WO2024040977A1

WO2024040977A1 - Virus detection method and apparatus, electronic device, and storage medium

Info

Publication number: WO2024040977A1
Application number: PCT/CN2023/087180
Authority: WO
Inventors: 刘遵一
Original assignee: 华为技术有限公司
Priority date: 2022-08-24
Filing date: 2023-04-08
Publication date: 2024-02-29
Also published as: CN117668834A

Abstract

The present application relates to a virus detection method and apparatus, an electronic device, and a storage medium. The method comprises: acquiring historical information of virus detection corresponding to a target file in a storage system; according to the historical information of virus detection corresponding to the target file, determining whether to carry out virus detection on the target file; if it is determined that virus detection is to be carried out on the target file, sending a request for carrying out virus detection on the target file to a target anti-virus system. In this way, whether virus detection is to be carried out on a target file is determined according to historical information of virus detection corresponding to the target file, and on the premise of ensuring data security, virus detection can be prevented from being repeatedly carried out on file content already subjected to virus detection, so that the network bandwidth overhead is saved, the virus detection time is saved, and the virus detection efficiency and the read-write performance of storage systems are improved.

Description

A virus detection method, device, electronic equipment and storage medium

Technical field

The present application relates to the field of computer security, and in particular to a virus detection method, device, electronic equipment and storage medium.

Background technique

Anti-Virus (AV) technology is a technology that protects user data security. It has functions such as real-time monitoring, virus prevention, virus scanning or virus removal, and maintains the security of user computer resources. Network Attached Storage (NAS) anti-virus is a value-added feature in NAS storage systems. It usually cooperates with anti-virus software to protect the data security of files in NAS storage systems, thereby effectively preventing files in NAS storage systems from being infected and tampered with by viruses. , protect the reliable operation of the entire NAS storage system.

However, existing anti-virus methods for NAS consume a large amount of network bandwidth and time, and are inefficient.

Contents of the invention

In view of this, a virus detection method, device, electronic equipment and storage medium are proposed.

In a first aspect, embodiments of the present application provide a virus detection method. The method includes: obtaining historical information of virus detection corresponding to the target file in the storage system; wherein the historical information of virus detection includes: whether it has been At least one of virus detection, virus detection times, virus detection time, and configuration information of an anti-virus system that performs virus detection; determining whether to perform virus detection on the target file based on the historical information of virus detection corresponding to the target file ; When it is determined that virus detection is to be performed on the target file, send a request to perform virus detection on the target file to the target anti-virus system.

Based on the above technical solution, the historical information of virus detection corresponding to the target file can characterize the virus detection related information that the content of the target file has experienced; determining whether to perform virus detection on the target file based on the historical information of virus detection corresponding to the target file can be performed in Under the premise of ensuring data security, it avoids repeated virus detection on file contents that have been virus tested, thereby saving network bandwidth overhead, saving virus detection time, and improving virus detection efficiency; in addition, when an online virus detection task is triggered, , the user can open the target file in time, which improves the read and write performance of the storage system.

According to the first aspect, in a first possible implementation manner of the first aspect, the historical information of virus detection corresponding to the target file includes the historical information of virus detection in the metadata of the target file, and/or , the historical information of virus detection corresponding to the file fingerprint of the target file in the index library; wherein the index library includes at least one file fingerprint and the historical information of virus detection corresponding to the at least one file fingerprint, and the at least One file fingerprint is associated with one or more files in the storage system, and the history information of virus detection corresponding to the at least one file fingerprint includes the history of virus detection corresponding to each file associated with the at least one file fingerprint. The latest historical information in the message.

According to the first aspect or a first possible implementation manner of the first aspect, in a second possible implementation manner of the first aspect, the historical information of virus detection corresponding to the target file includes: the target file The historical information of virus detection in the metadata; the obtaining the historical information of virus detection corresponding to the target file includes: reading the historical information of virus detection corresponding to the target file in the target file metadata.

Based on the above technical solution, after a file has been virus tested and confirmed to be virus-free, if the file content has not changed, the file content is still safe, and the file does not need to be repeatedly tested for viruses; therefore, reading the target file The historical information of virus detection in the metadata can be used to quickly obtain the historical information of virus detection corresponding to the target file, and then determine whether to perform virus detection on the target file based on the historical information of virus detection in the metadata of the target file. On the premise of ensuring data security, it avoids repeated virus detection on file contents that have already undergone virus detection, thereby saving network bandwidth overhead, saving virus detection time, and improving virus detection efficiency; in addition, when an online virus detection task is triggered, , the user can open the target file in time, which improves the read and write performance of the storage system.

According to the first aspect or a first possible implementation manner of the first aspect, in a third possible implementation manner of the first aspect, the historical information of virus detection corresponding to the target file includes: in the index database, The historical information of virus detection corresponding to the file fingerprint of the target file; the obtaining the historical information of virus detection corresponding to the target file includes: determining the target file fingerprint of the target file; according to the target file fingerprint, in the Select the historical information of virus detection corresponding to the fingerprint of the target file from the index database.

Based on the above technical solution, the target file fingerprint is associated with one or more files in the storage system, that is, the contents of the one or more files are exactly the same. If any of the one or more files is confirmed to be safe through virus detection , then the contents of other files can also be considered safe, and virus detection does not need to be repeated on other files; therefore, the historical information of virus detection corresponding to the fingerprint of the target file is queried in the index database, and the virus detection corresponding to the fingerprint of the target file is The historical information determines whether to perform virus detection on the target file, which can avoid repeated virus detection on the file content that has already experienced virus detection on the premise of ensuring data security, thereby saving network bandwidth overhead, saving virus detection time, and improving This improves virus detection efficiency; in addition, when an online virus detection task is triggered, users can open the target file in time, improving the read and write performance of the storage system.

According to a second possible implementation manner of the first aspect, in a fourth possible implementation manner of the first aspect, the historical information of virus detection corresponding to the target file includes: historical information of virus detection, and historical information of virus detection corresponding to the file fingerprint of the target file in the index database; and determining whether to detect the target based on the historical information of virus detection corresponding to the target file. Performing virus detection on the file includes: determining the target file fingerprint of the target file when the historical information of virus detection in the target file metadata does not meet the first preset condition; based on the target file fingerprint, The historical information of virus detection corresponding to the fingerprint of the target file is selected from the index library; when the historical information of virus detection corresponding to the fingerprint of the target file does not meet the second preset condition, it is determined that the target file is Virus detection.

