WO2017084557A1 - File scanning method and device - Google Patents

Publication number
WO2017084557A1
Authority
WO
WIPO (PCT)
Prior art keywords
log
file
scan
scanning
incremental
Application number
PCT/CN2016/105906
Inventor
汤迪斌
王剑
Original Assignee
北京奇虎科技有限公司
北京奇安信科技有限公司
Application filed by 北京奇虎科技有限公司, 北京奇安信科技有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/565 Static detection by checking file integrity

Definitions

  • The present invention relates to the field of computer technologies, and in particular to a file scanning method and apparatus.
  • Current anti-virus software generally scans for viruses by full-disk scanning: it enumerates the files in the system to be scanned, for example starting from the root directory of the C drive, and passes them one by one to the anti-virus engines behind it, and the multiple anti-virus engines produce a scan result after scanning for viruses.
  • This scanning method can effectively detect and remove viruses, but because it enumerates the files in the system, it is time-consuming and consumes too many system resources. An efficient and secure file scanning method is therefore needed that, while keeping the terminal secure, not only detects and removes viruses accurately but also saves scanning time and system resources.
  • In view of the above problems, the present invention is proposed in order to provide a file scanning method and a corresponding apparatus that overcome the above problems or at least partially solve them.
  • A file scanning method is provided for performing a security scan on files in a terminal, wherein an incremental log is provided in the terminal and, when a file in the terminal undergoes a change operation, a log record is added to the incremental log, the method including:
  • locating the position of the scan cutoff log in the incremental log and, taking the scan cutoff log as the starting point, incrementally scanning the files in the terminal according to the newly added log records in the incremental log.
  • A file scanning apparatus is further provided for performing a security scan on files in a terminal, wherein an incremental log is provided in the terminal and, when a file in the terminal undergoes a change operation, a log record is added to the incremental log, the apparatus including:
  • a recording module, adapted to determine the last log record in the incremental log corresponding to each scan operation and record it as the scan cutoff log;
  • an input module, adapted to receive a scan trigger operation for scanning files in the terminal;
  • an obtaining module, adapted to obtain from the recording module the scan cutoff log recorded by the previous scan operation;
  • a scanning module, which locates the position of the scan cutoff log in the incremental log and, taking the scan cutoff log as the starting point, incrementally scans the files in the terminal according to the newly added log records in the incremental log.
  • A computer program is provided, comprising computer readable code that, when run on a computing device, causes the computing device to perform the file scanning method described above.
  • A computer readable medium storing the computer program described above is provided.
  • In embodiments of the present invention, an incremental log is provided in the terminal, and when a file in the terminal undergoes a change operation, a log record is added to the incremental log.
  • When a scan is triggered, the last log record in the incremental log corresponding to the previous scan operation, that is, the scan cutoff log, is obtained, and the terminal only needs to scan the log records newly added after the cutoff log to perform a security scan of the files. Because the incremental log only appends new records to the existing log, and the previously existing records do not change, the present invention scans only the file increments and avoids scanning the entire incremental log from beginning to end. Especially when the number of files is large, this clearly saves the time spent on file scanning, effectively improves the efficiency of file scanning, and saves system resources.
  • FIG. 1 is a schematic flow chart of a file scanning method according to an embodiment of the present invention.
  • FIG. 2 is a schematic flow chart of a file scanning method according to another embodiment of the present invention.
  • FIG. 3 is a schematic flow chart of a file scanning method according to another embodiment of the present invention.
  • FIG. 4 is a schematic structural diagram of a file scanning apparatus according to an embodiment of the present invention.
  • FIG. 5 is a schematic block diagram of a computing device for performing the file scanning method according to the present invention.
  • FIG. 6 schematically shows a storage unit for holding or carrying program code implementing the file scanning method according to the present invention.
  • FIG. 1 shows a schematic flow chart of a file scanning method according to an embodiment of the present invention.
  • The method includes at least steps S102 to S106.
  • Step S102: receive a scan trigger operation for scanning files in the terminal.
  • Step S104: obtain the scan cutoff log recorded by the previous scan operation, where the scan cutoff log is the last log record in the incremental log corresponding to the previous file scan operation.
  • How the scan cutoff log is obtained depends on the incremental log itself. If the incremental log is kept by the number of log entries, the log is read and each entry read is checked to determine whether it is the last log record. If the log is indexed, the last log record can be found and obtained by reading the index.
  • The scan cutoff log can be obtained by recording the index number of the scan cutoff log.
  • Step S106: locate the position of the scan cutoff log in the incremental log and, taking the scan cutoff log as the starting point, incrementally scan the files in the terminal according to the newly added log records in the incremental log.
  • An incremental log is provided in the terminal, and when a file in the terminal undergoes a change operation, a log record is added to the incremental log.
  • When a scan is triggered, the last log record in the incremental log corresponding to the previous scan operation, that is, the scan cutoff log, is obtained, and the terminal only needs to scan the log records newly added after the cutoff log to perform a security scan of the files.
  • The incremental log only appends new records to the existing log. Security scanning therefore covers only the incremental part of the files on top of the existing log, which avoids scanning the whole of the incremental log. Especially when the number of files is large, this significantly saves the time spent on file scanning and effectively improves its efficiency.
  • FIG. 2 is a schematic flow chart of a file scanning method in a specific embodiment of the present invention. Referring to FIG. 2, the method includes at least steps S202 to S210.
  • Step S202: receive a scan trigger operation for scanning files in the terminal.
  • Step S204: when the incremental log is numerically indexed, the index number of the scan cutoff log is recorded, where the scan cutoff log is the last log record in the incremental log corresponding to the previous file scan operation.
  • Step S206: find the position corresponding to the index number of the scan cutoff log using the numeric index of the incremental log.
  • Step S208: starting from the index number of the scan cutoff log, determine the files targeted by the subsequent scan operation according to the index numbers of the newly added log records, where the files targeted include newly added files and/or changes to existing files.
  • Changes to an existing file include at least one of: changes to the content of the existing file; changes to the attributes of the existing file; changes to the feature parameters of the existing file.
  • Not every change to an existing file's attributes needs to be scanned. Some attributes are modified maliciously, for example an IE attribute is maliciously modified so that the title bar at the top of the IE browser is changed to read "welcome to visit ... website"; such modifications are included in the scope of existing file attribute changes.
  • File attribute changes that comply with security requirements do not need to be scanned again, for example where the change only involves a text type modification (such as converting a Word text type to a PDF text type) or only involves a change of modification time (e.g. 2015-11-10 changed to 2015-11-13).
  • Step S210: perform an incremental scan on the determined files.
  • An incremental log is provided in the terminal, and when a file in the terminal undergoes a change operation, a log record is added to the incremental log.
  • When a scan is triggered, the last log record in the incremental log corresponding to the previous scan operation, that is, the scan cutoff log, is obtained.
  • The incremental log is numerically indexed, and the index number of the scan cutoff log is recorded.
  • The position corresponding to the index number of the scan cutoff log is found using the numeric index of the incremental log and, taking the index number of the scan cutoff log as the starting point, the files in the terminal are incrementally scanned according to the index numbers of the newly added log records in the incremental log.
  • Because only the files targeted by scan operations after the index number of the scan cutoff log are determined, the time for scanning all files is saved and the time spent scanning the whole incremental log is further saved. Scanning efficiency is greatly improved, less scan information has to be processed, the possibility of errors in scan information is reduced, and the stability of file scanning is increased.
  • FIG. 3 is a schematic flow chart of a file scanning method according to another embodiment of the present invention. Referring to FIG. 3, the method includes at least steps S302 to S306.
  • Step S302: receive a scan trigger operation for scanning files in the terminal.
  • Step S304: the terminal is divided into multiple areas, and the scan cutoff log recorded by the previous scan operation of each area is obtained, where the scan cutoff log is the last log record in the sub-incremental log corresponding to the previous file scan operation in each area.
  • The storage area of the terminal is divided into a C drive, a D drive, and an E drive. After the scan trigger operation is received, the scan cutoff logs of the C drive, the D drive, and the E drive are obtained simultaneously.
  • Step S306: locate the position of the scan cutoff log in each sub-incremental log and, taking the scan cutoff log as the starting point, incrementally scan the files in the corresponding area of the terminal according to the newly added log records in each sub-incremental log.
  • The storage area of the terminal is divided into a C drive, a D drive, and an E drive.
  • The scan cutoff logs of the C drive, the D drive, and the E drive are obtained simultaneously.
  • The position of the corresponding scan cutoff log is found in the incremental log of each drive, and the newly added portions of the incremental logs of the C drive, the D drive, and the E drive are scanned simultaneously, each starting from the scan cutoff log of its drive.
  • A sub-incremental log recording the file change operations of the area is provided in each area, and the sub-incremental logs of the areas of the terminal allow the files in each area to be incrementally scanned simultaneously. Because the terminal is scanned by area, the areas do not affect each other, and multiple areas can perform incremental scans of their sub-incremental logs in parallel, which greatly improves the efficiency of file scanning.
  • NTFS: New Technology File System
  • USN: Update Sequence Number
  • NTFS is a recoverable file system.
  • Users of NTFS partitions rarely need to run disk repairs.
  • NTFS uses standard transaction logging and recovery techniques to ensure partition consistency.
  • NTFS automatically restores file system consistency using log files and checkpoint information. The NTFS file system therefore has good security and, when applied to virus scanning, is more secure and reliable.
  • The NTFS file system provides a fault-tolerant structured log that can fully record the user's operations, further protecting the security of the system.
  • The USN file system is a feature that records related information in the volume.
  • When Microsoft released NTFS 5.0, it added some new features and improved the old version of the file system, bringing in a "reliable secretary", that is, the USN file system, which can be set to monitor the files and directories that change in the partition and records the modification time and modification content of the monitored objects.
  • The USN file system uses the USN to record the modification time and identifies each record as a log entry with a specific sequence number, that is, the USN log.
  • The USN log does not record the specific modification content, so the USN log file is small and easy to search. USN logs can only work in the NTFS file system.
  • The file scanning method shown in the schematic flow chart of FIG. 1 can be applied to various scenarios such as virus scanning and space cleanup scanning.
  • When the method is applied to virus scanning, if the virus database or the virus engine changes, the scan cutoff log recorded by the previous scan is cleared. Because the virus database or virus engine has changed, the security status of files scanned previously in the terminal may change. This scan therefore requires a full scan of the files in the terminal, to ensure that viruses are detected and removed thoroughly and that no file of doubtful security goes unchecked.
  • FIG. 4 is a schematic structural diagram of a file scanning apparatus according to an embodiment of the present invention.
  • The apparatus may include at least the following modules: a recording module 410, an input module 420, an obtaining module 430, and a scanning module 440.
  • The recording module 410 is adapted to determine the last log record in the incremental log corresponding to each scan operation and record it as the scan cutoff log;
  • the input module 420 is adapted to receive a scan trigger operation for scanning files in the terminal;
  • the obtaining module 430 is coupled to the recording module 410 and the input module 420 respectively, and is adapted to obtain from the recording module 410 the scan cutoff log recorded by the previous scan operation;
  • the scanning module 440 is coupled to the obtaining module 430, locates the position of the scan cutoff log in the incremental log and, taking the scan cutoff log as the starting point, incrementally scans the files in the terminal according to the newly added log records in the incremental log.
  • The obtaining module 430 is further adapted to obtain the index number of the scan cutoff log recorded by the previous scan operation.
  • The scanning module 440 finds the position corresponding to the index number of the scan cutoff log using the numeric index of the incremental log.
  • The scanning module 440 is further adapted to, starting from the scan cutoff log, determine from the newly added log records the files targeted by the subsequent scan operation, where the files targeted include newly added files and/or changes to existing files.
  • After the scan trigger operation of the terminal is received, the last log record in the incremental log corresponding to each scan operation is determined and recorded as the scan cutoff log; starting from the scan cutoff log, the files targeted by the subsequent scan operation are determined from the newly added log records, where the files targeted include newly added files and/or changes to existing files.
  • Changes to an existing file include at least one of the following: changes to the content of the existing file; changes to the attributes of the existing file; changes to the feature parameters of the existing file.
  • The recording module 410 is further adapted, when the terminal is divided into a plurality of areas and a file scanning operation is performed on each area, to set in each area a sub-incremental log that records the file change operations of that area.
  • The recording module 410 determines the last log record in the sub-incremental log of each area corresponding to each scan operation, and records it as the scan cutoff log.
  • The obtaining module 430 obtains the scan cutoff log recorded by the previous scan operation from the sub-incremental log.
  • The scanning module 440 locates the position of the scan cutoff log in the sub-incremental log of each area and, taking the scan cutoff log as the starting point, incrementally scans the files in the corresponding area of the terminal according to the newly added log records in the sub-incremental log.
  • A sub-incremental log recording the file change operations of the area is provided in each area, and the sub-incremental logs of the areas of the terminal allow the files in each area to be incrementally scanned simultaneously. Because the terminal is scanned by area, the areas do not affect each other, and multiple areas can scan the increments of their sub-incremental logs simultaneously, which greatly improves the efficiency of file scanning.
  • The incremental log uses the USN file system.
  • The file scanning apparatus is suitable for virus scanning and/or space cleanup scanning. When the file scanning apparatus is applied to virus scanning, the recording module 420 is further adapted to: if the virus database or the virus engine changes, clear the scan cutoff log recorded by the previous scan and perform a full scan on the incremental log in the terminal, to ensure that viruses are detected and removed thoroughly.
  • The embodiments of the present invention can achieve the following beneficial effects:
  • An incremental log is provided in the terminal, and when a file in the terminal undergoes a change operation, a log record is added to the incremental log.
  • When a scan is triggered, the last log record in the incremental log corresponding to the previous scan operation, that is, the scan cutoff log, is obtained; the position of the scan cutoff log is located in the incremental log and, taking the scan cutoff log as the starting point, the files in the terminal are incrementally scanned according to the newly added log records in the incremental log.
  • The modules in the devices of the embodiments can be adaptively changed and placed in one or more devices different from the embodiment.
  • The modules or units or components of the embodiments may be combined into one module or unit or component, and they may further be divided into a plurality of sub-modules or sub-units or sub-components.
  • All features disclosed in this specification (including the accompanying claims, the abstract and the drawings), and all processes or units of any method or device so disclosed, may be combined in any combination.
  • Each feature disclosed in this specification (including the accompanying claims, the abstract and the drawings) may be replaced by alternative features that serve the same, equivalent or similar purpose.
  • The various component embodiments of the present invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof.
  • A microprocessor or digital signal processor may be used in practice to implement some or all of the functionality of some or all of the components of the file scanning apparatus according to embodiments of the present invention.
  • The invention can also be implemented as a device or device program (e.g., a computer program and a computer program product) for performing some or all of the methods described herein.
  • A program implementing the invention may be stored on a computer readable medium or may be in the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
  • FIG. 5 illustrates a computing device that can implement the file scanning method according to the present invention.
  • The computing device conventionally includes a processor 510 and a computer program product or computer readable medium in the form of a memory 520.
  • The memory 520 may be an electronic memory such as a flash memory, an EEPROM (Electrically Erasable Programmable Read Only Memory), an EPROM, a hard disk, or a ROM.
  • The memory 520 has a storage space 530 for program code 531 for performing any of the method steps described above.
  • The storage space 530 for program code may include individual program codes 531 for implementing the various steps of the above methods, respectively.
  • The program code can be read from or written to one or more computer program products.
  • These computer program products include program code carriers such as hard disks, compact disks (CDs), memory cards or floppy disks. Such computer program products are typically portable or fixed storage units as described with reference to FIG
  • The storage unit may have storage segments, storage spaces, and the like arranged similarly to the memory 520 in the computing device of FIG
  • The program code can, for example, be compressed in an appropriate form.
  • The storage unit includes computer readable code 531', i.e. code readable by a processor such as 510, which, when run by a computing device, causes the computing device to perform each step of the methods described above.
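The cutoff-based procedure described above (steps S202 to S210, the per-area sub-incremental logs of steps S302 to S306, and the full-scan reset when the virus database or engine changes) can be sketched as follows. This is an added example, not code from the patent: the log is modelled in memory rather than read from the NTFS USN log, all names are hypothetical, and the fallback to a full scan when the cutoff can no longer be located in the log is an added assumption that the text does not state.

```python
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field
from typing import Optional

# Change reasons are constructed labels for this example, not fields of a real log format.
NEW_FILE, CONTENT, ATTRIBUTE, TIMESTAMP = "new", "content", "attribute", "timestamp"
SKIP_REASONS = {TIMESTAMP}   # security-compliant changes that need no rescan


@dataclass(frozen=True)
class LogRecord:
    index: int               # index number, increasing by one per record
    path: str
    reason: str


@dataclass
class Volume:
    name: str
    files: set                                   # every file currently in this area
    log: list = field(default_factory=list)      # append-only sub-incremental log

    def record_change(self, path, reason):
        index = self.log[-1].index + 1 if self.log else 1
        self.log.append(LogRecord(index, path, reason))
        self.files.add(path)


@dataclass
class Checkpoint:
    cutoff_index: Optional[int] = None           # None: no scan cutoff log recorded
    engine_version: str = ""


def select_targets(volume, checkpoint, engine_version):
    """Decide between a full and an incremental scan; return (mode, sorted paths)."""
    first = volume.log[0].index if volume.log else 1
    last = volume.log[-1].index if volume.log else 0
    cutoff = checkpoint.cutoff_index
    needs_full = (
        cutoff is None
        or checkpoint.engine_version != engine_version   # virus database or engine changed
        or cutoff < first - 1    # assumption: records after the cutoff were truncated away
        or cutoff > last         # assumption: the log was recreated and restarted
    )
    if needs_full:
        return "full", sorted(volume.files)
    # Index numbers are contiguous, so the cutoff position is computed, not searched for.
    new_records = volume.log[cutoff - first + 1:]
    return "incremental", sorted({r.path for r in new_records if r.reason not in SKIP_REASONS})


def scan_volume(volume, checkpoint, engine_version, scan_file):
    # Take the new cutoff before scanning so changes logged during the scan are not skipped.
    new_cutoff = volume.log[-1].index if volume.log else 0
    mode, targets = select_targets(volume, checkpoint, engine_version)
    detections = [path for path in targets if scan_file(path)]
    checkpoint.cutoff_index, checkpoint.engine_version = new_cutoff, engine_version
    return {"mode": mode, "scanned": targets, "detections": detections}


def scan_all(volumes, checkpoints, engine_version, scan_file):
    """Scan every area in parallel, each against its own log and checkpoint."""
    with ThreadPoolExecutor(max_workers=len(volumes)) as pool:
        futures = {
            v.name: pool.submit(scan_volume, v, checkpoints.setdefault(v.name, Checkpoint()),
                                engine_version, scan_file)
            for v in volumes
        }
        return {name: future.result() for name, future in futures.items()}


def demo():
    """Constructed scenario: two areas, a stand-in engine that flags one path."""
    flagged = {r"C:\tmp\dropper.exe"}
    c = Volume("C", {r"C:\app\a.exe", r"C:\doc\b.docx"})
    d = Volume("D", {r"D:\media\c.bin"})
    checkpoints, runs = {}, []
    scan = lambda path: path in flagged
    runs.append(scan_all([c, d], checkpoints, "sig-1", scan))    # no cutoff yet: full
    c.record_change(r"C:\tmp\dropper.exe", NEW_FILE)
    c.record_change(r"C:\doc\b.docx", TIMESTAMP)
    c.record_change(r"C:\app\a.exe", CONTENT)
    runs.append(scan_all([c, d], checkpoints, "sig-1", scan))    # incremental
    runs.append(scan_all([c, d], checkpoints, "sig-2", scan))    # engine changed: full
    c.record_change(r"C:\app\a.exe", ATTRIBUTE)
    c.record_change(r"C:\app\a.exe", CONTENT)
    c.log = c.log[-1:]                                            # log truncated past the cutoff
    runs.append(scan_all([c, d], checkpoints, "sig-2", scan))    # cutoff unreachable: full
    return runs


if __name__ == "__main__":
    for number, run in enumerate(demo(), 1):
        print(number, {name: (r["mode"], r["scanned"]) for name, r in run.items()})
```

The checkpoint stores the engine version next to the cutoff index, so a signature update invalidates the cutoff without any separate clearing step.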

Abstract

A file scanning method and device. The method comprises: receiving a scan trigger operation of a terminal (S102); acquiring a scan cutoff log recorded by a previous scan operation, wherein the scan cutoff log is the last log record in the incremental log corresponding to the previous file scan operation (S104); and locating the position of the scan cutoff log in the incremental log and, taking the scan cutoff log as the starting point, incrementally scanning the files in the terminal according to the newly added log records in the incremental log (S106). By scanning only the increment of the files, the scheme saves the time wasted on unnecessary full file scans, effectively increases the efficiency of file scanning, and saves space resources of the terminal system, thereby ensuring efficient and accurate file scanning.

Description

File scanning method and device

Technical field

The present invention relates to the field of computer technologies, and in particular to a file scanning method and apparatus.

Background

With the continuous development of computer technology, use of the Internet has become more and more widespread, bringing many benefits to people's lives, study and work. However, while people use the Internet, electronic devices are easily attacked by viruses and malicious plug-ins. Once a device is infected with a virus, important files in the system may be damaged or lost, and in severe cases the system may be paralysed, causing huge losses to the user. To protect electronic devices from viruses and ensure that users can use the Internet safely, potential viruses in the system need to be detected and removed regularly, and interference from malware eliminated.

Current anti-virus software generally scans for viruses by full-disk scanning: it enumerates the files in the system to be scanned, for example starting from the root directory of the C drive, and passes them one by one to the anti-virus engines behind it, and the multiple anti-virus engines produce a scan result after scanning for viruses. This scanning method can effectively detect and remove viruses, but because it enumerates the files in the system, it is time-consuming and consumes too many system resources. An efficient and secure file scanning method is therefore needed that, while keeping the terminal secure, not only detects and removes viruses accurately but also saves scanning time and system resources.
Summary of the invention

In view of the above problems, the present invention is proposed in order to provide a file scanning method and a corresponding apparatus that overcome the above problems or at least partially solve them.

According to one aspect of the present invention, a file scanning method is provided for performing a security scan on files in a terminal, wherein an incremental log is provided in the terminal and, when a file in the terminal undergoes a change operation, a log record is added to the incremental log, the method including:

receiving a scan trigger operation for scanning files in the terminal;

obtaining the scan cutoff log recorded by the previous scan operation, wherein the scan cutoff log is the last log record in the incremental log corresponding to the previous file scan operation;

locating the position of the scan cutoff log in the incremental log and, taking the scan cutoff log as the starting point, incrementally scanning the files in the terminal according to the newly added log records in the incremental log.

According to another aspect of the present invention, a file scanning apparatus is further provided for performing a security scan on files in a terminal, wherein an incremental log is provided in the terminal and, when a file in the terminal undergoes a change operation, a log record is added to the incremental log, the apparatus including:

a recording module, adapted to determine the last log record in the incremental log corresponding to each scan operation and record it as the scan cutoff log;

an input module, adapted to receive a scan trigger operation for scanning files in the terminal;

an obtaining module, adapted to obtain from the recording module the scan cutoff log recorded by the previous scan operation;

a scanning module, which locates the position of the scan cutoff log in the incremental log and, taking the scan cutoff log as the starting point, incrementally scans the files in the terminal according to the newly added log records in the incremental log.

According to yet another aspect of the present invention, a computer program is provided, comprising computer readable code that, when run on a computing device, causes the computing device to perform any of the file scanning methods described above.

According to a further aspect of the present invention, a computer readable medium is provided, storing the computer program described above.

In embodiments of the present invention, an incremental log is provided in the terminal, and when a file in the terminal undergoes a change operation, a log record is added to the incremental log. When a scan is triggered, the last log record in the incremental log corresponding to the previous scan operation, that is, the scan cutoff log, is obtained, and the terminal only needs to scan the log records newly added after the cutoff log to perform a security scan of the files. Because the incremental log only appends new records to the existing log, and the previously existing records do not change, the present invention scans only the file increments and avoids scanning the entire incremental log from beginning to end. Especially when the number of files is large, this clearly saves the time spent on file scanning, effectively improves the efficiency of file scanning, and saves system resources.

The above description is only an overview of the technical solution of the present invention. So that the technical means of the invention can be understood more clearly and implemented in accordance with the content of the specification, and so that the above and other objects, features and advantages of the invention are more readily apparent, specific embodiments of the invention are set out below.
Description of the drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the present invention. Throughout the drawings, the same reference symbols denote the same parts. In the drawings:
FIG. 1 is a schematic flowchart of a file scanning method according to one embodiment of the present invention;
FIG. 2 is a schematic flowchart of a file scanning method according to another embodiment of the present invention;
FIG. 3 is a schematic flowchart of a file scanning method according to another embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a file scanning apparatus according to one embodiment of the present invention;
FIG. 5 schematically shows a block diagram of a computing device for performing the file scanning method according to the present invention; and
FIG. 6 schematically shows a storage unit for holding or carrying program code that implements the file scanning method according to the present invention.
Detailed description
The present invention is further described below with reference to the drawings and specific embodiments.
To solve the above technical problem, an embodiment of the present invention provides a file scanning method. FIG. 1 shows a schematic flowchart of a file scanning method according to one embodiment of the present invention. Referring to FIG. 1, the method includes at least steps S102 to S106.
Step S102: receive a scan trigger operation for scanning the files in the terminal.
Step S104: obtain the scan cutoff log recorded by the previous scan operation, where the scan cutoff log is the last log record among the incremental log records corresponding to the previous file scan operation.
How the scan cutoff log is obtained depends on the incremental log itself. If the incremental log simply lists its records one after another, obtaining the scan cutoff log requires reading log entries and determining whether each entry read is the last log record. If the incremental log uses an index, the last log record can be located and obtained by reading the index.
In one specific embodiment, if the incremental log uses a numeric index, the scan cutoff log recorded by the previous scan operation can be obtained by recording the index number of the scan cutoff log. Compared with obtaining the scan cutoff log directly, recording its index number on the one hand saves the time spent scanning the incremental log and greatly improves scanning efficiency, and on the other hand reduces the processing of scan information, which lowers the likelihood of errors in the scan information and increases the stability of file scanning.
Step S106: locate the position of the scan cutoff log in the incremental log and, taking the scan cutoff log as the starting point, perform an incremental scan of the files in the terminal according to the newly added log records in the incremental log.
In embodiments of the present invention, an incremental log is provided in the terminal, and whenever a file in the terminal undergoes a change operation, a log record is added to the incremental log. When a scan is triggered, the last log record in the incremental log corresponding to the previous scan operation, i.e. the scan cutoff log, is obtained, and the terminal only needs to scan the log portion newly added after the cutoff log to complete a security scan of the files. The incremental log merely adds new records on top of the existing ones, so with the existing records unchanged, only the incremental part of the files is security-scanned. This effectively avoids a full scan of the entire incremental log from beginning to end; particularly when the number of files is large, it markedly reduces the time spent on file scanning and effectively improves scanning efficiency.
To explain the file scanning method provided by embodiments of the present invention more clearly, it is described in detail below using a specific embodiment. FIG. 2 shows a schematic flowchart of the file scanning method in a specific embodiment of the present invention. Referring to FIG. 2, the method includes at least steps S202 to S210.
Step S202: receive a scan trigger operation for scanning the files in the terminal.
Step S204: when the incremental log is indexed by number, record the index number of the scan cutoff log, where the scan cutoff log is the last log record among the incremental log records corresponding to the previous file scan operation.
Step S206: using the numeric index of the incremental log, locate the position corresponding to the index number of the scan cutoff log.
Step S208: taking the index number of the scan cutoff log as the starting point, determine the files targeted by the subsequent scan operation according to the index numbers of the newly added log records, where the targeted files include newly added files and/or changes to existing files.
In one specific embodiment, a change to an existing file includes at least one of the following: a change to the content of the existing file; a change to the attributes of the existing file; a change to the feature parameters of the existing file. Not every change to the attributes of an existing file needs to be scanned. Maliciously modified attributes, for example an IE attribute that has been maliciously modified so that the title bar at the top of the IE browser reads "Welcome to ... website", fall within the scope of existing-file attribute changes. Attribute changes that are consistent with security, for example a change that involves only the text type (such as converting a Word text type to a PDF text type) or only the text modification time (such as 2015-11-10 changed to 2015-11-13), do not need to be scanned again. Filtering the files targeted by the scan operation saves file system resources and also saves the time spent scanning files.
Step S210: perform an incremental scan of each of the determined files.
In embodiments of the present invention, an incremental log is provided in the terminal, and whenever a file in the terminal undergoes a change operation, a log record is added to the incremental log. When a scan is triggered, the last log record in the incremental log corresponding to the previous scan operation, i.e. the scan cutoff log, is obtained. The incremental log is indexed by number and the index number of the scan cutoff log is recorded. Using the numeric index of the incremental log, the position corresponding to the index number of the scan cutoff log is located, and, taking that index number as the starting point, the files in the terminal are incrementally scanned according to the index numbers of the newly added log records in the incremental log. Filtering the files determines which files the scan operation following the cutoff index number targets, which removes the time needed to scan every file once, further reduces the overall time spent scanning the incremental log and greatly improves scanning efficiency. It also reduces the processing of scan information, lowering the likelihood of errors in the scan information and thereby increasing the stability of file scanning.
FIG. 3 shows a schematic flowchart of a file scanning method according to another specific embodiment of the present invention. Referring to FIG. 3, the method includes at least steps S302 to S306.
Step S302: receive a scan trigger operation for scanning the files in the terminal.
Step S304: divide the terminal into multiple regions and obtain the scan cutoff log recorded by the previous scan operation of each region, where the scan cutoff log is the last log record among the sub-incremental log records corresponding to the previous file scan operation of that region.
In one specific embodiment, the terminal, in particular the storage area in the terminal, is divided into the C drive, the D drive and the E drive. After the scan trigger operation is received, the scan cutoff logs of the C, D and E drives are obtained at the same time.
Step S306: locate the position of the scan cutoff log in each sub-incremental log and, taking that scan cutoff log as the starting point, perform an incremental scan of the files in the corresponding region of the terminal according to the newly added log records in each sub-incremental log.
In one specific embodiment, the terminal, in particular the storage area in the terminal, is divided into the C drive, the D drive and the E drive. After the scan trigger operation is received, the scan cutoff logs of the C, D and E drives are obtained at the same time. The position of the corresponding scan cutoff log is located in the incremental log of each drive, and, taking the scan cutoff log of each drive as the starting point, the incremental portions of the incremental logs of the C, D and E drives are scanned simultaneously.
In embodiments of the present invention, when the terminal is divided into multiple regions and a file scan operation is performed on each region separately, a sub-incremental log recording the file change operations of that region is provided in each region, and the sub-incremental logs of the regions allow the files in all regions to be incrementally scanned at the same time. Because the terminal is scanned region by region, the regions do not affect one another and several regions can scan their sub-incremental log increments in parallel, which greatly improves the efficiency of file scanning.
In one specific example, when the terminal uses the NTFS (New Technology File System) system, the incremental log uses the USN (update sequence number) file system. NTFS is a recoverable file system. On an NTFS partition users rarely need to run a disk repair program, because NTFS guarantees partition consistency by using standard transaction logging and recovery techniques. When a system failure event occurs, NTFS uses the log file and checkpoint information to restore file system consistency automatically. The NTFS file system therefore has good security properties and is more secure and reliable when applied to virus scanning. In addition, the NTFS file system provides a fault-tolerant structured log that can record all of the user's operations, which further protects the security of the system. The USN file system is a facility for recording information that has been modified in a volume. When Microsoft released NTFS 5.0, it added some new features and improved the older version of the file system, and gave it a reliable secretary, namely the USN file system, which can be set up on a partition to monitor the number of changed files and directories and to record the modification time and modification content of the monitored objects. When this feature is enabled, then for each NTFS volume, whenever files are added, deleted or modified, the NTFS file system uses the USN to record the time of the modification and identifies it with a specific sequence number in log form, i.e. the USN journal. However, the USN journal does not record the specific content that was modified, so its record file is small and easy to search. Consequently, the USN journal works only on the NTFS file system.
In one specific embodiment of the present invention, referring to the flowchart of the file scanning method shown in FIG. 1, the method is applicable to a variety of settings such as virus scanning and space-cleanup scanning. When it is applied to virus scanning, if the virus database or the virus engine changes, the scan cutoff log recorded by the previous scan is cleared. Because the virus database or virus engine has changed, the security status of previously scanned files in the terminal may have changed, so this scan must be a full scan of the files in the terminal. This ensures that viruses are detected and removed as completely as possible and that files of doubtful security are not missed.
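The flow of steps S202 to S210, the per-region sub-incremental logs of FIG. 3 and the cutoff reset on a virus database change, as an added Python example that is not code from the patent. The `Journal` class, the reason names and the checkpoint fields are assumptions, and the journal is an in-memory model rather than the real USN journal; the example goes beyond the text in one respect by also falling back to a full scan when the stored cutoff can no longer be matched to the journal (journal recreated, or old records purged).

```python
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field

# Change reasons (hypothetical names for this example, not real USN reason flags).
CREATE, CONTENT, ATTRIBUTE, TIMESTAMP = "create", "content", "attribute", "timestamp"
SCAN_WORTHY = {CREATE, CONTENT, ATTRIBUTE}  # a timestamp-only change is not rescanned


@dataclass
class Journal:
    """Sub-incremental log of one region: append-only, numerically indexed."""
    journal_id: int
    first_index: int = 1                          # oldest index still retained
    records: list = field(default_factory=list)   # (index, path, reason)

    def append(self, path, reason):
        index = self.last_index() + 1
        self.records.append((index, path, reason))
        return index

    def last_index(self):
        return self.records[-1][0] if self.records else self.first_index - 1

    def purge_through(self, index):
        """Model a size-limited journal dropping its oldest records."""
        self.records = [r for r in self.records if r[0] > index]
        self.first_index = index + 1


def plan_scan(files, journal, checkpoint, sig_version):
    """Return (mode, paths_to_scan, new_checkpoint) for one region."""
    # Read the new cutoff before scanning, so that changes made while the scan
    # runs land after it and are picked up by the next run.
    new_cp = {"journal_id": journal.journal_id,
              "cutoff": journal.last_index(),
              "sig_version": sig_version}
    stale = (
        checkpoint is None                                   # first scan
        or checkpoint["sig_version"] != sig_version          # virus DB or engine changed
        or checkpoint["journal_id"] != journal.journal_id    # journal was recreated
        or checkpoint["cutoff"] < journal.first_index - 1    # records after cutoff purged
        or checkpoint["cutoff"] > journal.last_index()       # cutoff not in this journal
    )
    if stale:
        return "full", sorted(files), new_cp
    changed = {path for index, path, reason in journal.records
               if index > checkpoint["cutoff"] and reason in SCAN_WORTHY}
    # Files that no longer exist have nothing left to scan.
    return "incremental", sorted(changed & set(files)), new_cp


def scan_regions(regions, checkpoints, sig_version):
    """regions: {name: (files, journal)}. Plans all regions in parallel."""
    def one(name):
        files, journal = regions[name]
        return name, plan_scan(files, journal, checkpoints.get(name), sig_version)

    with ThreadPoolExecutor() as pool:
        results = dict(pool.map(one, regions))
    # A real scanner would persist each checkpoint only after its scan succeeds.
    for name, (_, _, new_cp) in results.items():
        checkpoints[name] = new_cp
    return {name: (mode, paths) for name, (mode, paths, _) in results.items()}


def demo():
    """Constructed sample data: two regions, three scan rounds."""
    c, d = Journal(journal_id=1), Journal(journal_id=7)
    c_files = {"C:/a.exe", "C:/b.dll", "C:/notes.txt"}
    d_files = {"D:/setup.msi"}
    for path in sorted(c_files):
        c.append(path, CREATE)
    d.append("D:/setup.msi", CREATE)
    regions = {"C": (c_files, c), "D": (d_files, d)}
    checkpoints = {}
    first = scan_regions(regions, checkpoints, "db-100")    # no cutoff yet: full
    c.append("C:/b.dll", CONTENT)
    c.append("C:/notes.txt", TIMESTAMP)
    c_files.add("C:/new.exe")
    c.append("C:/new.exe", CREATE)
    second = scan_regions(regions, checkpoints, "db-100")   # only the increment
    third = scan_regions(regions, checkpoints, "db-101")    # signatures changed
    return first, second, third


if __name__ == "__main__":
    for round_result in demo():
        print(round_result)
```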
Based on the same inventive concept, the present invention also provides a file scanning apparatus for supporting the file scanning method provided by any one of the above preferred embodiments or a combination thereof. FIG. 4 shows a schematic structural diagram of a file scanning apparatus according to one embodiment of the present invention. As shown in FIG. 4, the apparatus may include at least the following modules: a recording module 410, an input module 420, an obtaining module 430 and a scanning module 440.
The components of the file scanning apparatus of this embodiment and the connections between them are described below:
the recording module 410 is adapted to determine the last log record among the incremental log records corresponding to each scan operation and to record it as the scan cutoff log;
the input module 420 is adapted to receive a scan trigger operation for scanning the files in the terminal;
the obtaining module 430 is coupled to the recording module 410 and to the input module 420, and is adapted to obtain from the recording module 410 the scan cutoff log recorded by the previous scan operation;
the scanning module 440 is coupled to the obtaining module 430; it locates the position of the scan cutoff log in the incremental log and, taking the scan cutoff log as the starting point, performs an incremental scan of the files in the terminal according to the newly added log records in the incremental log.
In one embodiment of the present invention, the obtaining module 430 is further adapted to obtain the index number of the scan cutoff log recorded by the previous scan operation. The scanning module 440 uses the numeric index of the incremental log to locate the position corresponding to the index number of the scan cutoff log.
In one specific embodiment of the present invention, the scanning module 440 is further adapted to determine, taking the scan cutoff log as the starting point, the files targeted by the subsequent scan operation according to the newly added log records, where the targeted files include newly added files and/or changes to existing files;
and to perform an incremental scan of each of the determined files.
In one embodiment of the present invention, a scan trigger operation of the terminal is received, the last log record among the incremental log records corresponding to each scan operation is determined and recorded as the scan cutoff log, and, taking the scan cutoff log as the starting point, the files targeted by the subsequent scan operation are determined according to the newly added log records, where the targeted files include newly added files and/or changes to existing files. A change to an existing file includes at least one of the following: a change to the content of the existing file; a change to the attributes of the existing file; a change to the feature parameters of the existing file.
In one embodiment of the present invention, the recording module 410 is further adapted, when the terminal is divided into multiple regions and a file scan operation is performed on each region separately, to provide in each region a sub-incremental log that records the file change operations of that region. The recording module 410 determines the last log record among the sub-incremental log records of each region corresponding to each scan operation and records it as the scan cutoff log. The obtaining module 430 obtains from the sub-incremental log the scan cutoff log recorded by the previous scan operation. The scanning module 440 locates the position of the scan cutoff log in the sub-incremental log of each region and, taking that scan cutoff log as the starting point, performs an incremental scan of the files in the corresponding region of the terminal according to the newly added log records in the sub-incremental log.
In embodiments of the present invention, when the terminal is divided into multiple regions and a file scan operation is performed on each region separately, a sub-incremental log recording the file change operations of that region is provided in each region, and the sub-incremental logs of the regions allow the files in all regions to be incrementally scanned at the same time. Because the terminal is scanned region by region, the regions do not affect one another and several regions can scan their sub-incremental log increments simultaneously, which greatly improves the efficiency of file scanning.
In one specific embodiment of the present invention, when the terminal uses the NTFS system, the incremental log uses the USN file system.
In one specific embodiment of the present invention, the file scanning apparatus is suitable for virus scanning and/or space-cleanup scanning. When the file scanning apparatus is used for virus scanning, the recording module 420 is further adapted to clear the scan cutoff log recorded by the previous scan if the virus database or the virus engine changes, and a full scan is performed over the incremental log in the terminal, ensuring that viruses are thoroughly scanned for and removed.
According to any one of the above preferred embodiments or a combination of several of them, embodiments of the present invention can achieve the following beneficial effects:
In the file scanning method and apparatus proposed by embodiments of the present invention, an incremental log is provided in the terminal, and whenever a file in the terminal undergoes a change operation, a log record is added to the incremental log. When a scan is triggered, the last log record in the incremental log corresponding to the previous scan operation, i.e. the scan cutoff log, is obtained; the position of the scan cutoff log is located in the incremental log; and, taking the scan cutoff log as the starting point, the files in the terminal are incrementally scanned according to the newly added log records in the incremental log. Because the incremental log merely adds new records on top of the existing ones, with the existing incremental log unchanged only the incremental part of the files needs to be security-scanned, which effectively avoids a full scan of the entire incremental log from beginning to end. When the number of files is large, scanning only the file increments saves the time spent on file scanning, effectively improves scanning efficiency and also saves the system's file resources.
Numerous specific details are set forth in the description provided here. It will be understood, however, that embodiments of the present invention can be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline this disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention the various features of the invention are sometimes grouped together into a single embodiment, figure, or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single previously disclosed embodiment. The claims following the detailed description are therefore expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will understand that the modules in the device of an embodiment can be changed adaptively and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings), and all processes or units of any method or device so disclosed, may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features that are included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the present invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The various component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination of these. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the file scanning apparatus according to embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
For example, FIG. 5 shows a computing device that can implement the file scanning method according to the present invention. The computing device conventionally includes a processor 510 and a computer program product or computer-readable medium in the form of a memory 520. The memory 520 may be an electronic memory such as flash memory, EEPROM (electrically erasable programmable read-only memory), EPROM, a hard disk or ROM. The memory 520 has a storage space 530 for program code 531 for performing any of the method steps described above. For example, the storage space 530 for program code may include individual program codes 531 for implementing the various steps of the above method. These program codes can be read from or written to one or more computer program products. These computer program products include program code carriers such as hard disks, compact disks (CDs), memory cards or floppy disks. Such a computer program product is typically a portable or fixed storage unit as described with reference to FIG. 6. The storage unit may have storage segments, storage spaces and the like arranged similarly to the memory 520 in the computing device of FIG. 5. The program code may, for example, be compressed in a suitable form. Typically, the storage unit includes computer-readable code 531', i.e. code that can be read by a processor such as 510, which, when run by a computing device, causes the computing device to perform the individual steps of the method described above.
References herein to "one embodiment", "an embodiment" or "one or more embodiments" mean that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Note also that instances of the phrase "in one embodiment" here do not necessarily all refer to the same embodiment.
It should be noted that the above embodiments illustrate rather than limit the present invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order. These words may be interpreted as names.
It should also be noted that the language used in this specification has been chosen principally for readability and instructional purposes, and not to delineate or circumscribe the subject matter of the present invention. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. With regard to the scope of the present invention, the disclosure made here is illustrative and not restrictive, and the scope of the present invention is defined by the appended claims.

Claims (18)

  1. A file scanning method for performing security scanning on files in a terminal, wherein an incremental log is provided in the terminal and a log record is added to the incremental log whenever a change operation occurs on a file in the terminal, the method comprising:
    receiving a scan trigger operation for scanning the files in the terminal;
    obtaining the scan cutoff log recorded by the previous scan operation, wherein the scan cutoff log is the last log record among the incremental log records corresponding to the previous file scan operation;
    locating the position of the scan cutoff log in the incremental log and, taking the scan cutoff log as the starting point, performing an incremental scan of the files in the terminal according to the log records newly added to the incremental log.
  2. The method according to claim 1, wherein, if the incremental log is indexed by numbers, obtaining the scan cutoff log recorded by the previous scan operation comprises: obtaining the index number of the scan cutoff log recorded by the previous scan operation;
    and locating the position of the scan cutoff log in the incremental log comprises: finding, according to the numeric index of the incremental log, the position corresponding to the index number of the scan cutoff log.
  3. The method according to claim 1 or 2, wherein performing the incremental scan of the files in the terminal according to the newly added log records in the incremental log, taking the scan cutoff log as the starting point, comprises:
    taking the scan cutoff log as the starting point, determining, according to the newly added log records, the files targeted by the subsequent scan operation, wherein the targeted files include newly added files and/or changes to existing files;
    performing an incremental scan on each of the determined files.
  4. The method according to claim 3, wherein the change to an existing file comprises at least one of the following:
    a change to the content of the existing file;
    a change to the attributes of the existing file;
    a change to the characteristic parameters of the existing file.
  5. The method according to any one of claims 1 to 4, further comprising:
    when the terminal is divided into a plurality of areas and a file scanning operation is performed on each area separately, providing in each area a sub-incremental log that records the file change operations of that area;
    performing an incremental scan of the files in the corresponding area according to each sub-incremental log.
  6. The method according to any one of claims 1 to 5, wherein, when the terminal uses the New Technology File System (NTFS), the incremental log is the Update Sequence Number (USN) file system.
  7. The method according to any one of claims 1 to 6, wherein the method is applicable to virus scanning and/or space-organization scanning.
  8. The method according to claim 7, wherein, when the method is applied to virus scanning, if the virus database or the virus engine changes, the scan cutoff log recorded by the previous scan is cleared.
  9. A file scanning device for performing security scanning on files in a terminal, wherein an incremental log is provided in the terminal and a log record is added to the incremental log whenever a change operation occurs on a file in the terminal, the device comprising:
    a recording module adapted to determine the last log record among the incremental log records corresponding to each scan operation and to record it as the scan cutoff log;
    an input module adapted to receive a scan trigger operation for scanning the files in the terminal;
    an obtaining module adapted to obtain, from the recording module, the scan cutoff log recorded by the previous scan operation;
    a scanning module that locates the position of the scan cutoff log in the incremental log and, taking the scan cutoff log as the starting point, performs an incremental scan of the files in the terminal according to the log records newly added to the incremental log.
  10. The device according to claim 9, wherein the obtaining module is further adapted such that, if the incremental log is indexed by numbers, obtaining the scan cutoff log recorded by the previous scan operation comprises: obtaining the index number of the scan cutoff log recorded by the previous scan operation;
    the scanning module is further adapted to: find, according to the numeric index of the incremental log, the position corresponding to the index number of the scan cutoff log.
  11. The device according to claim 9 or 10, wherein the scanning module is further adapted to:
    taking the scan cutoff log as the starting point, determine, according to the newly added log records, the files targeted by the subsequent scan operation, wherein the targeted files include newly added files and/or changes to existing files;
    perform an incremental scan on each of the determined files.
  12. The device according to claim 11, wherein the change to an existing file comprises at least one of the following:
    a change to the content of the existing file;
    a change to the attributes of the existing file;
    a change to the characteristic parameters of the existing file.
  13. The device according to any one of claims 9 to 12, wherein the recording module is further adapted to:
    when the terminal is divided into a plurality of areas and a file scanning operation is performed on each area separately, provide in each area a sub-incremental log that records the file change operations of that area;
    the scanning module is further adapted to perform an incremental scan of the files in the corresponding area according to each sub-incremental log.
  14. The device according to any one of claims 9 to 13, wherein, when the terminal uses the NTFS system, the incremental log uses the USN file system.
  15. The device according to any one of claims 9 to 14, wherein the device is applicable to virus scanning and/or space-organization scanning.
  16. The device according to claim 15, wherein the recording module is further adapted to, when the device is applied to virus scanning, clear the scan cutoff log recorded by the previous scan if the virus database or the virus engine changes.
  17. A computer program comprising computer-readable code which, when run on a computing device, causes the computing device to perform the file scanning method according to any one of claims 1 to 8.
  18. A computer-readable medium storing the computer program according to claim 17.
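The flow of claims 1 to 4 and 8, as an added Python sketch that is not code from the patent or its applicants: an in-memory journal stands in for the incremental log, and the class names, method names and the full-scan fallback when the cutoff record cannot be found are assumptions of this example.

```python
import bisect

class ChangeJournal:
    """Append-only incremental log: every file change adds one numbered record."""
    def __init__(self):
        self.records = []                      # (index, path, change), index ascending

    def append(self, path, change):
        index = self.records[-1][0] + 1 if self.records else 1
        self.records.append((index, path, change))
        return index

    def after(self, cutoff):
        """Records newer than `cutoff`; None if that record is not in the journal."""
        indexes = [r[0] for r in self.records]
        pos = bisect.bisect_left(indexes, cutoff)
        if pos == len(indexes) or indexes[pos] != cutoff:
            return None
        return self.records[pos + 1:]

class IncrementalScanner:
    def __init__(self, journal, engine_version):
        self.journal = journal
        self.engine_version = engine_version   # virus database / engine identifier
        self.state = None                      # (cutoff index, engine version) of last scan

    def scan(self, all_files):
        """Return (mode, sorted paths to scan) and store the new scan cutoff."""
        # Snapshot the last record first, so changes logged later fall into the next scan.
        last = self.journal.records[-1][0] if self.journal.records else None
        new = None
        # Claim 8: a cutoff saved under another database/engine version is discarded.
        if self.state and self.state[1] == self.engine_version:
            new = self.journal.after(self.state[0])   # claim 2: lookup by index number
        if new is None:
            # No usable cutoff (first run, engine change, or record missing): full scan.
            # The missing-record fallback is an assumption of this example.
            mode, targets = "full", set(all_files)
        else:
            # Claims 3-4: new files and changed existing files; deleted paths drop out.
            mode = "incremental"
            targets = {path for _, path, _ in new if path in all_files}
        if last is not None:
            self.state = (last, self.engine_version)
        return mode, sorted(targets)
```

Storing the engine version next to the cutoff is what forces a full rescan after a signature update, so files judged clean by the old database are examined again.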
PCT/CN2016/105906 2015-11-16 2016-11-15 File scanning method and device WO2017084557A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510785495.8A CN105389509A (en) 2015-11-16 2015-11-16 Document scanning method and apparatus
CN201510785495.8 2015-11-16

Publications (1)

Publication Number Publication Date
WO2017084557A1 true WO2017084557A1 (en) 2017-05-26

Family

ID=55421785

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/105906 WO2017084557A1 (en) 2015-11-16 2016-11-15 File scanning method and device

Country Status (2)

Country Link
CN (1) CN105389509A (en)
WO (1) WO2017084557A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105389509A (en) * 2015-11-16 2016-03-09 北京奇虎科技有限公司 Document scanning method and apparatus
CN107437022B (en) * 2016-05-27 2019-08-20 北京神州泰岳软件股份有限公司 A kind of weak passwurd check method and device
CN108153790A (en) * 2016-12-06 2018-06-12 杭州亿方云网络科技有限公司 A kind of local file monitoring method and device
CN108920949A (en) * 2018-06-27 2018-11-30 北京奇虎科技有限公司 A kind of method and terminal device of automatic killing file
CN109033313B (en) * 2018-07-17 2020-09-25 北京明朝万达科技股份有限公司 Method and terminal equipment for realizing full-disk scanning function by using USN
CN111930702A (en) * 2020-08-14 2020-11-13 工银科技有限公司 Log processing method, device, system and medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW200627279A (en) * 2004-08-13 2006-08-01 Ibm A prioritization system
CN102609653A (en) * 2012-02-07 2012-07-25 奇智软件(北京)有限公司 File quick-scanning method and file quick-scanning system
CN103336925A (en) * 2013-07-29 2013-10-02 腾讯科技(深圳)有限公司 Scanning acceleration method and device
CN105389509A (en) * 2015-11-16 2016-03-09 北京奇虎科技有限公司 Document scanning method and apparatus

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7581250B2 (en) * 2005-02-17 2009-08-25 Lenovo (Singapore) Pte Ltd System, computer program product and method of selecting sectors of a hard disk on which to perform a virus scan
US8122507B1 (en) * 2006-06-28 2012-02-21 Emc Corporation Efficient scanning of objects
US8161556B2 (en) * 2008-12-17 2012-04-17 Symantec Corporation Context-aware real-time computer-protection systems and methods
CN103020521B (en) * 2011-09-22 2015-10-21 腾讯科技(深圳)有限公司 Wooden horse scan method and system
CN103679022B (en) * 2012-09-20 2016-04-20 腾讯科技(深圳)有限公司 Virus scan method and apparatus
CN104133822B (en) * 2013-07-15 2016-09-14 腾讯科技(深圳)有限公司 A kind of method and device that file on memorizer is scanned

Also Published As

Publication number Publication date
CN105389509A (en) 2016-03-09

Similar Documents

Publication Publication Date Title
WO2017084557A1 (en) File scanning method and device
WO2017190580A1 (en) Method and device for accessing database
US20150020203A1 (en) Method and device for processing computer viruses
EP2750067B1 (en) System and method for selecting synchronous or asynchronous file access method during antivirus analysis
US9626510B2 (en) Method, device and system for processing computer virus
AU2017201667B2 (en) Secure document importation via portable media
WO2012051802A1 (en) Website scanning device and method
WO2015081791A1 (en) Method and apparatus for scanning and removing kernel-level malware
WO2012041602A1 (en) Search engine indexing
US9129109B2 (en) Method and apparatus for detecting a malware in files
JP2010182019A (en) Abnormality detector and program
CN111869176B (en) System and method for malware signature generation
US10229267B2 (en) Method and device for virus identification, nonvolatile storage medium, and device
US8448243B1 (en) Systems and methods for detecting unknown malware in an executable file
US20100175133A1 (en) Reordering document content to avoid exploits
US7703139B2 (en) Antivirus product using in-kernal cache of file state
US8386792B1 (en) Asymmetric content fingerprinting with adaptive window sizing
EP3108400B1 (en) Virus signature matching method and apparatus
US9239907B1 (en) Techniques for identifying misleading applications
US20130312100A1 (en) Electronic device with virus prevention function and virus prevention method thereof
WO2017054731A1 (en) Method and device for processing hijacked browser
RU2583712C2 (en) System and method of detecting malicious files of certain type
CN105224583B (en) Method and device for cleaning log files
KR100977179B1 (en) Method and System for Searching malicious code
US20080028466A1 (en) System and method for retrieving information from a storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 16865734; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 16865734; Country of ref document: EP; Kind code of ref document: A1)