CN104680066A - Method and device used for preventing misjudgment of antivirus software - Google Patents


Info

Publication number
CN104680066A
Authority
CN
China
Prior art keywords
file
data block
text
specified format
assigned address
Prior art date
Legal status
Pending
Application number
CN201510038900.XA
Other languages
Chinese (zh)
Inventor
陈治宇
周吉文
周杰
李伟
Current Assignee
Anyi Hengtong Beijing Technology Co Ltd
Original Assignee
Anyi Hengtong Beijing Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Anyi Hengtong Beijing Technology Co Ltd
Priority to CN201510038900.XA
Publication of CN104680066A


Abstract

The invention provides a method and a device for preventing misjudgment by antivirus software. The method includes: extracting data blocks at specified positions of a file of a specified format; determining that the file of the specified format is a white file when the data blocks at the specified positions are all recognized, according to their hash values, as data blocks of a white file; and filtering out the white file. Because whether a file is a white file is recognized from the hash values of data blocks at specified positions of the file rather than from a signature over the full text of the file, a one-to-many correspondence is achieved between a white file in the whitelist library and the files to be processed, more white files can be marked per unit of storage space, a terminal can store more white files locally, and the misjudgment rate is lowered efficiently and quickly during antivirus processing in an offline or intranet state.

Description

Method and device for preventing misjudgment by antivirus software
Technical field
The present invention relates to the field of computers, and in particular to a method and a device for preventing misjudgment by antivirus software.
Background technology
The detection rate for virus files and the false positive rate for white files are the two main criteria by which the effectiveness of antivirus software is judged. For the problem of false positives on white files, the prior art mainly adopts the following two means:
1. Online filtering using a whitelist in the cloud.
Online filtering against a cloud whitelist requires the user to stay connected to the network; it cannot work when the network is disconnected or in an intranet state, so the user cannot use it under those conditions.
2. Offline filtering using a local whitelist.
Offline filtering against a local whitelist verifies digital signatures, and a signature corresponds one-to-one with a white file, so the PC has to store a very large list of white files. Because the storage space of a PC is limited, the signatures of a large number of white files cannot be stored, and the false positive rate for white files cannot be reduced effectively.
Summary of the invention
One technical problem solved by the present invention is to provide a method and a device for preventing misjudgment by antivirus software, which reduce the white-file false positive rate of antivirus software quickly, accurately and effectively in an offline state.
According to an embodiment of one aspect of the present invention, a method for preventing misjudgment by antivirus software is provided, comprising:
extracting data blocks at specified positions of a file of a specified format;
when the data blocks at the specified positions of the file are recognized, according to the hash values of the data blocks, as data blocks of a white file, determining that the file of the specified format is a white file;
filtering out the white file.
Optionally, before extracting the data blocks at the specified positions of the file of the specified format, the method further comprises:
filtering out files of formats other than the specified format that are not easily infected by viruses.
Optionally, the file of the specified format comprises:
a file in the Portable Executable (PE) format.
Optionally, recognizing, according to the hash values of the data blocks, that the data blocks at the specified positions of the file are data blocks of a white file and thereby determining that the file of the specified format is a white file comprises:
calculating the hash values of the data blocks at the specified positions using the same hash function;
mapping the hash values into the bit array corresponding to the whitelist library;
if the values at all of the mapped positions are the predetermined value, determining that the data blocks at the specified positions of the file are data blocks of a white file, and hence that the file of the specified format is a white file.
Optionally, the specified positions comprise:
positions in the file of the specified format that are easily modified by viruses.
Optionally, the specified positions specifically comprise at least one of the following:
the DOS header, the NT header, the section table, imported functions, exported functions, resources, the code section, the data section, the entry point, the last section, and appended (overlay) data.
Optionally, the method further comprises:
parsing the digital signature of the file of the specified format;
filtering out files whose digital signature is valid.
According to an embodiment of another aspect of the present invention, a device for preventing misjudgment by antivirus software is provided, comprising:
a unit for extracting data blocks at specified positions of a file of a specified format;
a unit for determining that the file of the specified format is a white file when the data blocks at the specified positions of the file are recognized, according to the hash values of the data blocks, as data blocks of a white file;
a unit for filtering out the white file.
Optionally, the device further comprises:
a unit for filtering out, before the data blocks at the specified positions of the file of the specified format are extracted, files of formats other than the specified format that are not easily infected by viruses.
Optionally, the file of the specified format comprises:
a file in the Portable Executable (PE) format.
Optionally, the unit for determining that the file of the specified format is a white file when the data blocks at the specified positions are recognized, according to their hash values, as data blocks of a white file comprises:
a sub-unit for calculating the hash values of the data blocks at the specified positions using the same hash function;
a sub-unit for mapping the hash values into the bit array corresponding to the whitelist library;
a sub-unit for determining, when the values at all of the mapped positions are the predetermined value, that the data blocks at the specified positions of the file are data blocks of a white file, and hence that the file of the specified format is a white file.
Optionally, the specified positions comprise:
positions in the file of the specified format that are easily modified by viruses.
Optionally, the specified positions specifically comprise at least one of the following:
the DOS header, the NT header, the section table, imported functions, exported functions, resources, the code section, the data section, the entry point, the last section, and appended (overlay) data.
Optionally, the device further comprises:
a unit for parsing the digital signature of the file of the specified format;
a unit for filtering out files whose digital signature is valid.
Because the present invention recognizes, from the hash values of the data blocks at the specified positions of a file, whether those data blocks are data blocks of a white file, and thereby determines whether the file is a white file, without needing a signature over the full text of the file, it achieves a one-to-many correspondence between a white file in the whitelist library and the files to be processed, so that more white files can be marked per unit of storage space, a terminal can store more white files locally, and the false positive rate is reduced effectively and quickly during antivirus processing in an offline or intranet state.
Those of ordinary skill in the art will understand that, although the detailed description below refers to the illustrated embodiments and drawings, the present invention is not limited to these embodiments. The scope of the present invention is broader, and is intended to be limited only by the appended claims.
Brief description of the drawings
Other features, objects and advantages of the present invention will become more apparent from the following detailed description of non-limiting embodiments made with reference to the following drawings:
Fig. 1 is a flow chart of a method for preventing misjudgment by antivirus software according to an embodiment of the invention.
Fig. 2 is a flow chart of a method for recognizing whether the data blocks at the specified positions have been modified according to an embodiment of the invention.
Fig. 3 is a flow chart of a method for preventing misjudgment by antivirus software according to another embodiment of the invention.
Fig. 4 is a schematic structural diagram of a device for preventing misjudgment by antivirus software according to an embodiment of the invention.
Fig. 5 is a schematic structural diagram of the white file recognition unit according to an embodiment of the invention.
Fig. 6 is a schematic structural diagram of a device for preventing misjudgment by antivirus software according to another embodiment of the invention.
In the drawings, the same or similar reference numerals denote the same or similar components.
Detailed description
The present invention is described in further detail below with reference to the drawings.
Fig. 1 is a flow chart of a method for preventing misjudgment by antivirus software according to an embodiment of the invention. The method of the present invention is mainly carried out by the operating system or a processing controller in a computer device; the operating system or processing controller is referred to as the device for preventing misjudgment by antivirus software. The computer device includes but is not limited to at least one of: user equipment and network equipment. User equipment includes but is not limited to computers, smart phones, PDAs and the like. Network equipment includes but is not limited to a single network server, a server group formed by multiple network servers, or a cloud based on cloud computing and made up of a large number of computers or network servers, where cloud computing is a kind of distributed computing: a super virtual computer formed by a group of loosely coupled computers.
As shown in Fig. 1, the method for preventing misjudgment by antivirus software mainly comprises the following steps:
S100: extract the data blocks at the specified positions of the file of the specified format;
S110: when the data blocks at the specified positions of the file are recognized, according to their hash values, as data blocks of a white file, determine that the file of the specified format is a white file;
S120: filter out the white file.
Each of the above steps is described in further detail below.
It should first be noted that the method described in the embodiments of this application can be applied in any stage before the antivirus software performs virus detection, during virus detection, or after virus detection but before virus files are reported to the user. When applied before or during virus detection, the target files of the method are the files to be detected before the virus scan; when applied after virus detection, the target files are the virus files detected by the antivirus software. For convenience of description, the following embodiments of this application refer to the target file of the method as the file to be processed.
The file of the specified format in the present embodiment comprises a file in the Portable Executable (PE) format. PE-format files include but are not limited to files in formats such as EXE, DLL, OCX and SYS.
In addition, the specified positions in the embodiments of this application comprise positions in the file of the specified format that are easily modified by viruses, for example the DOS header and NT header of the PE file, the entry point of the PE file, and the imported functions.
In step S100, the data blocks at the specified positions of the file of the specified format are extracted. It will be understood that the more specified positions there are, the higher the accuracy of the subsequent determination of whether the file is a white file. In one embodiment the specified positions may comprise the following:
the DOS header and NT header, the section table, imported functions, exported functions, resources, the code section, the data section, the entry point, the last section, and appended (overlay) data.
Of course, the number of specified positions may also be fewer or more than the above.
For each specified position, the way the data block is obtained includes but is not limited to: obtaining a data block of a specified length or size at each specified position, for example a 512-byte data block at each position; the sizes of the data blocks obtained at different positions may also differ.
Step S110 recognizes whether the data blocks at the specified positions of the file of the specified format are data blocks of a white file; if they are, the file of the specified format can be determined to be a white file.
A white file in the embodiments of this application is a normal file that is not infected by a virus.
The method provided by the embodiments of this application for recognizing, according to the hash values of the data blocks, whether the data blocks at the specified positions of the file are data blocks of a white file is shown in Fig. 2 and specifically comprises the following sub-steps:
Sub-step 20: calculate the hash values of the data blocks at the specified positions using the same hash function.
For example, 10 specified positions are extracted from the PE file: the DOS header and NT header, the section table, imported functions, exported functions, resources, the code section, the data section, the entry point, the last section, and appended data. The same hash function is then used to calculate the hash value of the data block extracted at each of these 10 positions, giving 10 hash values.
Sub-step 21: map the hash values into the bit array corresponding to the whitelist library.
The whitelist library in the embodiments of this application is a database containing all white files, for which a Bloom filter can be set up. For example, for the data blocks at the specified positions of each white file in the whitelist library, the same hash function as in sub-step 20 is used to calculate the hash values, and each hash value is mapped into the bit array of the Bloom filter: the position of the bit array selected by the hash value is set to the predetermined value, for example 1, and if a position is set to 1 more than once only the first setting takes effect. The terminal then only needs to store locally the Bloom filter corresponding to the whitelist library, which saves terminal storage space and allows the antivirus detection to run offline.
Mapping the hash values into the bit array corresponding to the whitelist library in this step therefore means mapping the hash values of the data blocks at the specified positions, calculated in sub-step 20, into the bit array of the Bloom filter corresponding to the whitelist library.
For example, the 10 hash values obtained above are mapped into the bit array corresponding to the whitelist library, and it is checked whether the values at all of the mapped positions are the predetermined value, for example all 1.
Sub-step 22: if the values at the mapped positions are all 1, determine that the data blocks at the specified positions of the file are data blocks of a white file, and hence that the file of the specified format is a white file.
If the values at the mapped positions are all the predetermined value, for example all 1, the data blocks at the specified positions of the file to be processed are data blocks of a white file, which means that the file to be processed is a white file in the whitelist library and is not infected by a virus.
Sub-step 23: if the values at the mapped positions are not all 1, determine that the data blocks at the specified positions of the file are not all white-file data blocks, so the file of the specified format cannot be confirmed to be a white file.
Step S120 filters out the white file recognized in step S110.
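Step S100 and sub-steps 20 to 23 above, as an added Python example that is not part of the patent or of any product of the applicant: it extracts the blocks that can be located from the PE headers alone, hashes each block into a Bloom-filter bit array, and checks a constructed minimal PE image. Assumptions: SHA-256 as the single hash function with four bit positions sliced from its digest, 512-byte blocks, and a hand-built PE32 image as input; the names BloomWhitelist, extract_blocks, is_white_file and build_sample_pe are mine.

```python
import hashlib
import struct

BLOCK_LEN = 512  # bytes taken at each position; the size the page gives as an example


class BloomWhitelist:
    """Bit array of the whitelist library. Assumption: k bit positions come from one
    SHA-256 digest of the block. A Bloom filter never misses a registered block but can
    accept an unregistered one (false positive) with probability ~(1 - e^(-k*n/m))^k."""

    def __init__(self, m_bits: int = 1 << 20, k: int = 4):
        self.m, self.k = m_bits, k
        self.bits = bytearray(m_bits // 8)

    def _positions(self, block: bytes):
        digest = hashlib.sha256(block).digest()
        return [int.from_bytes(digest[4 * i:4 * i + 4], "little") % self.m
                for i in range(self.k)]

    def add(self, block: bytes) -> None:
        for p in self._positions(block):
            self.bits[p >> 3] |= 1 << (p & 7)   # a bit set twice stays set once

    def contains(self, block: bytes) -> bool:
        return all((self.bits[p >> 3] >> (p & 7)) & 1 for p in self._positions(block))


def extract_blocks(pe: bytes) -> dict:
    """Step S100 for the positions locatable from the PE headers alone: DOS header, NT
    headers, section table, entry point, last section, overlay. Imports, exports,
    resources and code/data sections would be found via the data directories/names."""
    blocks = {}
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return blocks
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if e_lfanew + 44 > len(pe) or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return blocks
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    entry_rva = struct.unpack_from("<I", pe, e_lfanew + 40)[0]  # AddressOfEntryPoint
    sec_tab = e_lfanew + 24 + opt_size
    if sec_tab + 40 * nsec > len(pe):
        return blocks
    blocks["dos_head"] = pe[:0x40]
    blocks["nt_head"] = pe[e_lfanew:sec_tab]
    blocks["section_table"] = pe[sec_tab:sec_tab + 40 * nsec]
    sections = [struct.unpack_from("<8sIIII", pe, sec_tab + 40 * i) for i in range(nsec)]
    end_of_sections = 0
    for _name, vsize, va, raw_size, raw_ptr in sections:
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
        if va <= entry_rva < va + max(vsize, raw_size):   # RVA -> file offset
            off = entry_rva - va + raw_ptr
            blocks["entry"] = pe[off:off + BLOCK_LEN]
    if sections:
        last_ptr = max(s[4] for s in sections)
        blocks["last_section"] = pe[last_ptr:last_ptr + BLOCK_LEN]
    if end_of_sections < len(pe):   # data appended after the last section
        blocks["overlay"] = pe[end_of_sections:end_of_sections + BLOCK_LEN]
    return blocks


def register_white_file(wl: BloomWhitelist, pe: bytes) -> None:
    """Library-build side: hash every block of a known-good file into the bit array."""
    for block in extract_blocks(pe).values():
        wl.add(block)


def is_white_file(wl: BloomWhitelist, pe: bytes) -> bool:
    """Sub-steps 20-23: white only if every extracted block maps to all-set bits."""
    blocks = extract_blocks(pe)
    return bool(blocks) and all(wl.contains(b) for b in blocks.values())


def build_sample_pe(version: bytes, entry_code: bytes = b"\x31\xc0\xc3") -> bytes:
    """Constructed input: minimal PE32 image (not meant to run) with one 1024-byte .text
    section: entry code at its start, version string at offset 600 (outside all blocks)."""
    SEC_OFF, SEC_SIZE, SEC_RVA = 0x200, 0x400, 0x1000
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    opt = bytearray(96)                                        # PE32, no data directories
    struct.pack_into("<H", opt, 0, 0x10B)                      # Magic = PE32
    struct.pack_into("<I", opt, 16, SEC_RVA)                   # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec = struct.pack("<8sIIIIIIHHI", b".text", SEC_SIZE, SEC_RVA, SEC_SIZE, SEC_OFF,
                      0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(SEC_OFF, b"\0")
    text = bytearray(SEC_SIZE)
    text[:len(entry_code)] = entry_code
    text[600:600 + len(version)] = version
    return header + bytes(text)


def demo() -> dict:
    """Re-versioned copy stays white (one-to-many); patched entry or appended data does not."""
    wl = BloomWhitelist()
    register_white_file(wl, build_sample_pe(b"1.0.0"))
    return {
        "same_version": is_white_file(wl, build_sample_pe(b"1.0.0")),
        "new_version": is_white_file(wl, build_sample_pe(b"1.0.1")),
        "patched_entry": is_white_file(wl, build_sample_pe(b"1.0.0", b"\x90\x90\xc3")),
        "appended_data": is_white_file(wl, build_sample_pe(b"1.0.0") + b"X" * 64),
        "not_pe": is_white_file(wl, b"not a PE file"),
    }
```

demo() shows the one-to-many effect the page describes: the re-versioned copy stays white, while a patched entry point or appended overlay data does not. Because a Bloom filter admits false positives, a file that passes should be treated as probably, not certainly, white.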
In the prior art, whether a file matches a file in the whitelist library is determined from the signature or hash value of the whole file. If any part of the whole file is modified, for example the version number, the signature differs, so the whitelist library must store the information for every different version of the file; that is, the files in the whitelist library and the files to be processed are in a one-to-one relationship.
Because the specified positions in the embodiments of this application are the positions easily modified by viruses and do not include the positions holding information such as the version number, one white file in the whitelist library can correspond to files to be processed of several different versions (the present embodiment uses the version number only as an illustration). This one-to-many correspondence between white files in the whitelist library and files to be processed lets more white files be marked per unit of storage space than a traditional local whitelist mechanism, so a unit of storage space can filter more files.
In addition, because storage efficiency improves, the library can reach 1/8 of the size of a traditional whitelist library, so the whitelist library can be stored on the client and the false positive rate of virus detection is effectively reduced in an offline state.
At the same time, compared with the prior art, which needs to compute a signature or hash value over the full text of the file, the embodiments of this application compute only the hash values of the data blocks at the specified positions, which greatly reduces file I/O and improves computation speed.
Because the present invention recognizes, from the hash values of the data blocks at the specified positions of a file, whether those data blocks are data blocks of a white file, and thereby determines whether the file is a white file, without needing a signature over the full text of the file, it achieves a one-to-many correspondence between a white file in the whitelist library and the files to be processed, so that more white files can be marked per unit of storage space, a terminal can store more white files locally, and the false positive rate is reduced effectively and quickly during antivirus processing in an offline or intranet state.
The method for preventing misjudgment by antivirus software of another embodiment of this application is shown in Fig. 3 and specifically comprises the following operations:
S300: filter out white files of non-PE formats, which are not easily infected by viruses;
S310: parse the digital signature of the file of the specified format;
S320: filter out files whose digital signature is valid;
S330: extract the data blocks at the specified positions of the file of the specified format;
S340: when the data blocks at the specified positions of the file are recognized, according to their hash values, as data blocks of a white file, determine that the file of the specified format is a white file;
S350: filter out the white file.
Each of the above steps is described in further detail below.
It should first be noted that the method described in the embodiments of this application can be applied in any stage before the antivirus software performs virus detection, during virus detection, or after virus detection but before virus files are reported to the user. When applied before or during virus detection, the target files of the method are the files to be detected before the virus scan; when applied after virus detection, the target files are the virus files detected by the antivirus software. For convenience of description, the following embodiments of this application refer to the target file of the method as the file to be processed.
The file of the specified format in the present embodiment comprises a file in the Portable Executable (PE) format. PE-format files include but are not limited to files in formats such as EXE, DLL, OCX and SYS.
Because files in the PE format are the files easily infected by viruses, the embodiments of this application treat files of non-PE formats as white files. To reduce the workload of subsequent calculations and other operations, the embodiments filter out the white files of non-PE formats, which are not easily infected, before performing step S310.
The embodiments of this application do not restrict the method of identifying the file format of the file to be processed; for example, it may be identified from the file's extension name or from its content.
In addition, the specified positions in the embodiments of this application comprise positions in the file of the specified format that are easily modified by viruses, for example the DOS header and NT header of the PE file, the entry point of the PE file, and the imported functions.
The present embodiment extracts the data blocks at the specified positions of the file of the specified format; the more specified positions there are, the higher the accuracy of the subsequent white file recognition. In one embodiment the specified positions may comprise the following:
the DOS header and NT header, the section table, imported functions, exported functions, resources, the code section, the data section, the entry point, the last section, and appended (overlay) data.
Of course, in practice the number and specific locations of the specified positions may differ from the above, and there may be more or fewer positions.
For each specified position, the way the data block is obtained includes but is not limited to: obtaining a data block of a specified length or size at each specified position, for example a 512-byte data block at each position; the sizes of the data blocks obtained at different positions may also differ.
Steps S310 and S320 further improve the accuracy of misjudgment prevention by recognizing white files through verification of the digital signature of the file to be processed. For a file in the PE format, the digital signature of the PE file is parsed; a PE file whose digital signature is valid is considered a white file, and files with a valid digital signature are filtered out. The method of judging whether a digital signature is valid comprises at least one of the following:
1) verifying whether the signature of the file to be processed is correct;
for example, the digest in the signature of the file to be processed is decrypted with the public key of the asymmetric encryption and compared with the digest computed over the file; if they match, the signature is correct.
2) verifying whether the publisher carried in the signature of the file to be processed is a legitimate user.
For example, the signature of the file to be processed carries the file's publisher information, and the whitelist library stores the information of legitimate publishers; if the publisher carried in the signature is a publisher in the whitelist library, the publisher is determined to be legitimate and the digital signature of the file can be determined to be valid.
Step S340 recognizes, according to the hash values of the data blocks, whether the data blocks at the specified positions of the file of the specified format are data blocks of a white file, and thereby determines that the file is a white file. The specific recognition method is as described above for Fig. 2 and its corresponding embodiment and is not repeated here.
Step S350 filters out the white file recognized in step S340.
The present embodiment divides the whole flow into three filter operations: step S300 is the first filter operation, steps S310 to S320 the second, and steps S330 to S350 the third. The first filter operation must be performed before the third; there is no restriction on the order of the second filter operation relative to the first and third, so it may be performed before or after the first filter operation and before or after the third.
In the prior art, whether a file matches a file in the whitelist library is determined from the signature or hash value of the whole file. If any part of the whole file is modified, for example the version number, the signature differs, so the whitelist library must store the information for every different version of the file; that is, the files in the whitelist library and the files to be processed are in a one-to-one relationship.
Because the specified positions in the embodiments of this application are the positions easily modified by viruses and do not include the positions holding information such as the version number, one white file in the whitelist library can correspond to files to be processed of several different versions (the present embodiment uses the version number only as an illustration). This one-to-many correspondence between white files in the whitelist library and files to be processed lets more white files be marked per unit of storage space than a traditional local whitelist mechanism, so a unit of storage space can filter more files.
In addition, because storage efficiency improves, the library can reach 1/8 of the size of a traditional whitelist library, so the whitelist library can be stored on the client and the false positive rate of virus detection is effectively reduced in an offline state.
At the same time, compared with the prior art, which needs to compute a signature or hash value over the full text of the file, the embodiments of this application compute only the hash values of the data blocks at the specified positions, which greatly reduces file I/O and improves computation speed.
Because the present invention recognizes, from the hash values of the data blocks at the specified positions of a file, whether those data blocks are data blocks of a white file, and thereby determines whether the file is an unmodified white file, without needing a signature over the full text of the file, it achieves a one-to-many correspondence between a white file in the whitelist library and the files to be processed, so that more white files can be marked per unit of storage space, a terminal can store more white files locally, and the false positive rate is reduced effectively and quickly during antivirus processing in an offline or intranet state.
Based on the thinking that said method is same, the embodiment of the present application also provides a kind of device for the anti-erroneous judgement of antivirus software, and as shown in Figure 4, be the structural representation of described device, this device mainly comprises:
For extracting the unit 400 of the data block of the assigned address of specified format file, hereinafter referred to as data block extraction unit 400;
Data block for the described assigned address identifying described specified format file according to the cryptographic hash of described data block is the data block of text of an annotated book part, then determine that described specified format file is the unit 410 of text of an annotated book part, hereinafter referred to as text of an annotated book part recognition unit 410;
For filtering out the unit 420 of described text of an annotated book part, hereinafter referred to as white file filtering unit 420.
The device described in this embodiment may perform the anti-misjudgment operation before the antivirus software performs virus detection, during virus detection, or at any point after virus detection and before a virus file is reported to the user. When it is applied before or during virus detection, the files the device operates on are the files to be detected before virus scanning; when it is applied after virus detection, the files the device operates on are the virus files detected by the antivirus software.
The specified-format file in this embodiment comprises a file in PE (Portable Executable) format. Files in PE format include, but are not limited to, files in EXE, DLL, OCX and SYS format.
It should also be noted that the specified positions in this embodiment comprise positions in the specified-format file that are easily modified by a virus, for example the DOS header and NT header of the PE file, the PE entry point, and the imported functions.
The data block extraction unit 400 extracts data blocks at the specified positions of the specified-format file. The more specified positions there are, the more accurately a white file is identified. In one embodiment the specified positions may comprise several of the following:
DOS header and NT header, section table, imported functions, exported functions, resources, code section, data section, entry point, last section, and appended data.
For each specified position, the way the data block extraction unit 400 obtains the data block includes, but is not limited to, obtaining a data block of a specified length or size at each specified position, for example a 512-byte data block at each specified position; the size of the data block obtained at each specified position may also differ.
The white file recognition unit 410 identifies whether the data blocks at the specified positions are data blocks of a white file; if they are, the specified-format file is a white file. As shown in Figure 5, the white file recognition unit 410 of this embodiment may further comprise the following subunits:
a subunit 4101 for calculating the hash values of the data blocks at the specified positions using the same hash function, hereinafter referred to as the hash calculation subunit 4101;
For example, the data block extraction unit 400 extracts data blocks at 10 specified positions of the PE file: the DOS header, section table, imported functions, exported functions, resources, code section, data section, entry point, last section and appended data. The hash calculation subunit 4101 then calculates the hash values of the data blocks extracted at these 10 positions using the same hash function, obtaining 10 hash values.
a subunit 4102 for mapping the hash values into a bit array corresponding to the whitelist database, hereinafter referred to as the mapping subunit 4102;
The whitelist database in this embodiment is a database containing all white files, for which a Bloom filter can be set up. For example, for the data blocks at the specified positions of each white file in the whitelist database, hash values are calculated using the same hash function (identical to the one used by the hash calculation subunit 4101) and mapped into the bit array of the Bloom filter; that is, according to each hash value, the corresponding position in the Bloom filter's bit array is set to a predetermined value, such as 1. If a position is set to 1 more than once, only the first setting takes effect. The terminal then only needs to keep locally the Bloom filter corresponding to the whitelist database, which saves terminal storage space effectively and allows it to perform antivirus detection offline.
Mapping the hash values into the bit array corresponding to the whitelist database means mapping the hash values of the data blocks at the specified positions, as calculated by the hash calculation subunit 4101, into the bit array of the Bloom filter corresponding to the whitelist database.
For example, the 10 hash values obtained above are mapped into the bit array corresponding to the whitelist database, and it is judged whether the values at all the mapped positions are the predetermined value, for example whether they are all set to 1.
a subunit 4103 for determining, when the values at all the mapped positions are the predetermined value, for example all 1, that the data blocks at the specified positions of the specified-format file are data blocks of a white file and hence that the specified-format file is a white file, hereinafter referred to as the recognition subunit 4103. The recognition subunit 4103 judges whether the values at the positions mapped by the mapping subunit 4102 are all the predetermined value, for example all set to 1. If the values at all the mapped positions are the predetermined value, the data blocks at the specified positions of the file being processed are data blocks of an unmodified white file, which means the file is a white file in the whitelist database and is not infected by a virus. If not all the values at the mapped positions are the predetermined value, the file being processed cannot be considered a white file.
The filtering unit 420 filters out the white files identified by the white file recognition unit 410.
In the prior art, whether a file is consistent with a file in the whitelist database is detected according to the signature or hash value of the whole file. If any part of the whole file is modified, for example the version number, its signature differs, so the whitelist database must store information for every different version of the file; that is, files in the whitelist database and files to be processed are in a one-to-one relationship.
Because the specified positions in this embodiment are positions easily modified by a virus and do not include positions holding information such as the version number, one white file in the whitelist database can correspond to files to be processed of multiple different versions (the version number is used here only as an illustration). This one-to-many correspondence between white files in the whitelist database and files to be processed allows more white files to be marked per unit of storage space than a traditional local whitelist mechanism, so that a unit of storage space can filter more files.
In addition, because storage efficiency is improved, the storage required can be as little as 1/8 of a traditional whitelist database, so the whitelist database can be stored on the client, effectively reducing the false-positive rate of virus detection in the offline state.
Meanwhile, compared with the prior art, which needs to compute a signature or hash value over the full contents of a file, this embodiment only calculates the hash values of the data blocks at the specified positions, which greatly reduces file I/O and improves computation speed.
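An added illustration, not the patent's own code, of the extraction, hashing, Bloom-filter mapping and all-bits-set judgment described above, together with the one-to-many version argument: it parses a constructed PE32 image for a hypothetical subset of the listed positions, hashes a 512-byte block at each with SHA-256, and shows that a version string lying outside the hashed blocks still matches the whitelist while a patched entry point or appended data does not. The bit-index scheme, filter size, choice of SHA-256 and the sample image are assumptions.

```python
import hashlib
import struct

BLOCK = 512  # bytes hashed at each specified position (the page's example size)

def pe_positions(data):
    """Hypothetical subset of the page's positions, as file offsets: DOS header,
    NT headers, section table, entry point, last section and appended data."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    table = opt + opt_size
    # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section
    secs = [struct.unpack_from("<IIII", data, table + 40 * i + 8) for i in range(nsec)]
    entry = [rp + entry_rva - va for vs, va, rs, rp in secs if va <= entry_rva < va + max(vs, rs)]
    if not entry:
        raise ValueError("entry point outside all sections")
    last = max(secs, key=lambda s: s[3])
    return {"dos": 0, "nt": e_lfanew, "sections": table, "entry": entry[0],
            "last_section": last[3], "appended": last[3] + last[2]}

class BloomFilter:
    """Bit array the terminal keeps instead of the whitelist database itself."""
    def __init__(self, m_bits=1 << 16, k=3):
        self.m, self.k, self.bits = m_bits, k, bytearray(m_bits // 8)

    def _positions(self, digest):
        # k bit indices taken from slices of the SHA-256 digest (constructed scheme)
        return [int.from_bytes(digest[4 * i:4 * i + 4], "little") % self.m for i in range(self.k)]

    def add(self, digest):
        for p in self._positions(digest):
            self.bits[p >> 3] |= 1 << (p & 7)  # a bit already set just stays set

    def contains(self, digest):
        return all((self.bits[p >> 3] >> (p & 7)) & 1 for p in self._positions(digest))

def block_digests(data):
    """Same hash function for every position, as the page requires."""
    return {n: hashlib.sha256(data[o:o + BLOCK]).digest() for n, o in pe_positions(data).items()}

def is_white_file(bf, data):
    try:
        digests = block_digests(data)
    except (ValueError, struct.error):
        return False  # non-PE input: the page filters these out before extraction
    return all(bf.contains(d) for d in digests.values())  # unit 4103's all-bits-set rule

def build_pe(code, rdata, appended=b""):
    """Constructed, non-runnable PE32 image: headers, .text at 0x200, .rdata at 0x600."""
    def sec(name, va, rptr):
        return struct.pack("<8sIIIIIIHHI", name, 1024, va, 1024, rptr, 0, 0, 0, 0, 0)
    hdr = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 28, 0x102)
           + struct.pack("<HBBIIIIII", 0x10B, 0, 0, 1024, 1024, 0, 0x1000, 0x1000, 0x2000)
           + sec(b".text", 0x1000, 0x200) + sec(b".rdata", 0x2000, 0x600))
    return hdr.ljust(0x200, b"\0") + code.ljust(1024, b"\0") + rdata.ljust(1024, b"\0") + appended

def demo():
    code = b"\x55\x89\xe5\xc3"
    # the version string sits 700 bytes into .rdata, past the 512-byte block hashed
    # at "last_section", so a version bump leaves every hashed block unchanged
    v1 = build_pe(code, b"\0" * 700 + b"1.0.0")
    v2 = build_pe(code, b"\0" * 700 + b"1.0.1")
    bf = BloomFilter()
    for d in block_digests(v1).values():  # only v1 is ever added to the whitelist
        bf.add(d)
    return {"v1": is_white_file(bf, v1),
            "v2_unlisted_version": is_white_file(bf, v2),
            "entry_patched": is_white_file(bf, v1[:0x200] + b"\xe9" + v1[0x201:]),
            "appended_data": is_white_file(bf, build_pe(code, b"\0" * 700 + b"1.0.0", b"EXTRA")),
            "not_pe": is_white_file(bf, b"#!/bin/sh\n")}
```

The filter holds only 8 KiB for 65536 bits; the page's storage claim rests on the same idea, that the terminal keeps the bit array rather than the files or their full hashes.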
Figure 6 is a structural diagram of another example of the device. The device in this embodiment may also comprise:
a unit 430 for filtering out, before the data blocks at the specified positions of the specified-format file are extracted, files of a non-specified format that are not easily infected by viruses, hereinafter referred to as the specified-format file filtering unit 430. Because files in PE format are easily infected by viruses, this embodiment treats files in non-PE formats as white files and filters these white files of non-specified format out with the specified-format file filtering unit 430, to reduce the computational load of the device. The specified-format file filtering unit 430 can filter out white files of non-PE formats that are not easily infected before the data block extraction unit 400 extracts data blocks at the specified positions of the specified-format file. This embodiment does not restrict the method of identifying the format of the file to be processed; for example, identification may be based on the extension of the file or on its content.
To further improve the accuracy of the device's anti-misjudgment, the device in this embodiment may further comprise:
a unit 440 for parsing the digital signature of the specified-format file, hereinafter referred to as the digital signature verification unit 440;
a unit 450 for filtering out files whose digital signature is valid, hereinafter referred to as the valid digital signature filtering unit 450.
After files in non-PE formats have been filtered out, the digital signature of each PE-format file can be parsed; a PE file with a valid digital signature is considered a white file and is filtered out. The method of judging whether a digital signature is valid comprises at least one of the following:
(1) verifying whether the signature of the file to be processed is correct;
for example, decrypting the digest in the signature of the file to be processed with the public key of the asymmetric cipher and comparing it with the digest of the file to be processed; if they match, the signature is correct.
(2) verifying whether the publisher carried in the signature of the file to be processed is a legitimate user.
For example, the signature of the file to be processed carries the publisher information, and the whitelist database stores the information of legitimate publishers; if the publisher carried in the signature of the file to be processed is a publisher in the whitelist database, the publisher is determined to be a legitimate user and the digital signature of the file can be determined to be valid.
It will be understood that files with a valid digital signature may also be filtered out before the filtering by PE format, in which case the digital signature verification unit 440 also operates on files in non-PE formats.
The operation by which the digital signature verification unit 440 and the valid digital signature filtering unit 450 identify and filter white files by digital signature may be performed either before or after the operation of the data block extraction unit 400 described above.
The present invention identifies whether the data block at a specified position of a file is a data block of a white file according to the hash value of that data block, and thereby determines whether the file is a white file, without needing to identify the file by a signature over its full contents. This achieves a one-to-many correspondence between a white file in the whitelist database and files to be processed, so that more white files can be marked per unit of storage space, the terminal can store more white files locally, and the false-positive rate is reduced effectively and rapidly during scanning in an offline or intranet state.
It should be noted that the present invention can be implemented in software and/or a combination of software and hardware, for example using an application-specific integrated circuit (ASIC), a general-purpose computer or any other similar hardware device. In one embodiment, the software program of the present invention can be executed by a processor to implement the steps or functions described above. Likewise, the software program of the present invention (including related data structures) can be stored in a computer-readable recording medium, such as RAM, a magnetic or optical drive, a floppy disk or similar devices. In addition, some steps or functions of the present invention can be implemented in hardware, for example as circuits that cooperate with a processor to perform each step or function.
In addition, part of the present invention can be applied as a computer program product, such as computer program instructions which, when executed by a computer, can invoke or provide the method and/or technical solution according to the present invention through the operation of that computer. The program instructions that invoke the method of the present invention may be stored in a fixed or removable recording medium, and/or transmitted by a data stream in a broadcast or other signal-bearing medium, and/or stored in the working memory of a computer device running according to the program instructions. Here, a device according to one embodiment of the present invention comprises a memory for storing computer program instructions and a processor for executing the program instructions, wherein, when the computer program instructions are executed by the processor, the device is triggered to operate according to the method and/or technical solution of the multiple embodiments described above.
It is obvious to those skilled in the art that the present invention is not limited to the details of the above exemplary embodiments, and that it can be realized in other specific forms without departing from its spirit or essential characteristics. The embodiments should therefore be regarded in all respects as exemplary and not restrictive; the scope of the present invention is defined by the appended claims rather than by the above description, and all changes that fall within the meaning and range of equivalency of the claims are therefore intended to be included in the present invention. No reference sign in a claim should be construed as limiting the claim. Furthermore, the word "comprising" does not exclude other units or steps, and the singular does not exclude the plural. Multiple units or devices recited in a system claim may also be implemented by one unit or device in software or hardware. Words such as "first" and "second" are used to denote names and do not denote any particular order.

Claims (14)

1. A method for preventing misjudgment by antivirus software, comprising:
extracting data blocks at specified positions of a file of a specified format;
when the data blocks at the specified positions of the specified-format file are identified, according to the hash values of the data blocks, as data blocks of a white file, determining that the specified-format file is a white file; and
filtering out the white file.
2. The method according to claim 1, wherein, before extracting the data blocks at the specified positions of the specified-format file, the method further comprises:
filtering out files of a non-specified format that are not easily infected by viruses.
3. The method according to claim 1 or 2, wherein the file of the specified format comprises:
a file in Portable Executable (PE) format.
4. The method according to claim 1, wherein the step of identifying, according to the hash values of the data blocks, that the data blocks at the specified positions of the specified-format file are data blocks of a white file and determining that the specified-format file is a white file comprises:
calculating the hash values of the data blocks at the specified positions using the same hash function;
mapping the hash values into a bit array corresponding to a whitelist database; and
if the values at all the mapped positions are a predetermined value, determining that the data blocks at the specified positions of the specified-format file are data blocks of a white file, and hence that the specified-format file is a white file.
5. The method according to claim 1, wherein the specified positions comprise:
positions in the specified-format file that are easily modified by a virus.
6. The method according to claim 5, wherein the specified positions specifically comprise at least one of the following:
DOS header, NT header, section table, imported functions, exported functions, resources, code section, data section, entry point, last section, and appended data.
7. The method according to claim 1 or 2, wherein the method further comprises:
parsing the digital signature of the specified-format file; and
filtering out files whose digital signature is valid.
8. A device for preventing misjudgment by antivirus software, comprising:
a unit for extracting data blocks at specified positions of a file of a specified format;
a unit for determining that the specified-format file is a white file when the data blocks at the specified positions of the specified-format file are identified, according to the hash values of the data blocks, as data blocks of a white file; and
a unit for filtering out the white file.
9. The device according to claim 8, wherein the device further comprises:
a unit for filtering out, before the data blocks at the specified positions of the specified-format file are extracted, files of a non-specified format that are not easily infected by viruses.
10. The device according to claim 8 or 9, wherein the file of the specified format comprises:
a file in Portable Executable (PE) format.
11. The device according to claim 8, wherein the unit for identifying, according to the hash values of the data blocks, that the data blocks at the specified positions of the specified-format file are data blocks of a white file comprises:
a subunit for calculating the hash values of the data blocks at the specified positions using the same hash function;
a subunit for mapping the hash values into a bit array corresponding to a whitelist database; and
a subunit for determining, when the values at all the mapped positions are a predetermined value, that the data blocks at the specified positions of the specified-format file are data blocks of a white file, and hence that the specified-format file is a white file.
12. The device according to claim 8, wherein the specified positions comprise:
positions in the specified-format file that are easily modified by a virus.
13. The device according to claim 12, wherein the specified positions specifically comprise at least one of the following:
DOS header and NT header, section table, imported functions, exported functions, resources, code section, data section, entry point, last section, and appended data.
14. The device according to claim 8 or 9, wherein the device further comprises:
a unit for parsing the digital signature of the specified-format file; and
a unit for filtering out files whose digital signature is valid.
CN201510038900.XA 2015-01-26 2015-01-26 Method and device used for preventing misjudgment of antivirus software Pending CN104680066A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510038900.XA CN104680066A (en) 2015-01-26 2015-01-26 Method and device used for preventing misjudgment of antivirus software

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510038900.XA CN104680066A (en) 2015-01-26 2015-01-26 Method and device used for preventing misjudgment of antivirus software

Publications (1)

Publication Number Publication Date
CN104680066A true CN104680066A (en) 2015-06-03

Family

ID=53315096

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510038900.XA Pending CN104680066A (en) 2015-01-26 2015-01-26 Method and device used for preventing misjudgment of antivirus software

Country Status (1)

Country Link
CN (1) CN104680066A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030074573A1 (en) * 2001-10-15 2003-04-17 Hursey Nell John Malware scanning of compressed computer files
CN102930206A (en) * 2011-08-09 2013-02-13 腾讯科技(深圳)有限公司 Cluster partitioning processing method and cluster partitioning processing device for virus files
CN103390130A (en) * 2013-07-18 2013-11-13 北京奇虎科技有限公司 Rogue program searching and killing method and device based on cloud security as well as server
CN104239795A (en) * 2014-09-16 2014-12-24 百度在线网络技术(北京)有限公司 File scanning method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
傅建明,等: "《计算机病毒分析与对抗》", 30 April 2004 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106682510A (en) * 2016-09-06 2017-05-17 腾讯科技(深圳)有限公司 Method and device for preventing virus manslaughter
CN106682510B (en) * 2016-09-06 2019-04-12 腾讯科技(深圳)有限公司 A kind of method and device for preventing virus from manslaughtering

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20150603