Based on the above technical solution, determining whether to perform virus detection on the target file is based on the historical information of virus detection in the target file metadata and the historical information of virus detection corresponding to the fingerprint of the target file in the index database, which can avoid virus detection on the premise of ensuring data security. Repeated virus detection is performed on file contents that have already undergone virus detection, thereby saving network bandwidth overhead, saving virus detection time, and improving virus detection efficiency; in addition, when an online virus detection task is triggered, the user can open the target file in time, Improved the read and write performance of the storage system.

According to the first aspect or various possible implementations of the first aspect, in a fifth possible implementation of the first aspect, the method further includes: obtaining feedback from the target anti-virus system on the The result of virus detection on the target file; based on the result of virus detection, the historical information of virus detection corresponding to the target file is updated.

Based on the above technical solution, updating the historical information of virus detection corresponding to the target file according to the virus detection results can ensure that the historical information of virus detection corresponding to the target file is the latest historical information of virus detection, so that when the virus detection task is triggered next time, based on The latest virus detection history information determines whether to perform virus detection on the target file.

According to a fourth possible implementation manner of the first aspect, in a sixth possible implementation manner of the first aspect, the method further includes: historical information of virus detection corresponding to the fingerprint of the target file satisfies the third In the case of two preset conditions, it is determined not to perform virus detection on the target file, and the historical information of virus detection in the metadata of the target file is updated.

Based on the above technical solution, if the historical information of virus detection corresponding to the fingerprint of the target file satisfies the second preset condition, it indicates that the file content corresponding to the fingerprint of the target file has experienced virus detection and there is no virus, that is, the content of the target file has experienced virus detection. and there is no virus, you can update the historical information of virus detection in the target file metadata, thereby ensuring that the historical information of virus detection in the target file metadata is the latest historical information of virus detection, so that it can pass the next time the virus detection task is triggered. The historical virus detection information in the target file metadata quickly determines whether the target file needs to be virus detected, or whether the target file fingerprint needs to be obtained.

In a second aspect, embodiments of the present application provide a virus detection device. The device includes: an acquisition module for acquiring historical information of virus detection corresponding to the target file in the storage system; wherein the historical information of virus detection It includes: at least one of: whether it has experienced virus detection, the number of virus detections, the virus detection time, and the configuration information of the anti-virus system that performs virus detection; a determination module for based on the historical information of virus detection corresponding to the target file, Determine whether to perform virus detection on the target file; a request module, configured to send a request to perform virus detection on the target file to the target anti-virus system when it is determined to perform virus detection on the target file.

According to the second aspect, in a first possible implementation manner of the second aspect, the historical information of virus detection corresponding to the target file includes the historical information of virus detection in the metadata of the target file, and/or , the historical information of virus detection corresponding to the file fingerprint of the target file in the index library; wherein the index library includes at least one file fingerprint and the historical information of virus detection corresponding to the at least one file fingerprint, and the at least One file fingerprint is associated with one or more files in the storage system, and the history information of virus detection corresponding to the at least one file fingerprint includes the history of virus detection corresponding to each file associated with the at least one file fingerprint. The latest historical information in the message.

According to the second aspect or the first possible implementation manner of the second aspect, in the second possible implementation manner of the second aspect, the historical information of virus detection corresponding to the target file includes: the target file The historical information of virus detection in the metadata; the acquisition module is also used to read the historical information of virus detection corresponding to the target file in the target file metadata.

Based on the above technical solution, after a file has been virus tested and confirmed to be virus-free, if the file content has not changed, the file content is still safe, and the file does not need to be repeatedly tested for viruses; therefore, reading the target file The historical information of virus detection in the metadata can quickly obtain the historical information of virus detection corresponding to the target file. Based on the historical information of virus detection in the metadata of the target file, determine whether to perform virus detection on the target file, which can ensure data security. This avoids repeated virus detection on file content that has already undergone virus detection, thereby saving network bandwidth overhead, saving virus detection time, and improving virus detection efficiency; in addition, when an online virus detection task is triggered, the user can open it in time Target files improve the read and write performance of the storage system.

According to the second aspect or the first possible implementation manner of the second aspect, in the third possible implementation manner of the second aspect, the historical information of virus detection corresponding to the target file includes: in the index database, The historical information of virus detection corresponding to the file fingerprint of the target file; the acquisition module is also used to: determine the target file fingerprint of the target file; select the target file in the index database according to the target file fingerprint. Historical information of virus detection corresponding to the target file fingerprint.

Based on the above technical solution, the target file fingerprint is associated with one or more files in the storage system, that is, the contents of the one or more files are exactly the same. If any of the one or more files is confirmed to be safe through virus detection , then the contents of other files can also be considered safe, and virus detection does not need to be repeated on other files; therefore, the historical information of virus detection corresponding to the fingerprint of the target file is queried in the index database, and the virus detection corresponding to the fingerprint of the target file is of Historical information determines whether to perform virus detection on the target file, which can avoid repeated virus detection on file contents that have already undergone virus detection while ensuring data security, thereby saving network bandwidth overhead, saving virus detection time, and improving efficiency. Virus detection efficiency; in addition, when an online virus detection task is triggered, users can open the target file in time, improving the storage system's read and write performance.

According to a second possible implementation manner of the second aspect, in a fourth possible implementation manner of the second aspect, the historical information of virus detection corresponding to the target file includes: Historical information of virus detection, and historical information of virus detection corresponding to the file fingerprint of the target file in the index database; the determination module is also used for: virus detection in the metadata of the target file If the historical information does not meet the first preset condition, determine the target file fingerprint of the target file; select the historical information of virus detection corresponding to the target file fingerprint in the index database according to the target file fingerprint; When the historical information of virus detection corresponding to the fingerprint of the target file does not meet the second preset condition, it is determined to perform virus detection on the target file.

According to the second aspect or the above-mentioned various possible implementations of the second aspect, in the fifth possible implementation of the second aspect, the device further includes: a result feedback module for obtaining the target anti-virus The system feeds back the result of virus detection on the target file; an update module is used to update the historical information of virus detection corresponding to the target file according to the result of virus detection.

According to the fourth possible implementation manner of the second aspect, in the sixth possible implementation manner of the second aspect, the device further includes: a metadata update module, which detects viruses corresponding to the fingerprint of the target file. If the historical information satisfies the second preset condition, it is determined not to perform virus detection on the target file, and the historical information on virus detection in the metadata of the target file is updated.

