CN104376259A - Method and device for detecting viruses - Google Patents


Publication number
CN104376259A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201410466149.9A
Other languages
Chinese (zh)
Other versions
CN104376259B (en)
Inventor
崔精兵
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/564Static detection by virus signature recognition


Abstract

The invention discloses a method and device for detecting viruses, and belongs to the technical field of computers. The method comprises the steps of obtaining data of a preset content unit from a target file, obtaining pre-stored virus data structure characteristics corresponding to the preset content unit, and reporting the target file as a virus file if the data of the preset content unit meet the virus data structure characteristics corresponding to the preset content unit. By means of the method and device, the virus recognition rate can be improved.

Description

Method and device for detecting viruses
Technical field
The present invention relates to the field of computer technology, and in particular to a method and device for detecting viruses.
Background
With the development of Internet technology and computer technology, the use of computers and the Internet has become more and more widespread. However, computer software can contain vulnerabilities, and some people exploit these vulnerabilities to create computer viruses that attack computers. To prevent viruses from attacking computers, technicians have developed antivirus software for finding and removing viruses on a computer.
Typically, antivirus software searches for viruses as follows: data is taken from a specified position in a file and matched against a virus signature. If the selected data matches the virus signature, the file is reported as a virus file; if the selected data does not match the virus signature, the file is judged to be normal.
In the course of implementing the present invention, the inventor found that the prior art has at least the following problem:
With the above method of searching for viruses, if the virus developer makes a slight modification to the virus signature, the virus can avoid being recognized by the antivirus software, so the virus recognition rate is low.
Summary of the invention
To solve the problem of the prior art, embodiments of the present invention provide a method and device for detecting viruses. The technical solution is as follows:
In a first aspect, a method for detecting viruses is provided, the method comprising:
obtaining data of a preset content unit from a target file;
obtaining a pre-stored virus data structure feature corresponding to the preset content unit;
if the data of the preset content unit conforms to the virus data structure feature corresponding to the preset content unit, reporting the target file as a virus file.
In a second aspect, a device for detecting viruses is provided, the device comprising:
a first acquisition module, configured to obtain data of a preset content unit from a target file;
a second acquisition module, configured to obtain a pre-stored virus data structure feature corresponding to the preset content unit;
a detection module, configured to report the target file as a virus file if the data of the preset content unit conforms to the virus data structure feature corresponding to the preset content unit.
The beneficial effects of the technical solution provided by the embodiments of the present invention are as follows:
In the embodiments of the present invention, data of a preset content unit is obtained from a target file, a pre-stored virus data structure feature corresponding to the preset content unit is obtained, and if the data of the preset content unit conforms to the virus data structure feature corresponding to the preset content unit, the target file is reported as a virus file. In this way, viruses can be detected by examining the structural features of the target file. For a virus to take effect, the virus file must satisfy certain structural features, so even if the virus developer changes the virus signature, the structural features of the virus file will not change, because the developer needs the virus to take effect. The above method of detecting viruses can therefore improve the virus recognition rate.
Brief description of the drawings
To illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a method for detecting viruses provided by an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a file provided by an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a RECORD provided by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a device for detecting viruses provided by an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a terminal provided by an embodiment of the present invention.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the drawings.
Embodiment one
An embodiment of the present invention provides a method for detecting viruses. As shown in Fig. 1, the processing flow of the method can comprise the following steps:
Step 101: obtain data of a preset content unit from a target file.
Step 102: obtain a pre-stored virus data structure feature corresponding to the preset content unit.
Step 103: if the data of the preset content unit conforms to the virus data structure feature corresponding to the preset content unit, report the target file as a virus file.
In the embodiments of the present invention, data of a preset content unit is obtained from a target file, a pre-stored virus data structure feature corresponding to the preset content unit is obtained, and if the data of the preset content unit conforms to the virus data structure feature corresponding to the preset content unit, the target file is reported as a virus file. In this way, viruses can be detected by examining the structural features of the target file. For a virus to take effect, the virus file must satisfy certain structural features, so even if the virus developer changes the virus signature, the structural features of the virus file will not change, because the developer needs the virus to take effect. The above method of detecting viruses can therefore improve the virus recognition rate.
Embodiment two
An embodiment of the present invention provides a method for detecting viruses. The method can be executed by a terminal, where the terminal can be a computer, a mobile phone, a tablet computer, or the like.
The processing flow shown in Fig. 1 is described in detail below with reference to specific implementations:
Step 101: obtain data of a preset content unit from a target file.
Here, a content unit can be a storage unit in a file that is used for storing data. The preset content unit can be a content unit related to shellcode, where shellcode is the code in a virus file that actually attacks the computer. For example, a content unit can be any STREAM or any RECORD in a file in XLS (EXtensible Stylesheet Language) format.
In implementation, a technician can analyze how virus developers design virus files and, for files of a given format, determine which content unit or units in the file are preset content units. Some content units in a file are readily chosen by virus developers as the place to put shellcode, and such content units can be selected as preset content units. In addition, for some content units, after shellcode is placed in another content unit, their content or data structure may change as a result, and such content units can also be selected as preset content units. When a user wants to run virus detection on a target file, the user can install an application for finding and removing viruses and start the application to run virus detection on the target file. During virus detection, the application can search all content units of the target file in a certain order for preset content units; after a preset content unit is found, the data in that preset content unit can be obtained.
Optionally, the target file can be a file of any format. Taking the XLS format as an example, the format of the target file can be XLS, and the preset content unit is a preset RECORD (record) in the WORKBOOK STREAM (workbook stream).
In implementation, as shown in Fig. 2, a file in XLS format is made up of numerous STREAMs, such as COMPOBJ STREAM and WORKBOOK STREAM. The WORKBOOK STREAM stores the actual data of the file and is made up of multiple RECORDs. In a file in XLS format, some RECORDs can be used by virus developers to hold shellcode, and technicians can set the corresponding RECORDs as RECORDs to be detected (that is, the preset RECORDs mentioned above). Alternatively, for some RECORDs, after shellcode is placed in another RECORD, their content or data structure may change as a result, and such RECORDs can also be selected as RECORDs to be detected. When a user wants to run virus detection on a file in XLS format, the application described above can be started to run virus detection on the file. During virus detection, the application can search all RECORDs of the XLS file in a certain order for preset RECORDs; after a preset RECORD is found, the data in that preset RECORD can be obtained.
Step 102: obtain a pre-stored virus data structure feature corresponding to the preset content unit.
Here, a virus data structure feature is a structural feature that the data in a content unit of a virus file has.
In implementation, for a given virus, a technician can analyze how it works, determine which content units in the corresponding virus file are affected by the shellcode and take them as preset content units, and determine the structural features that the data in each preset content unit needs in order for the shellcode to take effect, taking these as the virus data structure features corresponding to that preset content unit. The correspondence between preset content units and virus data structure features can then be set and stored. Each virus data structure feature can correspond to one or more preset content units, and each preset content unit can correspond to one or more virus data structure features. The correspondence between preset content units and virus data structure features can be as shown in Table 1. During virus detection, all content units of the target file can be searched in a certain order for preset content units; after a preset content unit is found, its data can be obtained, and the virus data structure features corresponding to that preset content unit can be looked up in the stored correspondence between preset content units and virus data structure features.
Table 1
Target content unit              | Virus data structure features
Content unit a                   | Feature 1, feature 2
Content unit b, content unit c   | Feature 3
Content unit d                   | Feature 4, feature 5, feature 6
Content unit e                   | Feature 7
Content unit f                   | Feature 3, feature 5, feature 9, feature 13
Optionally, different virus files have different virus data structure features, so many kinds of virus data structure features can be set. Several virus data structure features are given below:
Feature one. The preset content unit comprises a first content unit and a second content unit that are adjacent, one after the other. The virus data structure feature comprises: the sum of a first value, obtained by applying a preset algorithm to the data at a preset position in the data of the first content unit, and the data volume of the data of the second content unit is greater than a preset value.
In implementation, taking a target file in XLS format as an example, its RECORDs can be parsed when virus detection is run on it. As shown in Fig. 3, a RECORD can consist of three parts: ID (identity), SIZE (size) and DATA (data). For the vulnerability numbered CVE-2011-0097, the target file can be judged to be a virus file if it meets the following conditions: (1) there is a RECORD whose ID is 0x7a (the first content unit), and this RECORD is immediately followed by a RECORD whose ID is 0x3c (the second content unit); (2) the DATA in the RECORD whose ID is 0x7a is parsed, the data at the specified position in DATA is read with the instruction *(PWORD)(DATA+1), giving data D, and the obtained data is used as a numerical value in the calculation R = *(PWORD)(DATA+1)*4+3, giving the value R; (3) the SIZE of the RECORD whose ID is 0x3c is taken, and (SIZE+R) > 2020.
Feature two. The virus data structure feature can comprise: the data volume exceeds the preset data volume upper limit of the preset content unit.
In implementation, when a file format is designed, the structural features of the data in the content units of files of that format can be specified, for example by setting a data volume upper limit for a content unit. When placing shellcode in a virus file, a virus developer may need to change the data volume of a content unit, which may cause that data volume to exceed the upper limit specified by the file format. Therefore, the data volume of the data in a content unit exceeding the preset data volume upper limit can be used as a basis for judging a file to be a virus file.
Optionally, multiple virus data structure features can be set for a given preset content unit so that viruses are detected from different angles, where different virus data structure features may correspond to different types of virus. Correspondingly, the processing of step 102 can be as follows: obtain multiple pre-stored virus data structure features corresponding to the preset content unit.
In implementation, one preset content unit may correspond to multiple vulnerabilities at the same time, and different virus developers may exploit different vulnerabilities to implant different shellcode for their own purposes. As a result, the data in a given preset content unit may have different structural features in different virus files. To detect the various viruses more comprehensively, multiple virus data structure features should therefore be stored for that preset content unit.
Step 103: if the data of the preset content unit conforms to the virus data structure feature corresponding to the preset content unit, report the target file as a virus file.
In implementation, after the data of the preset content unit and the pre-stored virus data structure feature corresponding to the preset content unit have been obtained, it can be determined whether the data conforms to the virus data structure feature. If the data conforms to the virus data structure feature corresponding to the preset content unit, this indicates that the target file may contain shellcode implanted by a virus developer, that is, the target file is a virus file. The application can then pop up a dialog box informing the user that the file is a virus file. A virus removal button can be shown in the dialog box, and the user can click this button to trigger the application to remove the virus.
Optionally, where the virus data structure feature is feature one above, the processing flow of step 103 can correspondingly be as follows: if the sum of the first value, obtained by applying the preset algorithm to the data at the preset position in the data of the first content unit, and the data volume of the data of the second content unit is greater than the preset value, report the target file as a virus file.
In implementation, where the target file is an XLS file, while traversing the RECORDs, if an adjacent pair consisting of a RECORD whose ID is 0x7a and a RECORD whose ID is 0x3c is detected, the DATA in the RECORD whose ID is 0x7a can be parsed: the data at the specified position in DATA is read with the instruction *(PWORD)(DATA+1), giving data D, and the obtained data is used as a numerical value in the calculation R = *(PWORD)(DATA+1)*4+3, giving the result value R. The SIZE of the RECORD whose ID is 0x3c is then obtained, and it is determined whether SIZE+R is greater than 2020. If so, it can be determined that the target file conforms to the virus data structure feature, that is, the target file is a virus file, and the application can report a virus. Otherwise, subsequent matching checks can be carried out.
Optionally, where the virus data structure feature is feature two above, the processing flow of step 103 can correspondingly be as follows: if the data volume of the data of the preset content unit exceeds the preset data volume upper limit of the preset content unit, report the target file as a virus file.
In implementation, once the antivirus application has been opened and the data of the preset content unit and the pre-stored preset data volume upper limit of the preset content unit have been obtained, it can be determined whether the data volume of the data of the preset content unit exceeds the preset data volume upper limit of that preset content unit. If the data volume of the data of the preset content unit of the target file does not exceed the preset data volume upper limit, the target file may be a normal file. If it exceeds the preset data volume upper limit, shellcode has very probably been placed in the target file, and the application can report the target file as a virus file.
Optionally, where multiple virus data structure features are stored for the preset content unit as described above, the processing flow of step 103 can correspondingly be as follows: if the data of the preset content unit conforms to any one of the multiple virus data structure features, report the target file as a virus file.
In implementation, after the terminal has obtained the data in the preset content unit and the multiple virus data structure features corresponding to that preset content unit, it can use these virus data structure features one by one, in a certain order, to run matching detection on the data. If the structural features of the data are found to match one of the virus data structure features, detection can stop and a virus is reported. If, after all of these virus data structure features have been traversed, no virus data structure feature matching the data has been found, the data in the corresponding content unit can be determined to be normal.
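The checks described above for feature one, feature two and the one-by-one matching of step 103, sketched as an added example; this is not code from the patent. It assumes that ID and SIZE are 16-bit little-endian header fields (as in BIFF records) and that *(PWORD)(DATA+1) reads a 16-bit little-endian word at offset 1 of DATA; the size limits, the RECORD ID 0x99 and the sample streams are constructed for illustration.

```python
import struct

# Assumed layout (the page names only ID, SIZE and DATA): a 2-byte
# little-endian ID, a 2-byte little-endian SIZE, then SIZE bytes of DATA.
def iter_records(stream):
    """Yield (rec_id, declared_size, data) for each RECORD in the stream."""
    off = 0
    while off + 4 <= len(stream):
        rec_id, size = struct.unpack_from("<HH", stream, off)
        # DATA may be shorter than SIZE if the stream is truncated.
        yield rec_id, size, stream[off + 4:off + 4 + size]
        off += 4 + size

def feature_one(prev, cur):
    """RECORD 0x7a immediately followed by RECORD 0x3c with SIZE + R > 2020."""
    if prev is None or prev[0] != 0x7A or cur[0] != 0x3C:
        return False
    data = prev[2]
    if len(data) < 3:            # too short to hold the word at DATA+1
        return False
    word = struct.unpack_from("<H", data, 1)[0]   # *(PWORD)(DATA+1)
    r = word * 4 + 3                              # R from the description
    return cur[1] + r > 2020

# Hypothetical per-RECORD data volume upper limits (not from the patent).
SIZE_LIMITS = {0x3C: 4096, 0x99: 64}

def feature_two(prev, cur):
    """Declared SIZE exceeds the preset upper limit for this RECORD ID."""
    limit = SIZE_LIMITS.get(cur[0])
    return limit is not None and cur[1] > limit

# Stored correspondence: preset RECORD ID -> features, tried in order.
FEATURES = {
    0x3C: [("feature-1", feature_one), ("feature-2", feature_two)],
    0x99: [("feature-2", feature_two)],
}

def scan(stream):
    """Return (feature_name, rec_id) for the first match, or None if clean."""
    prev = None
    for cur in iter_records(stream):
        for name, check in FEATURES.get(cur[0], ()):
            if check(prev, cur):
                return name, cur[0]   # stop at the first matching feature
        prev = cur
    return None

def rec(rec_id, data):
    """Build one RECORD for the constructed samples below."""
    return struct.pack("<HH", rec_id, len(data)) + data

# Constructed samples (not real files).
BENIGN = rec(0x7A, b"\x00\x02\x00\x00") + rec(0x3C, b"A" * 16)   # R = 11
SUSPICIOUS = rec(0x7A, b"\x00\x00\x02") + rec(0x3C, b"A" * 16)   # R = 2051
OVERSIZED = rec(0x99, b"B" * 100)                                # limit 64

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS),
                          ("oversized", OVERSIZED)):
        print(label, scan(sample))
```

The comparison is strict, so a pair whose SIZE + R equals exactly 2020 is not reported, and a 0x7a RECORD separated from the 0x3c RECORD by any other RECORD does not satisfy the adjacency condition.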
In the embodiments of the present invention, data of a preset content unit is obtained from a target file, a pre-stored virus data structure feature corresponding to the preset content unit is obtained, and if the data of the preset content unit conforms to the virus data structure feature corresponding to the preset content unit, the target file is reported as a virus file. In this way, viruses can be detected by examining the structural features of the target file. For a virus to take effect, the virus file must satisfy certain structural features, so even if the virus developer changes the virus signature, the structural features of the virus file will not change, because the developer needs the virus to take effect. The above method of detecting viruses can therefore improve the virus recognition rate.
Embodiment three
Based on the same technical concept, an embodiment of the present invention further provides a device for detecting viruses. As shown in Fig. 4, the device comprises:
a first acquisition module 410, configured to obtain data of a preset content unit from a target file;
a second acquisition module 420, configured to obtain a pre-stored virus data structure feature corresponding to the preset content unit;
a detection module 430, configured to report the target file as a virus file if the data of the preset content unit conforms to the virus data structure feature corresponding to the preset content unit.
Optionally, the preset content unit comprises a first content unit and a second content unit that are adjacent, one after the other; the virus data structure feature comprises: the sum of a first value, obtained by applying a preset algorithm to the data at a preset position in the data of the first content unit, and the data volume of the data of the second content unit is greater than a preset value;
the detection module 430 is configured to:
report the target file as a virus file if the sum of the first value, obtained by applying the preset algorithm to the data at the preset position in the data of the first content unit, and the data volume of the data of the second content unit is greater than the preset value.
Optionally, the virus data structure feature comprises: the data volume exceeds the preset data volume upper limit of the preset content unit;
the detection module 430 is configured to:
report the target file as a virus file if the data volume of the data of the preset content unit exceeds the preset data volume upper limit of the preset content unit.
Optionally, the second acquisition module is configured to:
obtain multiple pre-stored virus data structure features corresponding to the preset content unit;
the detection module 430 is configured to:
report the target file as a virus file if the data of the preset content unit conforms to any one of the multiple virus data structure features.
Optionally, the format of the target file is the XLS (Extensible Stylesheet Language) format, and the preset content unit is a preset RECORD in the WORKBOOK STREAM.
In the embodiments of the present invention, data of a preset content unit is obtained from a target file, a pre-stored virus data structure feature corresponding to the preset content unit is obtained, and if the data of the preset content unit conforms to the virus data structure feature corresponding to the preset content unit, the target file is reported as a virus file. In this way, viruses can be detected by examining the structural features of the target file. For a virus to take effect, the virus file must satisfy certain structural features, so even if the virus developer changes the virus signature, the structural features of the virus file will not change, because the developer needs the virus to take effect. The above method of detecting viruses can therefore improve the virus recognition rate.
It should be noted that, when the device for detecting viruses provided by the above embodiment detects viruses, the division into the functional modules described above is used only as an example. In practical applications, the functions described above can be assigned to different functional modules as needed; that is, the internal structure of the device can be divided into different functional modules to complete all or part of the functions described above. In addition, the device for detecting viruses provided by the above embodiment and the embodiments of the method for detecting viruses belong to the same concept; for its specific implementation, see the method embodiments, which are not repeated here.
Embodiment four
Refer to Fig. 5, which shows a schematic structural diagram of the terminal involved in the embodiments of the present invention. The terminal can be used to implement the method for detecting viruses provided in the above embodiments. Specifically:
Terminal 900 can comprise an RF (Radio Frequency) circuit 110, a memory 120 including one or more computer-readable storage media, an input unit 130, a display unit 140, a sensor 150, an audio circuit 160, a WiFi (wireless fidelity) module 170, a processor 180 including one or more processing cores, a power supply 190, and other components. A person skilled in the art will understand that the terminal structure shown in Fig. 5 does not constitute a limitation on the terminal, which can comprise more or fewer components than shown, combine some components, or arrange the components differently. Here:
The RF circuit 110 can be used for receiving and sending signals while information is sent and received or during a call. In particular, after receiving downlink information from a base station, it passes the information to one or more processors 180 for processing; in addition, it sends uplink data to the base station. Typically, the RF circuit 110 includes, but is not limited to, an antenna, at least one amplifier, a tuner, one or more oscillators, a subscriber identity module (SIM) card, a transceiver, a coupler, an LNA (Low Noise Amplifier), a duplexer, and the like. In addition, the RF circuit 110 can communicate with networks and other devices by wireless communication. The wireless communication can use any communication standard or protocol, including but not limited to GSM (Global System of Mobile communication), GPRS (General Packet Radio Service), CDMA (Code Division Multiple Access), WCDMA (Wideband Code Division Multiple Access), LTE (Long Term Evolution), e-mail, SMS (Short Messaging Service), and the like.
The memory 120 can be used for storing software programs and modules; the processor 180 performs various functional applications and data processing by running the software programs and modules stored in the memory 120. The memory 120 can mainly comprise a program storage area and a data storage area, where the program storage area can store the operating system, the applications needed for at least one function (such as a sound playback function or an image playback function), and the like, and the data storage area can store data created through the use of terminal 900 (such as audio data or a phone book), and the like. In addition, the memory 120 can comprise high-speed random access memory and can also comprise non-volatile memory, such as at least one magnetic disk storage device, a flash memory device, or other volatile solid-state storage devices. Correspondingly, the memory 120 can also comprise a memory controller to provide the processor 180 and the input unit 130 with access to the memory 120.
The input unit 130 can be used for receiving entered numeric or character information and for generating keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control. Specifically, the input unit 130 can comprise a touch-sensitive surface 131 and other input devices 132. The touch-sensitive surface 131, also called a touch display screen or trackpad, can collect touch operations by the user on or near it (such as operations by the user on or near the touch-sensitive surface 131 using a finger, a stylus, or any other suitable object or accessory) and drive the corresponding connected device according to a preset program. Optionally, the touch-sensitive surface 131 can comprise two parts, a touch detection device and a touch controller. The touch detection device detects the position of the user's touch, detects the signal produced by the touch operation, and sends the signal to the touch controller; the touch controller receives touch information from the touch detection device, converts it into contact coordinates, sends them to the processor 180, and can receive and execute commands sent by the processor 180. In addition, the touch-sensitive surface 131 can be implemented using various types such as resistive, capacitive, infrared and surface acoustic wave. Besides the touch-sensitive surface 131, the input unit 130 can also comprise other input devices 132. Specifically, the other input devices 132 can include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys or an on/off key), a trackball, a mouse, a joystick, and the like.
The display unit 140 can be used for displaying information entered by the user or information provided to the user, as well as the various graphical user interfaces of terminal 900; these graphical user interfaces can be made up of graphics, text, icons, video and any combination of them. The display unit 140 can comprise a display panel 141; optionally, the display panel 141 can be configured in the form of an LCD (Liquid Crystal Display), an OLED (Organic Light-Emitting Diode), or the like. Further, the touch-sensitive surface 131 can cover the display panel 141. When the touch-sensitive surface 131 detects a touch operation on or near it, it passes the operation to the processor 180 to determine the type of touch event, and the processor 180 then provides the corresponding visual output on the display panel 141 according to the type of touch event. Although in Fig. 5 the touch-sensitive surface 131 and the display panel 141 implement the input and output functions as two separate components, in some embodiments the touch-sensitive surface 131 and the display panel 141 can be integrated to implement the input and output functions.
Terminal 900 also can comprise at least one sensor 150, such as optical sensor, motion sensor and other sensors.Particularly, optical sensor can comprise ambient light sensor and proximity transducer, and wherein, ambient light sensor the light and shade of environmentally light can regulate the brightness of display panel 141, proximity transducer when terminal 900 moves in one's ear, can cut out display panel 141 and/or backlight.As the one of motion sensor, Gravity accelerometer can detect the size of all directions (are generally three axles) acceleration, size and the direction of gravity can be detected time static, can be used for identifying the application (such as horizontal/vertical screen switching, dependent game, magnetometer pose calibrating) of mobile phone attitude, Vibration identification correlation function (such as passometer, knock) etc.; As for terminal 900 also other sensors such as configurable gyroscope, barometer, hygrometer, thermometer, infrared ray sensor, do not repeat them here.
Voicefrequency circuit 160, loudspeaker 161, microphone 162 can provide the audio interface between user and terminal 900.Voicefrequency circuit 160 can by receive voice data conversion after electric signal, be transferred to loudspeaker 161, by loudspeaker 161 be converted to voice signal export; On the other hand, the voice signal of collection is converted to electric signal by microphone 162, voice data is converted to after being received by voicefrequency circuit 160, after again voice data output processor 180 being processed, through RF circuit 110 to send to such as another terminal, or export voice data to storer 120 to process further.Voicefrequency circuit 160 also may comprise earphone jack, to provide the communication of peripheral hardware earphone and terminal 900.
WiFi belongs to short range wireless transmission technology, and terminal 900 can help user to send and receive e-mail by WiFi module 170, browse webpage and access streaming video etc., and its broadband internet wireless for user provides is accessed.Although Fig. 5 shows WiFi module 170, be understandable that, it does not belong to must forming of terminal 900, can omit in the scope of essence not changing invention as required completely.
Processor 180 is control centers of terminal 900, utilize the various piece of various interface and the whole mobile phone of connection, software program in storer 120 and/or module is stored in by running or performing, and call the data be stored in storer 120, perform various function and the process data of terminal 900, thus integral monitoring is carried out to mobile phone.Optionally, processor 180 can comprise one or more process core; Preferably, processor 180 accessible site application processor and modem processor, wherein, application processor mainly processes operating system, user interface and application program etc., and modem processor mainly processes radio communication.Be understandable that, above-mentioned modem processor also can not be integrated in processor 180.
Terminal 900 also comprises the power supply 190 (such as battery) of powering to all parts, preferably, power supply can be connected with processor 180 logic by power-supply management system, thus realizes the functions such as management charging, electric discharge and power managed by power-supply management system.Power supply 190 can also comprise one or more direct current or AC power, recharging system, power failure detection circuit, power supply changeover device or the random component such as inverter, power supply status indicator.
Although not shown, terminal 900 can also comprise camera, bluetooth module etc., does not repeat them here.Specifically in the present embodiment, the display unit of terminal 900 is touch-screen displays, terminal 900 also includes storer, and one or more than one program, one of them or more than one program are stored in storer, and are configured to be performed by more than one or one processor state more than one or one routine package containing the instruction for carrying out following operation:
Obtaining the data of a preset content unit in a target file;
Obtaining the pre-stored viral data structure feature corresponding to the preset content unit;
If the data of the preset content unit conforms to the viral data structure feature corresponding to the preset content unit, reporting that the target file is a virus file.
Optionally, the preset content unit comprises a first content unit and a second content unit that are adjacent, one directly before the other; the viral data structure feature comprises: the sum of a first numerical value, obtained by applying a preset algorithm to the data at a preset position in the data of the first content unit, and the data size of the data of the second content unit is greater than a preset value;
Reporting that the target file is a virus file if the data of the preset content unit conforms to the viral data structure feature corresponding to the preset content unit comprises:
If the sum of the first numerical value, obtained by applying the preset algorithm to the data at the preset position in the data of the first content unit, and the data size of the data of the second content unit is greater than the preset value, reporting that the target file is a virus file.
Optionally, the viral data structure feature comprises: the data size exceeds the preset upper limit on data size for the preset content unit;
Reporting that the target file is a virus file if the data of the preset content unit conforms to the viral data structure feature corresponding to the preset content unit comprises:
If the data size of the data of the preset content unit exceeds the preset upper limit on data size for the preset content unit, reporting that the target file is a virus file.
Optionally, obtaining the pre-stored viral data structure feature corresponding to the preset content unit comprises:
Obtaining multiple pre-stored viral data structure features corresponding to the preset content unit;
Reporting that the target file is a virus file if the data of the preset content unit conforms to the viral data structure feature corresponding to the preset content unit comprises:
If the data of the preset content unit conforms to any one of the multiple viral data structure features, reporting that the target file is a virus file.
Optionally, the format of the target file is the Extensible Stylesheet Language (XSL) XLS format, and the preset content unit is a preset RECORD in the WORKBOOK STREAM.
In the embodiment of the present invention, the data of a preset content unit is obtained in a target file, the pre-stored viral data structure feature corresponding to the preset content unit is obtained, and if the data of the preset content unit conforms to that feature, the target file is reported as a virus file. In this way, a virus can be detected by examining the structural features of the target file. For a virus to take effect, the virus file must have certain structural features, so even if a virus developer changes the virus signature, the structural features of the virus file do not change as long as the virus is to remain effective. The above method of detecting viruses can therefore improve the recognition rate for viruses.
The serial numbers of the above embodiments of the present invention are for description only and do not represent the merits of the embodiments.
A person of ordinary skill in the art will understand that all or part of the steps of the above embodiments may be implemented by hardware, or by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, and the storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc or the like.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the present invention; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
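The structural checks described above can be sketched as a scanner over a record stream. This is an added example, not code from the patent: it assumes each RECORD in the Workbook stream is a 2-byte little-endian id, a 2-byte little-endian length and then the data, and the record ids, the size limit, the preset value and the "preset algorithm" (reading a 16-bit field at a fixed offset) are constructed placeholders.

```python
import struct

# Constructed rule tables: the ids, the limit and the preset value are
# placeholders for this example, not values taken from the patent.
SIZE_LIMITS = {0x7F01: 8}                 # record id -> preset upper limit (bytes)
PAIR_RULES = {(0x7F02, 0x7F03): (0, 16)}  # (first id, second id) -> (offset, preset value)

def iter_records(stream):
    """Yield (record_id, data) pairs; raise ValueError on a malformed stream."""
    pos = 0
    while pos + 4 <= len(stream):
        rec_id, size = struct.unpack_from("<HH", stream, pos)
        data = stream[pos + 4:pos + 4 + size]
        if len(data) < size:
            raise ValueError("record 0x%04X is truncated" % rec_id)
        yield rec_id, data
        pos += 4 + size
    if pos != len(stream):
        raise ValueError("trailing bytes after the last record")

def preset_algorithm(data, offset):
    """Assumed 'preset algorithm': read a 16-bit field at a preset position."""
    if offset + 2 > len(data):
        return None  # field absent, so the pair rule cannot be evaluated
    return struct.unpack_from("<H", data, offset)[0]

def scan_workbook_stream(stream):
    """Return the list of structural features the stream matches."""
    findings = []
    prev = None
    try:
        for rec_id, data in iter_records(stream):
            # Feature: data size exceeds the preset upper limit for this record.
            limit = SIZE_LIMITS.get(rec_id)
            if limit is not None and len(data) > limit:
                findings.append("oversize:0x%04X" % rec_id)
            # Feature: value derived from the first record plus the size of
            # the adjacent second record exceeds the preset value.
            if prev is not None and (prev[0], rec_id) in PAIR_RULES:
                offset, preset_value = PAIR_RULES[(prev[0], rec_id)]
                first_value = preset_algorithm(prev[1], offset)
                if first_value is not None and first_value + len(data) > preset_value:
                    findings.append("pair-sum:0x%04X+0x%04X" % (prev[0], rec_id))
            prev = (rec_id, data)
    except ValueError:
        findings.append("malformed")
    return findings

def is_virus_file(stream):
    """Report the file if any one of the features matches."""
    return bool(scan_workbook_stream(stream))

def record(rec_id, data):
    """Build one record for the constructed samples below."""
    return struct.pack("<HH", rec_id, len(data)) + data

# Constructed sample streams.
CLEAN = record(0x7F01, b"\x01" * 8) + record(0x7F02, struct.pack("<H", 4)) + record(0x7F03, b"\x00" * 8)
OVERSIZE = record(0x7F01, b"\x01" * 9)
PAIR_SUM = record(0x7F02, struct.pack("<H", 12)) + record(0x7F03, b"\x00" * 8)
```

A truncated or over-long stream is reported as "malformed" rather than silently skipped, since a scanner that stops parsing at the first inconsistent length would miss the records that follow it.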

Claims (10)

1. A method for detecting viruses, characterized in that the method comprises:
Obtaining the data of a preset content unit in a target file;
Obtaining the pre-stored viral data structure feature corresponding to the preset content unit;
If the data of the preset content unit conforms to the viral data structure feature corresponding to the preset content unit, reporting that the target file is a virus file.
2. The method according to claim 1, characterized in that the preset content unit comprises a first content unit and a second content unit that are adjacent, one directly before the other; the viral data structure feature comprises: the sum of a first numerical value, obtained by applying a preset algorithm to the data at a preset position in the data of the first content unit, and the data size of the data of the second content unit is greater than a preset value;
Reporting that the target file is a virus file if the data of the preset content unit conforms to the viral data structure feature corresponding to the preset content unit comprises:
If the sum of the first numerical value, obtained by applying the preset algorithm to the data at the preset position in the data of the first content unit, and the data size of the data of the second content unit is greater than the preset value, reporting that the target file is a virus file.
3. The method according to claim 1, characterized in that the viral data structure feature comprises: the data size exceeds the preset upper limit on data size for the preset content unit;
Reporting that the target file is a virus file if the data of the preset content unit conforms to the viral data structure feature corresponding to the preset content unit comprises:
If the data size of the data of the preset content unit exceeds the preset upper limit on data size for the preset content unit, reporting that the target file is a virus file.
4. The method according to claim 1, characterized in that obtaining the pre-stored viral data structure feature corresponding to the preset content unit comprises:
Obtaining multiple pre-stored viral data structure features corresponding to the preset content unit;
Reporting that the target file is a virus file if the data of the preset content unit conforms to the viral data structure feature corresponding to the preset content unit comprises:
If the data of the preset content unit conforms to any one of the multiple viral data structure features, reporting that the target file is a virus file.
5. The method according to claim 1, characterized in that the format of the target file is the Extensible Stylesheet Language (XSL) XLS format, and the preset content unit is a preset RECORD in the WORKBOOK STREAM.
6. A device for detecting viruses, characterized in that the device comprises:
A first acquisition module, configured to obtain the data of a preset content unit in a target file;
A second acquisition module, configured to obtain the pre-stored viral data structure feature corresponding to the preset content unit;
A detection module, configured to report that the target file is a virus file if the data of the preset content unit conforms to the viral data structure feature corresponding to the preset content unit.
7. The device according to claim 6, characterized in that the preset content unit comprises a first content unit and a second content unit that are adjacent, one directly before the other; the viral data structure feature comprises: the sum of a first numerical value, obtained by applying a preset algorithm to the data at a preset position in the data of the first content unit, and the data size of the data of the second content unit is greater than a preset value;
The detection module is configured to:
If the sum of the first numerical value, obtained by applying the preset algorithm to the data at the preset position in the data of the first content unit, and the data size of the data of the second content unit is greater than the preset value, report that the target file is a virus file.
8. The device according to claim 6, characterized in that the viral data structure feature comprises: the data size exceeds the preset upper limit on data size for the preset content unit;
The detection module is configured to:
If the data size of the data of the preset content unit exceeds the preset upper limit on data size for the preset content unit, report that the target file is a virus file.
9. The device according to claim 6, characterized in that the second acquisition module is configured to:
Obtain multiple pre-stored viral data structure features corresponding to the preset content unit;
The detection module is configured to:
If the data of the preset content unit conforms to any one of the multiple viral data structure features, report that the target file is a virus file.
10. The device according to claim 6, characterized in that the format of the target file is the Extensible Stylesheet Language (XSL) XLS format, and the preset content unit is a preset RECORD in the WORKBOOK STREAM.
CN201410466149.9A 2014-09-12 2014-09-12 A kind of method and apparatus of detection virus Active CN104376259B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410466149.9A CN104376259B (en) 2014-09-12 2014-09-12 A kind of method and apparatus of detection virus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410466149.9A CN104376259B (en) 2014-09-12 2014-09-12 A kind of method and apparatus of detection virus

Publications (2)

Publication Number Publication Date
CN104376259A true CN104376259A (en) 2015-02-25
CN104376259B CN104376259B (en) 2017-04-05

Family

ID=52555161

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410466149.9A Active CN104376259B (en) 2014-09-12 2014-09-12 A kind of method and apparatus of detection virus

Country Status (1)

Country Link
CN (1) CN104376259B (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101079689A (en) * 2006-05-26 2007-11-28 上海晨兴电子科技有限公司 Method and device for virus scanning and processing of the data received by mobile phone
CN101632092A (en) * 2006-11-13 2010-01-20 三星Sds株式会社 Method for inferring maliciousness of email and detecting a virus pattern
CN103473163A (en) * 2013-09-11 2013-12-25 腾讯科技(深圳)有限公司 Application program detection method and device

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106603557A (en) * 2016-12-30 2017-04-26 哈尔滨安天科技股份有限公司 Trojan detection method and system based on configuration information structure
CN108108625A (en) * 2017-12-29 2018-06-01 哈尔滨安天科技股份有限公司 Overflow vulnerability detection method, system and storage medium based on form isomery
CN108108625B (en) * 2017-12-29 2022-01-07 安天科技集团股份有限公司 Method, system and storage medium for detecting overflow vulnerability based on format isomerism

Also Published As

Publication number Publication date
CN104376259B (en) 2017-04-05

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant