Summary of the invention
In view of the above problems, the present invention is proposed to provide an antivirus client, an antivirus server and corresponding virus scanning and removal methods that overcome the above problems or at least partly solve them.
A further object of the present invention is to improve the efficiency of virus scanning and removal.
Another further object of the present invention is to reduce the load on the antivirus server.
According to one aspect of the present invention, a virus scanning and removal method is provided. The method comprises: an antivirus client receiving a virus scanning script issued by an antivirus server, the script comprising instructions for matching virus features against a file to be scanned; using a compiler preset in the antivirus client to compile the script into executable code that matches the hardware platform on which the client runs; and the antivirus client calling the executable code to scan the file to be scanned for viruses.
Optionally, using the compiler preset in the antivirus client to compile the script into executable code matching the client's hardware platform comprises: compiling the script into an object file with the preset compiler, and linking the object file into executable code that matches the client's hardware platform.
Optionally, the antivirus client calling the executable code to scan the file comprises: obtaining the file to be scanned; identifying the file format of the file; parsing the data structure of the file according to the file format; and the antivirus client calling the executable code to scan the data structure for viruses.
Optionally, the antivirus client calling the executable code to scan the data structure comprises: the antivirus client extracting, according to the operation logic of the executable code, the data feature at a specific position in the data structure; judging whether the data feature satisfies the virus determination condition in the executable code; and, if so, determining that the file to be scanned contains a virus.
Optionally, after determining that the file to be scanned contains a virus, the method further comprises: outputting operation options for handling the virus, and processing the file according to the operation chosen from those options.
Optionally, obtaining the file to be scanned comprises: receiving a user's selection of a file type or a file storage directory; and extracting the files that belong to that file type or are located under that directory.
Optionally, identifying the file format of the file to be scanned comprises: extracting the file name extension of the file; and determining the file format from the extension.
Optionally, after the compiler preset in the antivirus client has compiled the script into executable code matching the client's hardware platform, the method further comprises: saving the executable code to a local virus library.
According to another aspect of the present invention, an antivirus client is also provided. The antivirus client comprises: a receiver, configured to receive a virus scanning script issued by an antivirus server, the script comprising instructions for matching virus features against a file to be scanned; a compiler, configured to compile the script into executable code that matches the hardware platform on which the client runs; and a scanner, configured to call the executable code to scan the file to be scanned for viruses.
Optionally, the compiler comprises: a compilation module, configured to compile the virus scanning script into an object file; and a link module, configured to link the object file into executable code that matches the client's hardware platform.
Optionally, the scanner comprises: an acquisition module, configured to obtain the file to be scanned; an identification module, configured to identify the file format of the file; a parsing module, configured to parse the data structure of the file according to the file format; and an execution module, configured to call the executable code to scan the data structure for viruses.
Optionally, the execution module is further configured to: extract, according to the operation logic of the executable code, the data feature at a specific position in the data structure; judge whether the data feature satisfies the virus determination condition in the executable code; and, if so, determine that the file to be scanned contains a virus.
Optionally, the scanner further comprises: a virus handling module, configured to output operation options for handling the virus, and to process the file according to the operation chosen from those options.
Optionally, the acquisition module is further configured to: receive a user's selection of a file type or a file storage directory; and extract the files that belong to that file type or are located under that directory.
Optionally, the identification module is further configured to: extract the file name extension of the file to be scanned; and determine the file format from the extension.
Optionally, the antivirus client further comprises: a memory, configured to save the executable code to a local virus library.
According to another aspect of the present invention, a virus scanning and removal method is also provided. The method comprises: generating, according to virus features, instructions for matching virus features against a file to be scanned, and writing the set of instructions as a virus scanning script; and issuing the script to an antivirus client, so that the client compiles the script into executable code that matches the client's hardware platform and calls the executable code to scan for viruses.
Optionally, after the set of instructions has been written as a virus scanning script, the method further comprises: debugging and verifying the script.
Optionally, before generating the instructions according to virus features, the method further comprises: obtaining a virus file sample; and extracting virus features from the sample.
According to another aspect of the present invention, an antivirus server is also provided. The antivirus server comprises: a script generation module, configured to generate, according to virus features, instructions for matching virus features against a file to be scanned, and to write the set of instructions as a virus scanning script; and a script issuing module, configured to issue the script to an antivirus client, so that the client compiles the script into executable code that matches the client's hardware platform and calls the executable code to scan for viruses.
Optionally, the antivirus server provided by the invention further comprises: a debugging module, configured to debug and verify the virus scanning script.
Optionally, the antivirus server provided by the invention further comprises: a virus feature extraction module, configured to obtain a virus file sample and to extract virus features from the sample.
According to another aspect of the present invention, a virus scanning and removal system is also provided. The system comprises: any of the antivirus clients introduced above; and any of the antivirus servers introduced above.
The method of the present invention issues a single unified virus scanning script, which the compiler preset in the antivirus client compiles into the corresponding executable code. Compared with an antivirus server that issues a separate virus signature database and scanning engine for each platform, the amount of data issued is small, which greatly relieves the load on the antivirus server and makes processing more efficient.
Further, the antivirus client of the present invention scans with compiled code, which greatly improves scanning efficiency compared with the existing approach of executing the code through an interpreter.
The above is only an overview of the technical solution of the present invention. So that the technical means of the invention can be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the invention become more apparent, specific embodiments of the invention are set out below.
From the following detailed description of specific embodiments of the invention, taken together with the accompanying drawings, those skilled in the art will better understand the above and other objects, advantages and features of the invention.
Embodiment
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein can be implemented in a variety of programming languages, and that the description of a specific language above is given in order to disclose the best mode of the invention.
Fig. 1 is a schematic diagram of a virus scanning and removal system according to an embodiment of the present invention. The system comprises at least one antivirus client 100 and an antivirus server 200 connected to it over a data network. The antivirus server 200 issues to the antivirus client 100 a virus scanning script written according to newly discovered virus features, and the compiler preset in the antivirus client 100 compiles the script into executable code used for virus scanning and removal.
Unlike prior-art systems, the antivirus server 200 issues the same script to antivirus clients 100 on different platforms: a virus scanning script written in general-purpose code (for example, code that follows the rules of the C or C++ language). Each antivirus client 100 compiles it into matching executable code and scans with that code. The antivirus server 200 therefore does not have to compile code with the same detection logic for the same virus into different versions, which reduces the load on the antivirus server 200 and improves the speed of response to new viruses. And because the antivirus client 100 compiles the script rather than interpreting it, execution is faster and scanning is more efficient.
Fig. 2 and Fig. 3 are schematic diagrams of the antivirus client 100 and the antivirus server 200, respectively, according to an embodiment of the present invention. In general, the antivirus client 100 of the embodiment may comprise a receiver 110, a compiler 120 and a scanner 130, and the antivirus server 200 of the embodiment may comprise a script generation module 210 and a script issuing module 220. In some preferred embodiments, the antivirus client 100 may additionally be provided with a memory 140. One optional structure of the compiler 120 comprises a compilation module 122 and a link module 124. One optional structure of the scanner 130 comprises an acquisition module 131, an identification module 132, a parsing module 133, an execution module 134 and a virus handling module 135. The antivirus server 200 of the embodiment may additionally be provided with a debugging module 230 and a virus feature extraction module 240. The components of the antivirus client 100 and the antivirus server 200 can be configured flexibly according to the functions the embodiment needs and the specific environment of use; some optional embodiments may have all of the above components.
In the antivirus client 100 of this embodiment, the receiver 110 receives the virus scanning script issued by the antivirus server. The script comprises instructions for matching virus features against a file to be scanned. These instructions can be generated from the virus features using code that is common to multiple hardware platforms; for example, the script is written according to the features of the virus to be detected, following the rules of a general-purpose language (such as C or C++). A script of this kind can be compiled flexibly into executable code that different platforms can run.
The compiler 120 compiles the virus scanning script into executable code that matches the hardware platform on which the antivirus client runs. Compilation is the process of translating source code (generally a high-level language) into object code (generally a low-level language or machine language) that a computer or virtual machine can execute directly. The object code that can be executed differs between hardware platforms and operating systems. Common processor architectures include the x86 architecture (which can be further subdivided into 16-, 32- and 64-bit) and reduced instruction set (RISC) architectures. By operating system, platforms can be divided into Windows, Linux, Android and so on, and within one family of operating systems the executable code for different versions also differs. In the prior art, faced with a large number of different systems and platforms, different signature databases or scanning programs have to be issued for each of them, which wastes a large amount of resources. In the antivirus client 100 of this embodiment, the compiler 120 is located on the client side, so the unified script only needs to be compiled into the object code the client itself requires, which greatly reduces the load on the server side.
Specifically, the compiler 120 may comprise a compilation module 122 and a link module 124. The compilation module 122 compiles the virus scanning script into an object file, and the link module 124 links the object file into executable code that matches the client's hardware platform. Generally, source code must be processed into object code by a compiler and then converted into an executable program by a linker before a hardware device can execute it. That is, the script written in a high-level language is processed by the compilation module 122 and compiled into target byte code (Byte Code) of the common intermediate language (MSIL/CIL); the link module 124 then links it with additional object code libraries into one executable file used for virus scanning and removal. The link module 124 has to resolve undefined symbol references, replacing the placeholders in the object file with the addresses of the symbols.
The scanner 130 calls the executable code to scan the file to be scanned for viruses. The acquisition module 131 is configured to obtain the file to be scanned, for example by receiving a user's selection of a file type or a file storage directory and extracting the files that belong to that file type or are located under that directory. The identification module 132 identifies the file format of the file, for example by extracting the file name extension and determining the file format from it. The parsing module 133 is configured to parse the data structure of the file according to the file format. The execution module 134 is configured to call the executable code to scan the data structure for viruses.
One scanning flow of the execution module 134 is: extract, according to the operation logic of the executable code, the data feature at a specific position in the data structure; judge whether the data feature satisfies the virus determination condition in the executable code; and, if so, determine that the file to be scanned contains a virus. For example, an offset is read at a specified position in the data structure parsed by the parsing module 133, the data feature at the new position is obtained by offset calculation, and this feature is compared with the features of the virus sample. When one or more features match, the file is considered to contain the virus being scanned for.
The object scanned by the scanner 130 may be a Portable Executable file (PE file for short) or a non-PE file. For a PE file, the parsing module 133 obtains data structure features such as the file's instruction sequence, imported function names, exported function names and printable strings, and matching is performed on one or more of the instruction sequence, imported function names, exported function names and printable strings. For non-PE files, file objects for different file formats can be set up in the execution environment; the file formats that can be set up include, but are not limited to, Doc, xml, ppt, pdf, swf, Apk, Bat, ini, vbs and js. For each file format, the corresponding execution environment can be used for parsing and for feature extraction and matching, completing the virus scan.
After the execution module 134 has called the executable code to scan the data structure and confirmed that the file has a security problem, the virus handling module 135 outputs operation options for handling the virus and processes the file according to the operation chosen from those options. The operation options may include delete, quarantine, ignore and so on; the operation is selected by the user, or a default operation is performed when the user makes no selection.
The memory 140 can also save the executable code to the local virus library for use in subsequent scanning operations.
In the antivirus server 200 of this embodiment, the script generation module 210 generates, according to virus features, instructions for matching virus features against a file to be scanned, and writes the set of instructions as a virus scanning script; that is, it generates the script from the virus features using code instructions common to multiple hardware platforms. After the antivirus server 200 intercepts a new virus sample or receives an uploaded one, the virus features are extracted by analysis and the script generation module generates the virus scanning script. The script issuing module 220 issues the script to the antivirus client 100, so that the antivirus client 100 compiles it into executable code that matches the hardware platform on which the antivirus client 100 runs and calls the executable code to scan files for viruses. As soon as the antivirus server 200 has completed the script, it can issue it directly to antivirus clients 100 on different platforms; compared with the prior art, the response to new samples is faster and processing is more efficient.
After the script generation module 210 has generated the virus scanning script, the debugging module 230 can also be used to debug and verify the script and confirm that it is effective: different runtime environments are set up, the script is compiled and executed in them, and its detection effectiveness is confirmed against test samples.
The virus features used by the script generation module 210 can be extracted by the virus feature extraction module 240. Specifically, the virus feature extraction module 240 can obtain a virus file sample, analyse it and extract virus features from it. The virus feature extraction module 240 can obtain virus file samples in various ways, for example by intercepting files transmitted over the network or by receiving suspicious files uploaded by the antivirus client 100; this embodiment places no limit on this.
In the virus scanning and removal system of the embodiment, compared with existing approaches, the antivirus server 200 issues the same virus scanning script to antivirus clients 100 on different platforms, and the antivirus clients 100 compile and execute it. This improves the speed with which the antivirus server 200 responds to newly discovered viruses and improves scanning efficiency.
The embodiment of the present invention also provides virus scanning and removal methods, which can be carried out by any of the antivirus clients 100 and antivirus servers 200 introduced above, respectively, in order to improve scanning efficiency. Fig. 4 and Fig. 5 are schematic diagrams of the two methods according to an embodiment of the present invention. On the antivirus server side, the method comprises:
Step S402: generate, according to virus features, instructions for matching virus features against a file to be scanned, and write the set of instructions as a virus scanning script;
Step S404: issue the virus scanning script to the antivirus client. The antivirus client can compile the issued script into executable code that matches the hardware platform on which the client runs, and call the executable code to scan files for viruses.
Before step S402, a virus file sample can also be obtained in various ways, and virus features can be extracted from the sample as the basis for generating the virus scanning script. The virus file sample can be obtained in various ways, for example by intercepting files transmitted over the network or by receiving suspicious files uploaded by the antivirus client 100.
In addition, after the virus scanning script has been completed in step S402, the script can also be debugged and verified. Debugging and verification refine the script and ensure its reliability and effectiveness: for example, different runtime environments are set up, the script is compiled and executed in them, its detection effectiveness is confirmed against test samples, and it is corrected promptly when the test results reveal a problem.
The following is one optional flow carried out by the antivirus server after a new virus sample is discovered. An uploaded suspicious file is received, and an antivirus engineer confirms that the suspicious file contains a new virus feature and that the existing virus signature database needs to be modified. A corresponding detection algorithm is then specified according to the features of the new virus, instructions for matching virus features against a file to be scanned are generated according to the detection algorithm, and these instructions are combined and written as a virus scanning script, so that the script can carry out the detection algorithm for this virus feature. Debugging and verification can be repeated while the script is being generated, until it is confirmed that the script detects this virus accurately and the detection results meet the requirements. The script is then issued to the various antivirus clients.
On the client side, the method comprises:
Step S502: the antivirus client receives the virus scanning script issued by the antivirus server;
Step S504: the compiler preset in the antivirus client compiles the script into executable code that matches the hardware platform on which the client runs;
Step S506: the antivirus client calls the executable code to scan the file to be scanned for viruses.
The virus scanning script comprises instructions for matching virus features against a file to be scanned; for example, the antivirus server can generate it from the virus features using instruction code common to multiple hardware platforms. For example, the script is written according to the features of the virus to be detected, following the rules of a general-purpose language (such as C or C++), and a script of this kind can be compiled flexibly into executable code that different platforms can run. In the script, basic constructs such as arithmetic operations, logical tests, jump instructions, loop statements and comparison statements can be used to extract and compare virus features.
One compilation flow for step S504 is: the compiler preset in the antivirus client compiles the virus scanning script into an object file, and the object file is linked into executable code that matches the client's hardware platform. The code of the script has to be processed into object code by a compiler and converted into an executable program by a linker, after which it is executed to scan the files the user has specified. The script can also be checked during compilation, and syntax problems found in the script are reported promptly, which improves reliability.
One scanning flow for step S506 comprises: obtaining the file to be scanned; identifying the file format of the file; parsing the data structure of the file according to the file format; and the antivirus client calling the executable code to scan the data structure for viruses. The file to be scanned can be a file of a type specified by the user or a file at a specified location: for example, a user's selection of a file type or a file storage directory is received, and the files that belong to that file type or are located under that directory are extracted. The file format can be determined from the file name extension: for example, the extension of the file to be scanned is extracted and the file format is determined from it.
The antivirus client calling the executable code to scan the data structure can specifically be: the antivirus client extracts, according to the operation logic of the executable code, the data feature at a specific position in the data structure; judges whether the data feature satisfies the virus determination condition in the executable code; and, if so, determines that the file to be scanned contains a virus. After determining that the file contains a virus, the client can also output operation options for handling the virus and process the file according to the operation chosen from those options. For example, detection is performed on the basis of feature classification, according to key words in computer viruses, the content of characteristic program segments, virus features and propagation paths, and changes in file length; or a file or data segment is checked and a value computed and saved, and the file or data segment is later checked against the saved result to test whether it has virus features, and so on.
The object scanned may be a Portable Executable file (PE file for short) or a non-PE file. For a PE file, data structure features such as the file's instruction sequence, imported function names, exported function names and printable strings can be obtained after parsing, and matching is performed on one or more of the instruction sequence, imported function names, exported function names and printable strings. For non-PE files, file objects for different file formats can be set up in the execution environment; the file formats that can be set up include, but are not limited to, Doc, xml, ppt, pdf, swf, Apk, Bat, ini, vbs and js. For each file format, the corresponding execution environment can be used for parsing and for feature extraction and matching, completing the virus scan.
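The following C sketch illustrates the scanning flow of step S506 for the PE case: format identification by file name extension, parsing of the data structure, offset calculation to reach a specific position, and comparison of the bytes found there with a signature. It is an added example, not code from the patent; all function names, the choice of the entry point as the "specific position", the wildcard mask and the 8-byte marker are assumptions made for illustration, and the sample image is constructed. The header offsets follow the standard PE/COFF layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bounds-checked little-endian readers: the scanner parses untrusted files,
   so every offset taken from the file is validated before it is used. */
static int rd16(const uint8_t *b, size_t n, uint64_t off, uint32_t *v) {
    if (off + 2 > n) return 0;
    *v = (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8);
    return 1;
}
static int rd32(const uint8_t *b, size_t n, uint64_t off, uint32_t *v) {
    uint32_t lo, hi;
    if (!rd16(b, n, off, &lo) || !rd16(b, n, off + 2, &hi)) return 0;
    *v = lo | (hi << 16);
    return 1;
}

/* Step 1: identify the file format from the file name extension. */
enum fmt { FMT_UNKNOWN, FMT_PE };
static enum fmt format_from_name(const char *name) {
    const char *dot = strrchr(name, '.');
    char ext[4] = {0};
    if (!dot || strlen(dot + 1) != 3) return FMT_UNKNOWN;
    for (int i = 0; i < 3; i++) ext[i] = (char)(dot[1 + i] | 0x20); /* ASCII lower-case */
    return (!strcmp(ext, "exe") || !strcmp(ext, "dll")) ? FMT_PE : FMT_UNKNOWN;
}

/* Step 2: parse the PE headers and convert the entry-point RVA into a file
   offset through the section table. Returns -1 for a malformed image. */
static int64_t pe_entry_offset(const uint8_t *b, size_t n) {
    uint32_t lfanew, nsec, optsz, ep, va, rawsz, rawptr;
    if (n < 2 || b[0] != 'M' || b[1] != 'Z') return -1;
    if (!rd32(b, n, 0x3C, &lfanew)) return -1;                /* e_lfanew */
    if ((uint64_t)lfanew + 4 > n || memcmp(b + lfanew, "PE\0\0", 4)) return -1;
    uint64_t coff = (uint64_t)lfanew + 4, opt = coff + 20;
    if (!rd16(b, n, coff + 2, &nsec) || !rd16(b, n, coff + 16, &optsz)) return -1;
    if (optsz < 20 || !rd32(b, n, opt + 16, &ep)) return -1;  /* AddressOfEntryPoint */
    uint64_t sec = opt + optsz;                               /* first section header */
    for (uint32_t i = 0; i < nsec; i++, sec += 40) {
        if (!rd32(b, n, sec + 12, &va) || !rd32(b, n, sec + 16, &rawsz) ||
            !rd32(b, n, sec + 20, &rawptr)) return -1;
        if (ep >= va && ep - va < rawsz) {
            uint64_t off = (uint64_t)rawptr + (ep - va);
            return off < n ? (int64_t)off : -1;
        }
    }
    return -1;
}

/* Step 3: compare the bytes at the computed position with each signature.
   mask[i] == 0 marks a wildcard byte. */
struct sig { const char *name; uint8_t bytes[8]; uint8_t mask[8]; size_t len; };
static const struct sig SIGS[] = {   /* constructed marker, not a real virus signature */
    { "Constructed.Test.Marker", {0xDE,0xAD,0,0,0xBE,0xEF,0x00,0x01}, {1,1,0,0,1,1,1,1}, 8 },
};
static int sig_match_at(const uint8_t *b, size_t n, uint64_t off, const struct sig *s) {
    if (off + s->len > n) return 0;
    for (size_t i = 0; i < s->len; i++)
        if (s->mask[i] && b[off + i] != s->bytes[i]) return 0;
    return 1;
}

/* Returns 1 = signature matched, 0 = clean, -1 = unsupported or malformed. */
int scan_file(const char *name, const uint8_t *b, size_t n) {
    if (format_from_name(name) != FMT_PE) return -1;
    int64_t off = pe_entry_offset(b, n);
    if (off < 0) return -1;
    for (size_t i = 0; i < sizeof SIGS / sizeof SIGS[0]; i++)
        if (sig_match_at(b, n, (uint64_t)off, &SIGS[i])) return 1;
    return 0;
}

static void wr32(uint8_t *b, size_t off, uint32_t v) {
    for (int i = 0; i < 4; i++) b[off + i] = (uint8_t)(v >> (8 * i));
}
/* Constructed 512-byte PE-like image: one section, entry point at file offset 0x190. */
void build_sample(uint8_t img[512], int marked) {
    static const uint8_t marker[8] = {0xDE,0xAD,0x11,0x22,0xBE,0xEF,0x00,0x01};
    memset(img, 0, 512);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img, 0x3C, 0x40);                  /* e_lfanew */
    memcpy(img + 0x40, "PE\0\0", 4);
    img[0x46] = 1; img[0x54] = 0xE0;        /* NumberOfSections, SizeOfOptionalHeader */
    wr32(img, 0x58 + 16, 0x1010);           /* AddressOfEntryPoint (RVA) */
    wr32(img, 0x138 + 12, 0x1000);          /* section VirtualAddress */
    wr32(img, 0x138 + 16, 0x40);            /* section SizeOfRawData */
    wr32(img, 0x138 + 20, 0x180);           /* section PointerToRawData */
    if (marked) memcpy(img + 0x190, marker, sizeof marker);
}

int main(void) {
    uint8_t img[512];
    build_sample(img, 1);
    printf("marked sample: %d\n", scan_file("sample.exe", img, sizeof img));
    return 0;
}
```

A truncated or corrupted image is reported as malformed rather than read out of bounds, which matters because the detection logic runs as native code on attacker-supplied files.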
After it is confirmed that the file has a security problem, the operation options output for handling the virus may include delete, quarantine, ignore and so on; the option is selected by the user, or a default operation is performed when the user makes no selection.
After scanning is complete, the executable code compiled from the virus scanning script can also be saved to the local virus library, so that the scanning engine can load and call it directly when it is next started and initialised.
The scanning flow of step S506 can be completed by the executable program of the virus scanning script calling application program interfaces (Application Program Interface, API for short), for example file operation API functions, buffer decoding API functions, and API functions specific to file formats, such as MZ file processing API functions, PE file processing API functions, OLE file processing API functions and boot sector processing API functions. By calling the file operation API functions, file operations such as create, delete, copy, search, call, refresh and read are carried out.
APIs are used to carry out file operations, memory operations and so on, for example file operations such as create, delete, copy, search, call, refresh and read.
In the method of the present invention, the issued virus scanning script is compiled and executed by the antivirus client. The script is independent of the hardware and operating system platform, which removes a large amount of debugging on different platforms, shortens the time taken to deal with a virus and improves efficiency.
The compiler preset in the antivirus client compiles the virus scanning script into the corresponding executable code; compared with the prior art, the amount of data issued is small and scanning efficiency is high.
Numerous specific details are described in the specification provided herein. However, it is understood that embodiments of the invention can be practiced without these specific details. In some instances, well-known methods, structures, and techniques are not shown in detail, so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together into a single embodiment, figure, or description thereof in the above description of exemplary embodiments of the invention. However, the disclosed method should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment above. Therefore, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components in an embodiment can be combined into one module or unit or component, and they can furthermore be divided into multiple sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract, and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract, and drawings) may be replaced by an alternative feature serving the same, an equivalent, or a similar purpose.
In addition, those skilled in the art will understand that although some embodiments described herein include some features but not other features included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the claims, any one of the claimed embodiments can be used in any combination.
The component embodiments of the invention can be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) can be used in practice to implement some or all of the functions of some or all of the components in the virus checking and killing client and virus checking and killing server according to embodiments of the invention. The invention can also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium or may take the form of one or more signals. Such a signal may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any order. These words may be interpreted as names.
Thus, those skilled in the art will recognize that, although multiple exemplary embodiments of the invention have been shown and described in detail herein, many other variations or modifications consistent with the principles of the invention can still be directly determined or derived from the content disclosed herein without departing from the spirit and scope of the invention. Therefore, the scope of the invention should be understood and deemed to cover all such other variations or modifications.
An embodiment of the present invention provides A1. A virus checking and killing method, comprising:
receiving, by a virus checking and killing client, a virus checking and killing script issued by a virus checking and killing server, the virus checking and killing script comprising instructions for performing virus feature matching on a file to be checked;
compiling, using a compiler preset in the virus checking and killing client, the virus checking and killing script into executable code matching the hardware platform on which the virus checking and killing client runs;
calling, by the virus checking and killing client, the executable code to perform virus checking and killing on the file to be checked.
A2. The method according to A1, wherein compiling, using the compiler preset in the virus checking and killing client, the virus checking and killing script into executable code matching the hardware platform on which the virus checking and killing client runs comprises:
compiling, by the compiler preset in the virus checking and killing client, the virus checking and killing script into an object file, and linking the object file into the executable code matching the hardware platform on which the virus checking and killing client runs.
A3. The method according to A1, wherein calling, by the virus checking and killing client, the executable code to perform virus checking and killing on the file to be checked comprises:
obtaining the file to be checked;
identifying the file format of the file to be checked;
parsing the data structure of the file to be checked according to the file format;
calling, by the virus checking and killing client, the executable code to perform virus checking and killing on the data structure.
A4. The method according to A3, wherein calling, by the virus checking and killing client, the executable code to perform virus checking and killing on the data structure comprises:
extracting, by the virus checking and killing client, data features at specific positions in the data structure according to the operation logic of the executable code;
judging whether the data features satisfy a virus determination condition in the executable code;
if so, determining that the file to be checked contains a virus.
A5. The method according to A4, further comprising, after determining that the file to be checked contains a virus:
outputting operation options for handling the virus, and processing the file to be checked according to the operation performed on the operation options.
A6. The method according to any one of A3 to A5, wherein obtaining the file to be checked comprises:
receiving a user's selection of a file type or a file storage directory;
extracting the files belonging to the file type or located under the file storage directory.
A7. The method according to any one of A3 to A6, wherein identifying the file format of the file to be checked comprises:
extracting the filename extension of the file to be checked;
determining the file format of the file to be checked according to the filename extension.
A8. The method according to any one of A1 to A7, further comprising, after compiling, using the compiler preset in the virus checking and killing client, the virus checking and killing script into executable code matching the hardware platform on which the virus checking and killing client runs:
saving the executable code in a local virus library.
An embodiment of the present invention also provides B9. A virus checking and killing client, comprising:
a receiver, configured to receive a virus checking and killing script issued by a virus checking and killing server, the virus checking and killing script comprising instructions for performing virus feature matching on a file to be checked;
a compiler, configured to compile the virus checking and killing script into executable code matching the hardware platform on which the virus checking and killing client runs;
a checking and killing device, configured to call the executable code to perform virus checking and killing on the file to be checked.
B10. The client according to B9, wherein the compiler comprises:
a compilation module, configured to compile the virus checking and killing script into an object file;
a link module, configured to link the object file into the executable code matching the hardware platform on which the virus checking and killing client runs.
B11. The client according to B9, wherein the checking and killing device comprises:
an acquisition module, configured to obtain the file to be checked;
an identification module, configured to identify the file format of the file to be checked;
a parsing module, configured to parse the data structure of the file to be checked according to the file format;
an execution module, configured to call the executable code to perform virus checking and killing on the data structure.
B12. The client according to B11, wherein the execution module is further configured to:
extract data features at specific positions in the data structure according to the operation logic of the executable code;
judge whether the data features satisfy a virus determination condition in the executable code;
if so, determine that the file to be checked contains a virus.
B13. The client according to B12, wherein the checking and killing device further comprises:
a virus handling module, configured to output operation options for handling the virus, and to process the file to be checked according to the operation performed on the operation options.
B14. The client according to any one of B11 to B13, wherein the acquisition module is further configured to:
receive a user's selection of a file type or a file storage directory;
extract the files belonging to the file type or located under the file storage directory.
B15. The client according to any one of B11 to B14, wherein the identification module is further configured to:
extract the filename extension of the file to be checked;
determine the file format of the file to be checked according to the filename extension.
B16. The client according to any one of B9 to B15, further comprising:
a storage, configured to save the executable code in a local virus library.
An embodiment of the present invention also provides C17. A virus checking and killing method, comprising:
generating, according to virus features, instructions for performing virus feature matching on a file to be checked, and writing the set of instructions as a virus checking and killing script;
issuing the virus checking and killing script to a virus checking and killing client, so that the virus checking and killing client compiles the virus checking and killing script into executable code matching the hardware platform on which the virus checking and killing client runs, and calls the executable code to perform virus checking and killing on the file to be checked.
C18. The method according to C17, further comprising, after writing the set of instructions as the virus checking and killing script:
debugging and verifying the virus checking and killing script.
C19. The method according to C17 or C18, further comprising, before generating, according to the virus features, the instructions for performing virus feature matching on the file to be checked:
obtaining a virus file sample;
extracting the virus features from the virus file sample.
An embodiment of the present invention also provides D20. A virus checking and killing server, comprising:
a script generation module, configured to generate, according to virus features, instructions for performing virus feature matching on a file to be checked, and to write the set of instructions as a virus checking and killing script;
a script issuing module, configured to issue the virus checking and killing script to a virus checking and killing client, so that the virus checking and killing client compiles the virus checking and killing script into executable code matching the hardware platform on which the virus checking and killing client runs, and calls the executable code to perform virus checking and killing on the file to be checked.
D21. The server according to D20, further comprising:
a debugging module, configured to debug and verify the virus checking and killing script.
D22. The server according to D20 or D21, further comprising:
a virus feature extraction module, configured to obtain a virus file sample and to extract the virus features from the virus file sample.
An embodiment of the present invention also provides E23. A virus checking and killing system, comprising:
the virus checking and killing client according to any one of B9 to B15;
the virus checking and killing server according to any one of D20 to D22.