Based on the above technical solution, if the historical information of virus detection corresponding to the fingerprint of the target file satisfies the second preset condition, it indicates that the file content corresponding to the fingerprint of the target file has experienced virus detection and does not have viruses, that is, the content of the target file has experienced virus detection and has no viruses. Then the historical information of virus detection in the target file metadata can be updated, thereby ensuring that the historical information of virus detection in the target file metadata is the latest historical information of virus detection, so that the target file metadata can be used when the virus detection task is triggered next time. The historical information of virus detection in the file can quickly determine whether the target file needs to be virus detected, or whether the target file fingerprint needs to be obtained.

In a third aspect, embodiments of the present application provide an electronic device, including: a processor; a memory for storing instructions executable by the processor; wherein the processor is configured to implement the first aspect when executing the instructions. Or one or more virus detection methods of the first aspect.

In a fourth aspect, embodiments of the present application provide a computer-readable storage medium on which computer program instructions are stored. When the computer program instructions are executed by a processor, the first aspect or one or more aspects of the first aspect are implemented. virus detection methods.

In a fifth aspect, embodiments of the present application provide a computer program product that, when the computer program product is run on a computer, causes the computer to execute the above-mentioned first aspect or one or more viruses of the first aspect. Detection method.

For the technical effects of the above-mentioned third to fifth aspects, please refer to the above-mentioned first or second aspect.

Other features and aspects of the present application will become apparent from the following detailed description of exemplary embodiments with reference to the accompanying drawings.

Description of drawings

The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate exemplary embodiments, features, and aspects of the application and together with the description, serve to explain the principles of the application.

Figure 1 shows a schematic diagram of an applicable scenario of a virus detection method according to an embodiment of the present application.

Figure 2 shows a flow chart of a virus detection method according to an embodiment of the present application.

Figure 3 shows a schematic diagram of an index library according to an embodiment of the present application.

Figure 4 shows a schematic diagram of historical information of virus detection corresponding to file fingerprint 1 according to an embodiment of the present application.

Figure 5 shows a flow chart of a virus detection method according to an embodiment of the present application.

Figure 6 shows a flow chart of a virus detection method according to an embodiment of the present application.

Figure 7 shows a flow chart of a virus detection method according to an embodiment of the present application.

Figure 8 shows a schematic structural diagram of a virus detection device according to an embodiment of the present application.

Figure 9 shows a schematic structural diagram of an electronic device according to an embodiment of the present application.

Detailed ways

Various exemplary embodiments, features, and aspects of the present application will be described in detail below with reference to the accompanying drawings. The same reference numbers in the drawings identify functionally identical or similar elements. Although various aspects of the embodiments are illustrated in the drawings, the drawings are not necessarily drawn to scale unless otherwise indicated.

Reference in this specification to "one embodiment" or "some embodiments" or the like means that a particular feature, structure or characteristic described in connection with the embodiment is included in one or more embodiments of the application. Therefore, the phrases "in one embodiment", "in some embodiments", "in other embodiments", "in other embodiments", etc. appearing in different places in this specification are not necessarily References are made to the same embodiment, but rather to "one or more but not all embodiments" unless specifically stated otherwise. The terms “including,” “includes,” “having,” and variations thereof all mean “including but not limited to,” unless otherwise specifically emphasized. The word "exemplary" as used herein means "serving as an example, example, or illustrative." Any embodiment described herein as "exemplary" is not necessarily to be construed as superior or superior to other embodiments. In addition, in order to better explain the present application, numerous specific details are given in the following detailed description. It will be understood by those skilled in the art that the present application may be practiced without certain specific details.

In this application, "at least one" refers to one or more, and "plurality" refers to two or more. "And/or" describes the association of associated objects, indicating that there can be three relationships, for example, A and/or B, which can mean: including the existence of A alone, the existence of A and B at the same time, and the existence of B alone, where A and B can be singular or plural. The character "/" generally indicates that the related objects are in an "or" relationship. "At least one of the following" or similar expressions thereof refers to any combination of these items, including any combination of a single item (items) or a plurality of items (items). For example, at least one of a, b, or c can mean: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b, c can be single or multiple .

Those of ordinary skill in the art will appreciate that the units and algorithm steps of each example described in conjunction with the embodiments disclosed herein can be implemented with electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Skilled artisans may use different methods to implement the described functions for each specific application, but such implementations should not be considered to be beyond the scope of this application. around.

The application scenarios to which the embodiments of this application are adapted are firstly illustrated below with examples.

Figure 1 shows a schematic diagram of an applicable scenario of a virus detection method according to an embodiment of the present application. As shown in Figure 1, this scenario may include a storage system 10 and an anti-virus system 20; the storage system 10 and the anti-virus system 20 may be connected through a wired or wireless network.

The storage system 10 may include an anti-virus unit for sending a virus detection request to the anti-virus system 20 to trigger virus detection; the virus detection request may include the storage path of the target file or the content of the target file. For example, the storage system 10 may be a NAS storage system; the NAS storage system may include 1-n file systems (File Systems, FS) for storing and organizing data to determine corresponding files based on file path information. In some examples, the administrator can configure the anti-virus function in the storage system 10 in advance through a graphical management interface or a command-line interface (CLI); when it is necessary to perform virus detection on files in the storage system 10, the anti-virus function The virus unit may send a virus detection request to the anti-virus system 20 .

Among them, the anti-virus system 20 is used to perform virus detection and anti-virus processing on files. The anti-virus system 20 can be external to the storage system 10 or deployed inside the storage system 10, which is not limited. In some examples, the anti-virus system 20 can be configured with an anti-virus server (AV Server), which can also be called an anti-virus engine (AV Engine), which can perform virus detection through installed anti-virus software; if the storage system 10 sends The path of the target file is determined by the anti-virus server through file access protocols, such as Network File System (NFS) protocol, SMB protocol, Common Internet File System (CIFS) protocol, and Internet content adaptation. Protocol (Internet Content Adaptation Protocol, ICAP), etc., obtain the content of the target file from the storage system 10 according to the path of the target file, so as to perform virus detection; if the storage system 10 sends the content of the target file, the anti-virus server directly Conduct virus detection on the contents of the target file to determine whether there is a virus. In other examples, the anti-virus system 20 may also be configured with an anti-virus agent (Av Agent) to provide agent services for the anti-virus server to obtain information sent by the storage system 10 .

For example, this scenario may also include a client 30, which may be a Server Message Block (SMB) client (client); the user may send an operation access request to the storage system 10 through the client 30, thereby Perform operations such as opening, writing, saving, relation or reading on files in the storage system 10 .

In related technologies, when a user accesses a target file in the storage system 10, an online virus detection task for the target file is triggered, also known as real-time scanning (On-Access Scanning); or the administrator can configure a periodic (for example, Perform global or local anti-virus scanning on the files in the storage system 10 during idle periods such as early morning, triggering the storage system 10 to actively perform background virus detection tasks on the target files. Before triggering an online virus detection task on the target file or triggering the storage system 10 to actively perform a background virus detection task on the target file, the storage system 10 will send a request for virus detection on the target file to the anti-virus system 20 , and the anti-virus system 20 will receive it. After receiving the virus detection request, obtain the content of the target file (directly receive the content of the target file sent by the storage system 10, or obtain the content of the target file according to the path of the target file sent by the storage system 10), and perform the obtained target file The content is tested for viruses. Since a large number of files are usually stored in the storage system, when a virus detection task is triggered, the contents of the target files in the storage system 10 need to be transmitted to the anti-virus system 20 , thus consuming a large amount of network input output (IO) transmission bandwidth. and time, and the efficiency is low. In addition, when an online virus detection task is triggered, the user cannot open and access the target file until the anti-virus system 20 completes the virus detection on the target file, which will have a great impact on the read and write performance of the storage system 10 .

Considering that there are a large number of duplicate files among the massive files stored in the storage system 10, for example, files copied by disaster recovery features such as data copy, snapshot, clone, replication, etc., the contents of these duplicate files are exactly the same. If the duplicate files are confirmed through virus detection, A file within a file is considered safe, and the contents of another file within a duplicate file can also be considered safe. Repeat virus detection for other files in the duplicate files; in addition, after a file is confirmed to be virus-free through virus detection, if the content of the file has not changed, then the file content is still safe, and the file does not need to be repeatedly tested for viruses. Based on this, embodiments of the present application provide a virus detection method (see below for detailed description), which can skip file contents that have been virus tested and avoid sending duplicate file contents to The anti-virus system performs virus detection, thereby saving network bandwidth overhead, saving virus detection time, and improving virus detection efficiency; in addition, when an online virus detection task is triggered, the user can open the target file in time, improving the storage system 10 reading and writing performance.

It should be noted that the above application scenarios described in the embodiments of the present application are for the purpose of more clearly explaining the technical solutions of the embodiments of the present application, and do not constitute a limitation on the technical solutions provided by the embodiments of the present application. Those of ordinary skill in the art will know that In view of the emergence of other similar or new scenarios, the technical solutions provided by the embodiments of this application are also applicable to similar technical problems. For example, the virus detection method described in this application is also applicable to other storage systems, such as object-based storage systems, distributed file systems (Distributed File System, HDFS), big data storage systems and other storage systems.

Taking the scenario shown in Figure 1 above as an example, the virus detection method provided by the embodiment of the present application will be described in detail below.

Figure 2 shows a flow chart of a virus detection method according to an embodiment of the present application. Illustratively, this method can be executed by the anti-virus unit in Figure 1 above. As shown in Figure 2, the method may include the following steps:

S201. Obtain historical virus detection information corresponding to the target file in the storage system.

For example, when a virus detection task is triggered, the historical information of virus detection corresponding to the target file in the storage system can be obtained; for example, when the user operates and accesses the target file in the storage system, online virus detection on the target file can be triggered. During the detection task, the anti-virus unit obtains the historical information of virus detection corresponding to the target file; for another example, when the storage system is triggered to actively perform a background virus detection task on the target file, the anti-virus unit obtains the historical information of virus detection corresponding to the target file. As an example, the storage system may be the storage system 10 shown in FIG. 1 above.

The historical information of virus detection corresponding to the target file can represent the information related to virus detection that the content of the target file has experienced; among which, the historical information of virus detection can include: whether it has experienced virus detection, the number of virus detections, the time of virus detection, and the execution of viruses At least one item of configuration information of the detected antivirus system.

Among them, whether the content of a file has experienced virus detection indicates whether the content of a file has experienced virus detection; for example, whether the content of a file has experienced virus detection indicates that the content of a file has experienced virus detection before the current moment and is determined to be free of viruses, and has not experienced virus detection indicates that a file has not experienced virus detection. 's content has not been tested for viruses before the current moment. The number of virus detections indicates the number of times the contents of a file have been tested for viruses. The virus detection time represents the time when the content of a file has undergone virus detection. For example, it can be the latest virus detection time, that is, the time when the content of the file has undergone virus detection for the latest time. The configuration information of the anti-virus system that performs virus detection represents the configuration information of the anti-virus system that performs virus detection when the content of a file undergoes virus detection. For example, it can be the configuration information of the anti-virus system that performs the latest virus detection; illustratively , the anti-virus system that performs virus detection may include anti-virus software, and the configuration information of the anti-virus system may be the version number of the anti-virus software.

For example, when the content of a file changes, such as writing new content or deleting part of the content in a file, or when a virus is detected in the content of a file, the virus corresponding to the file can be detected. The historical information is updated to the default value; as an example, the default value can include an item that has not experienced virus detection, the number of virus detections is 0, the virus detection time is empty, or the configuration information of the anti-virus system that performs virus detection is empty or multiple items.

In a possible implementation manner, the historical information of virus detection corresponding to the target file includes the historical information of virus detection in the metadata of the target file. That is, the target file metadata can record whether the content of the target file has experienced virus detection, the number of times the content of the target file has experienced virus detection, the time when the content of the target file has experienced virus detection, and virus detection is performed when the content of the target file has experienced virus detection. At least one item of configuration information of the anti-virus system. For example, the anti-virus unit may read the historical information of virus detection corresponding to the target file in the metadata of the target file.

As an example, take the historical information of virus detection in the target file metadata including whether the content of the target file has experienced virus detection. For example, when the content of the target file has undergone virus detection and is confirmed to be free of viruses, a "scanned" mark can be recorded in the target file metadata to indicate that the content of the target file has experienced virus detection; if the content of the target file has If there is a risk of being invaded by a virus, the "scanned" mark will be cleared in the target file metadata, thereby indicating that the content of the modified target file has not undergone virus detection.

As another example, take the historical information of virus detection in the target file metadata including the time when the content of the target file experienced virus detection. For example, when the content of the target file undergoes virus detection and is confirmed to be free of viruses, the time of the virus detection can be recorded in the target file metadata; if the content of the target file undergoes virus detection again and is confirmed to be virus-free, the time of virus detection can be recorded in the target file metadata. The virus detection time updates the virus detection time recorded in the target file metadata.

As another example, take the historical information of virus detection in the target file metadata including the configuration information of the anti-virus system that performs virus detection when the content of the target file undergoes virus detection. For example, when the content of the target file has been tested for viruses and it is confirmed that there is no virus, the version number of the anti-virus software that performed the virus detection can be recorded in the target file metadata; if the content of the target file has been tested for viruses again and it is confirmed that there is no virus, After a virus is detected, the version number of the anti-virus software recorded in the target file metadata can be updated according to the version number of the anti-virus software that performs the virus detection.

As another example, take the historical information of virus detection in the target file metadata including the number of times the content of the target file has experienced virus detection. For example, every time the content of the target file is tested for a virus and it is confirmed that there is no virus, the number of virus detections recorded in the historical information of virus detection corresponding to the target file can be increased by 1.

As another example, take the historical information of virus detection in the target file metadata including whether the content of the target file has experienced virus detection and the time at which the content of the target file has experienced virus detection. When the target file has been tested for viruses and is confirmed to be free of viruses, a "scanned" mark and the time of this virus detection can be recorded in the target file metadata.

As another example, the history information of virus detection in the target file metadata may include whether the content of the target file has experienced virus detection, the time when the content of the target file has experienced virus detection, and the virus detection was performed when the content of the target file has experienced virus detection. Configuration information of the anti-virus system; when the target file has been tested for viruses and is confirmed to be free of viruses, the "scanned" mark, the time of this virus detection, and the time when this virus detection was performed can be recorded in the target file metadata. Antivirus system configuration information.

In a possible implementation, the historical information of virus detection corresponding to the target file may include historical information of virus detection corresponding to the file fingerprint of the target file in the index database; for example, the anti-virus unit may query in the index database Historical information about virus detections corresponding to the target file's target file fingerprint.

The index database includes at least one file fingerprint and historical information of virus detection corresponding to the at least one file fingerprint. The at least one file fingerprint is associated with one or more files in the storage system. The virus corresponding to the at least one file fingerprint The detected historical information includes the latest historical information among the virus detected historical information corresponding to each file associated with the at least one file fingerprint.

As an example, for a target file, when the target file is created in the storage system and the content is written, when the target file is closed, the file fingerprint of the target file can be calculated based on the content of the target file; where the file fingerprint can be calculated through the existing file Fingerprints are obtained. For example, the file fingerprint of the target file may be recorded in the metadata of the target file. In this way, by traversing each file in the storage system, the file fingerprint of each file can be obtained; then by summarizing the file fingerprints of each file, multiple different file fingerprints can be obtained; among them, files with the same content have the same file fingerprint, and files with different content have the same file fingerprint. The file fingerprints are different. Further, for any file fingerprint, the historical information of virus detection corresponding to each file associated with the file fingerprint is summarized, so that the latest historical information among the historical information of virus detection corresponding to each associated file is used as the file fingerprint. The corresponding historical information of virus detection; finally insert the file fingerprint as the key into the index database (key) index record (that is, the historical information of virus detection corresponding to the file fingerprint), thereby establishing an index database; the index database can record whether it has experienced virus detection, the number of virus detections, the time of virus detection, and the time when virus detection was performed. At least one item of configuration information for the antivirus system.

For example, Figure 3 shows a schematic diagram of an index database according to an embodiment of the present application. As shown in Figure 3, the index database can include multiple file fingerprints, namely file fingerprint 1, file fingerprint 2, and file fingerprint 3...File fingerprint n; wherein, the historical information of virus detection corresponding to each file fingerprint may include whether the file content corresponding to the file fingerprint has experienced virus detection, the time when the file content corresponding to the file fingerprint has experienced virus detection, the file fingerprint The version number of the anti-virus software that performs virus detection when the corresponding file content undergoes virus detection. For example, the historical information of virus detection corresponding to file fingerprint 1 in Figure 3 includes: having experienced virus detection, the virus detection time is T1, and the version number of the anti-virus software that performs virus detection is P1; for another example, the virus detection corresponding to file fingerprint 3 The historical information includes: no virus detection has been performed, the virus detection time is empty, and the version number of the anti-virus software that performs virus detection is empty.

For example, if the content of a certain file in the storage system changes, for example, after the content of a certain file is added, deleted, rewritten, etc., the file fingerprint of the file will change, the file fingerprint of the file will be recalculated. Fingerprint. For another example, if the content of a certain file has been tested for viruses and it is determined that a virus exists, the content of the file will also change after anti-virus processing, and the file fingerprint of the file will be recalculated; or if there is a new file in the storage system file, you can calculate the file fingerprint of the newly created file. Then, the historical information of virus detection corresponding to the latest file fingerprint in the index database can be updated; if the latest file fingerprint is not found in the index database, an index with the latest file fingerprint as the key can be inserted into the index database. Record.

For example, for any file fingerprint, the information about whether the content of each file associated with the file fingerprint has experienced virus detection can be determined based on the information about whether the content of each file associated with the file fingerprint has experienced virus detection. If the associated files The content of any file in the file has experienced virus detection, that is, the latest information about whether it has experienced virus detection is that it has experienced virus detection, then the historical virus detection information corresponding to the fingerprint of the file includes the information that has experienced virus detection; for example, you can Add a "scanned" mark to the index record corresponding to the fingerprint of the file in the index database; if the contents of each associated file have not experienced virus detection, the historical information of virus detection corresponding to the fingerprint of the file includes "scanned" virus testing information. For example, for any file fingerprint, the latest virus detection time can be selected from the virus detection times corresponding to each file associated with the file fingerprint as the virus detection time corresponding to the file fingerprint. For example, for any file fingerprint, the configuration information of the latest anti-virus system among the configuration information of the anti-virus system that performs virus detection corresponding to each file associated with the file fingerprint can be selected as the configuration information corresponding to the file fingerprint. Configuration information of the anti-virus system that performs virus detection; for example, the latest anti-virus software version number among the anti-virus software version numbers that perform virus detection corresponding to each file associated with the file fingerprint can be used as the anti-virus software version number that performs virus detection corresponding to the file fingerprint. The version number of the anti-virus software.

For example, Figure 4 shows a schematic diagram of historical information of virus detection corresponding to file fingerprint 1 according to an embodiment of the present application. As shown in Figure 4, file B and file C in the storage system are data copies of file A. For new files obtained by operations such as snapshots, cloning or copying, the contents of file A, file B and file C are all the same. The file fingerprints of file A, file B and file C are the same and are all file fingerprint 1, that is , File fingerprint 1 is associated with file A, file B, and file C in the storage system. The historical information of virus detection corresponding to file A includes that the content of file A has experienced virus detection, the virus detection time is 15:00 on January 1, 2022, and the anti-virus software version number is p1; the historical information of virus detection corresponding to file B is file The content of B has experienced virus detection, the virus detection time is 13:00 on January 1, 2022, and the anti-virus software version number is p2; the historical information of virus detection corresponding to file C is that the content of file C has not experienced virus detection, virus detection The time is empty and the anti-virus software version number is empty. Since the contents of file A and file B have experienced virus detection, that is, the latest information about whether they have experienced virus detection is virus detection, it can be determined that the virus detection history information corresponding to file fingerprint 1 includes information about virus detection; file The virus detection time corresponding to file A is later than the virus detection time corresponding to file B. time, that is, the latest virus detection time is the virus detection time corresponding to file A, then it can be determined that the virus detection time corresponding to file fingerprint 1 is 15:00 on January 1, 2022; the anti-virus software version number p1 corresponding to file A is relative to the file The anti-virus software version number p2 corresponding to B is updated, that is, the latest anti-virus software version number that performs virus detection is p1, then it can be determined that the anti-virus software version number corresponding to file fingerprint 1 is p1.

In a possible implementation, the historical information of virus detection corresponding to the target file includes the historical information of virus detection in the target file metadata and the historical information of virus detection corresponding to the file fingerprint of the target file in the index database.

The types of the historical virus detection information in the target file metadata and the historical virus detection information corresponding to the file fingerprint of the target file in the index database may be the same or different, and are not limited to this. For example, the historical information of virus detection in the target file metadata can include whether it has experienced virus detection, and the historical information of virus detection corresponding to the file fingerprint of the target file can include the virus detection time; for another example, the virus detection in the target file metadata The historical information of the file may include whether it has experienced virus detection, and the historical information of virus detection corresponding to the file fingerprint of the target file may include whether it has experienced virus detection.

S202. Determine whether to perform virus detection on the target file according to the historical information of virus detection corresponding to the target file.

For example, if the historical information of virus detection corresponding to the target file satisfies the preset conditions, it may be determined not to perform virus detection on the target file; if the historical information of virus detection corresponding to the target file does not meet the preset conditions, Confirm that the target file is checked for viruses.

As an example, taking the historical information of virus detection corresponding to the target file including whether it has experienced virus detection, the corresponding preset condition may include that the content of the target file has experienced virus detection. For example, if there is a "scanned" mark in the historical information of virus detection corresponding to the target file, indicating that the content of the target file has undergone virus detection, it is determined that the target file will not be virus detected; if the historical information of virus detection corresponding to the target file If there is no "scanned" mark in the file, it means that the target file has been detected for viruses.

As another example, taking the historical information of virus detection corresponding to the target file including the time of virus detection, the corresponding preset condition may include that the interval between the virus detection time and the current moment in the historical information of virus detection corresponding to the target file has not exceeded Preset time interval. If the interval between the virus detection time and the current time in the historical information of virus detection corresponding to the target file does not exceed the preset time interval, it is determined not to perform virus detection on the target file; if the virus detection time in the historical information of virus detection corresponding to the target file is different from the current time. If the time interval exceeds the preset time interval, and the content of the target file is at risk of being infected with a virus, it is determined to perform virus detection on the target file; the value of the preset time interval can be set as needed, and there is no limit to this.

As another example, taking the historical information of virus detection corresponding to the target file as including the number of virus detections, the corresponding preset condition may include that the number of virus detections in the historical information of virus detection corresponding to the target file does not exceed the preset number of detections. . If the number of virus detections in the historical information of virus detection corresponding to the target file has reached the preset number of detections, it is determined not to perform virus detection on the target file; if the number of virus detections in the historical information of virus detection corresponding to the target file has not reached the preset number of detections, Then it is determined to perform virus detection on the target file; wherein, the value of the preset number of detections can be set as needed and is not limited.

As another example, take the historical information of virus detection corresponding to the target file including the configuration information of the anti-virus system that performs virus detection. The corresponding preset conditions may include the configuration information of the anti-virus system that performs virus detection and the target anti-virus. The configuration information of the system (that is, the anti-virus system currently performing virus detection) is the same. For example, if the version number of the anti-virus software in the historical information of virus detection corresponding to the target file is the same as the version number of the anti-virus software currently performing virus detection, the target file can be skipped and no virus detection will be performed on the target file; if the virus corresponding to the target file If the version number of the anti-virus software in the detected historical information is different from the version number of the anti-virus software currently performing virus detection (for example, the anti-virus software is updated and the version number of the anti-virus software changes), then it is determined that the target file is to be tested for viruses.

As another example, taking the historical information of virus detection corresponding to the target file including whether it has experienced virus detection and the virus detection time, the corresponding preset conditions can be that the content of the target file has experienced virus detection, and the virus corresponding to the target file The interval between the virus detection time and the current time in the detection history information does not exceed the preset time interval. For example, if there is a "scanned" mark in the historical information of virus detection corresponding to the target file and the interval between the virus detection time and the current time in the historical information of virus detection corresponding to the target file does not exceed the preset time interval, it is determined that the target file is not used. The file is checked for viruses; otherwise, the target file is determined to be checked for viruses.

As another example, take the historical information of virus detection corresponding to the target file including whether it has experienced virus detection, the time of virus detection, and the configuration information of the anti-virus system that performs virus detection; the corresponding preset condition can be the content of the target file. The interval between the virus detection time and the current time in the historical information of virus detection and virus detection corresponding to the target file does not exceed the preset time interval, and the configuration information of the anti-virus system that performs virus detection is the same as the configuration information of the target anti-virus system. For example, if there is a "scanned" mark in the historical information of virus detection corresponding to the target file, the interval between the virus detection time and the current time in the historical information of virus detection corresponding to the target file does not exceed the preset time interval, and the target file corresponds to If the version number of the anti-virus software in the historical information of virus detection is the same as the version number of the anti-virus software currently performing virus detection, it is determined not to perform virus detection on the target file; otherwise, it is determined to perform virus detection on the target file.

S203. When it is determined that virus detection is to be performed on the target file, send a request to perform virus detection on the target file to the target anti-virus system.

For example, the storage system may be connected wirelessly or wiredly to one or more anti-virus systems, and may send a request to perform virus detection on the target file to the target anti-virus system if it is determined that the target file is to be virus-detected. As an example, the target anti-virus system may be the anti-virus system 20 in Figure 1 mentioned above.

For example, the virus detection request may also include the path of the target file or the content of the target file, so that the target anti-virus system can perform virus detection on the target file. For example, when it is determined that the target file is subject to virus detection, the anti-virus unit can send the path of the target file to the target anti-virus system, and the target anti-virus system obtains the target file from the storage system through the file access protocol based on the path of the target file. Virus detection is then performed after the content of the target file is detected to determine whether there is a virus in the content of the target file; for another example, the anti-virus unit can send the content of the target file to the target anti-virus system, and the target anti-virus system directly checks the received target file. Conduct virus detection on the content of the target file to determine whether there is a virus in the content of the target file.

For example, if it is determined that virus detection is not to be performed on the target file, virus detection on the target file may be skipped. For example, when triggering an online virus detection task, if it is determined that the target file is not to be detected for viruses, the user can be directly allowed to operate on the target file.

In a possible implementation, after executing the above step S203, the results of virus detection on the target file fed back by the target anti-virus system can also be obtained; and based on the virus detection results, the history of virus detection corresponding to the target file is updated. information. This way, when the virus detection task is triggered next time, it is determined whether to perform virus detection on the target file based on the latest virus detection history information.

As an example, if there is no "scanned" mark in the virus detection history information corresponding to the target file; if the target anti-virus system performs virus detection on the target file and the target anti-virus system confirms that the target file does not have viruses, it can report to the anti-virus system. The virus unit reports that the target file does not contain viruses; the anti-virus unit can add a "scanned" mark to the historical virus detection information corresponding to the target file. If there is a "scanned" mark in the virus detection history information corresponding to the target file; if the target anti-virus system performs virus detection on the target file and the target anti-virus system confirms that the target file has a virus, the target file can be disinfected ( For example, part or all of the content in the target file is deleted, isolated, etc.), and the target file is fed back to the anti-virus unit that the target file contains viruses. Since the content of the target file changes after the anti-virus process, the anti-virus unit can detect the virus in the target file after the anti-virus unit. Delete the "scanned" mark from the corresponding virus detection history information.

As another example, if the target anti-virus system performs virus detection on the target file and the target anti-virus system confirms that the target file does not have a virus, it can feedback to the anti-virus unit that the target file does not have a virus and the time of this virus detection, and the anti-virus unit can Update the virus detection time in the historical information of virus detection corresponding to the target file to the current virus detection time. If the target anti-virus system performs virus detection on the target file and confirms that the target file has a virus, it can disinfect the target file and feedback to the anti-virus unit that the target file has a virus. The anti-virus unit can then match the target file with the virus. The virus detection time in the virus detection history information is updated to the default value.

As another example, if the target anti-virus system performs virus detection on the target file and the target anti-virus system confirms that the target file does not have viruses, it can feedback to the anti-virus unit that the target file does not have viruses and the version of the anti-virus software that performed this virus detection. number; the anti-virus unit can update the version number of the anti-virus software that performs virus detection in the historical information of virus detection corresponding to the target file to the version number of the anti-virus software used for this virus detection. If the target anti-virus system performs virus detection on the target file and confirms that the target file has a virus, it can disinfect the target file and feedback to the anti-virus unit that the target file has a virus. The anti-virus unit can then match the target file to The version number of the anti-virus software that performs virus detection in the virus detection history information is updated to the default value.

In the embodiment of the present application, the historical information of virus detection corresponding to the target file can represent the relevant information of virus detection experienced by the content of the target file; determining whether to perform virus detection on the target file can be based on the historical information of virus detection corresponding to the target file. On the premise of ensuring data security, it avoids repeated virus detection on file contents that have been virus tested, thereby saving network bandwidth overhead, saving virus detection time, and improving virus detection efficiency; in addition, when triggering online virus detection tasks At this time, the user can open the target file in time, which improves the read and write performance of the storage system.

The virus detection method in the embodiment of the present application will be described below by taking the historical information of virus detection corresponding to the target file, including the historical information of virus detection in the metadata of the target file, as an example.

Figure 5 shows a flow chart of a virus detection method according to an embodiment of the present application. By way of example, the method may be executed by the anti-virus unit in Figure 1 described above. As shown in Figure 5, the virus detection method includes:

S501. In the target file metadata, read the historical information of virus detection corresponding to the target file.

The specific description of the target file metadata may refer to the relevant expressions in step 201 in Figure 2 above.

S502: Determine whether to perform virus detection on the target file according to the historical information of virus detection corresponding to the target file.

For example, if the historical information of virus detection in the target file metadata satisfies the preset conditions, it may be determined not to perform virus detection on the target file; if the historical information of virus detection corresponding to the target file does not meet the preset conditions. Next, confirm to perform virus detection on the target file.

For the specific implementation process of this step, reference can be made to the relevant expressions in step S202 in Figure 2 above, which will not be described again here.

S503. When it is determined that virus detection is to be performed on the target file, send a request to perform virus detection on the target file to the target anti-virus system.

For the specific implementation process of this step, reference can be made to the relevant expressions of step S203 in Figure 2 above, which will not be described again here.

In a possible implementation, after executing the above step S503, the result of virus detection on the target file fed back by the target anti-virus system can also be obtained; and based on the result of virus detection, the virus in the metadata of the target file can be updated. Detection history information. For example, after the target anti-virus system performs virus detection on the target file, one or more items of whether there is a virus in the target file, the time of the virus detection, or the configuration information of the target anti-virus system can be fed back to the anti-virus unit. , the anti-virus unit updates the historical information of virus detection in the target file metadata based on the feedback information.

In this way, through the above steps S501-S503, the historical information of virus detection in the target file metadata is read, and the historical information of virus detection corresponding to the target file is quickly obtained; considering that after a file has been virus tested and confirmed to be virus-free, if If the content of the file has not changed, then the content of the file is still safe, and the file does not need to be repeatedly tested for viruses; therefore, it is determined whether to perform virus testing on the target file based on the historical information of virus detection in the metadata of the target file. Testing can avoid repeated virus testing on file contents that have already undergone virus testing on the premise of ensuring data security, thereby saving network bandwidth overhead, saving virus detection time, and improving virus detection efficiency; in addition, when triggering online During virus detection tasks, users can open target files in time, which improves the read and write performance of the storage system.

As an example, take the historical information of virus detection in the target file metadata including whether the content of the target file has experienced virus detection. Whether the content of the target file has experienced virus detection can be read in the target file metadata. For example, you can read whether there is a "scanned" mark in the target file metadata to determine whether the content of the target file has experienced virus detection. If there is no "scanned" mark in the metadata of the target file, it means that the content of the target file has not experienced virus detection, then it is determined to perform virus detection on the target file, and a request to perform virus detection on the target file is sent to the target anti-virus system. If there is a "scanned" mark in the metadata of the target file, it means that the content of the target file has been tested for viruses and confirmed to be virus-free, and it is determined that the target file will not be tested for viruses.

As another example, take the historical information of virus detection in the target file metadata including the virus detection time experienced by the content of the target file. The virus detection time experienced by the content of the target file can be read in the target file metadata. If the interval between the virus detection time experienced by the content of the target file and the current moment exceeds the preset time interval, it is determined that the target file will be infected with viruses. detection, and sends a request to the target antivirus system to perform virus detection on the target file. If the interval between the virus detection time experienced by the content of the target file and the current moment does not exceed the preset time interval, it can be determined that the target file will not be virus detected.

As another example, take the historical information of virus detection in the target file metadata including the configuration information of the anti-virus system that performs virus detection when the content of the target file undergoes virus detection. The configuration information of the anti-virus system that performs virus detection can be read in the target file metadata. If the configuration information of the anti-virus system that performs virus detection is different from the configuration information of the target anti-virus system, it is determined to perform virus detection on the target file. and sends a request to the target antivirus system to perform virus detection on the target file. If the configuration information of the anti-virus system that performs virus detection is the same as the configuration information of the target anti-virus system, it can be determined that the target file will not be detected for viruses.

As another example, the historical information of virus detection in the target file metadata includes whether the content of the target file has experienced virus detection, the time when the content of the target file has experienced virus detection, and the prevention method of performing virus detection when the content of the target file has experienced virus detection. Take the configuration information of the virus system as an example. Whether the target file has experienced virus detection, virus detection time, and the configuration information of the anti-virus system that performs virus detection can be read in the target file metadata; for example, you can read whether there is a "scanned" mark in the target file metadata. , the time when the content of the target file last experienced virus detection, the configuration information of the anti-virus system that performed the latest virus detection, if there is a "scanned" mark in the metadata of the target file, the time when the content of the target file last experienced virus detection If the interval between the time and the current moment does not exceed the preset time interval, and the configuration information of the anti-virus system that performs the latest virus detection is the same as the configuration information of the target anti-virus system, it is determined that the target file will not be tested for viruses; otherwise, it is determined that the target file will not be tested for viruses. The file is checked for viruses and a request is sent to the target antivirus system to check the target file for viruses.

The virus detection method in the embodiment of the present application will be described below by taking the historical information of virus detection corresponding to the target file including the historical information of virus detection corresponding to the file fingerprint of the target file in the index database as an example.

Figure 6 shows a flow chart of a virus detection method according to an embodiment of the present application. By way of example, the method may be executed by the anti-virus unit in Figure 1 described above. As shown in Figure 6, the virus detection method includes:

S601. Determine the target file fingerprint of the target file;

As an example, the target file fingerprint of the target file can be read in the target file metadata;

As another example, a target file's target file fingerprint can be calculated based on the content in the target file. The method of calculating the fingerprint of the target file can use existing technology, which will not be described again here; for example, a hash code can be used to generate the fingerprint of the target file.

S602. According to the fingerprint of the target file, select the historical information of virus detection corresponding to the fingerprint of the target file in the index database.

For the specific description of the index database, please refer to the relevant expressions in step 201 in Figure 2 above.

For example, the fingerprint of the target file can be used as a key to perform a query in the index database to obtain the historical information of virus detection corresponding to the fingerprint of the target file.

For example, if the target file fingerprint is used as the key to query in the index database, and the historical information of virus detection corresponding to the target file fingerprint is not queried, an index record with the target file fingerprint as the key can be inserted into the index database. The historical information of virus detection corresponding to the fingerprint of the target file in the index record is set to the default value.

S603. Determine whether to perform virus detection on the target file based on the historical information of virus detection corresponding to the fingerprint of the target file.

For example, when the historical information of virus detection corresponding to the fingerprint of the target file satisfies the preset conditions, it may be determined not to perform virus detection on the target file; when the historical information of virus detection corresponding to the fingerprint of the target file does not meet the preset conditions. Next, confirm to perform virus detection on the target file.

For the specific implementation process of this step, reference can be made to the relevant expressions of step S202 in Figure 2 above, which will not be described again here.

S604. When it is determined that virus detection is to be performed on the target file, send a request to perform virus detection on the target file to the target anti-virus system.

In a possible implementation, after executing the above step S604, the result of virus detection on the target file fed back by the target anti-virus system can also be obtained; and based on the result of virus detection, the index database and the target file can be updated. Historical information of virus detection corresponding to file fingerprints. For example, after the target anti-virus system performs virus detection on the target file, one or more items of whether there is a virus in the target file, the time of the virus detection, or the configuration information of the target anti-virus system can be fed back to the anti-virus unit. , the anti-virus unit updates the historical information of virus detection corresponding to the fingerprint of the target file in the index database based on the feedback information.

In this way, through the above steps S601-S604, the historical information of virus detection corresponding to the target file fingerprint is queried in the index database; considering that the target file fingerprint is associated with one or more files in the storage system, that is, the one or more files The contents are exactly the same. If any one of the one or more files is confirmed to be safe through virus detection, the contents of other files can also be considered safe, and virus detection does not need to be repeated for other files; therefore, according to the target The historical virus detection information corresponding to the file fingerprint determines whether to perform virus detection on the target file. This can avoid repeated virus detection on file contents that have already undergone virus detection while ensuring data security, thereby saving network bandwidth overhead and saving money. It shortens virus detection time and improves virus detection efficiency; in addition, when an online virus detection task is triggered, users can open the target file in time, improving the read and write performance of the storage system.

As an example, take the historical information of virus detection corresponding to the fingerprint of the target file in the index database, including whether it has experienced virus detection; for example, you can use the fingerprint of the target file as the key to query in the index database to obtain the fingerprint corresponding to the target file. Whether there is a "scanned" mark in the history information of virus detection to determine whether the content of the target file has undergone virus detection. If there is no "scanned" mark in the historical virus detection information corresponding to the fingerprint of the target file in the index database, it means that the content of the target file has not experienced virus detection. Then it is determined to perform virus detection on the target file and report it to the target anti-virus system. Sends a request for virus detection of the target file. If there is a "scanned" mark in the historical virus detection information corresponding to the fingerprint of the target file in the index database, it means that the content of the target file has been tested for viruses and confirmed to be free of viruses, and it is determined that the target file will not be tested for viruses.

As an example, take the historical information of virus detection corresponding to the fingerprint of the target file in the index database, including the time of virus detection; for example, you can query the index database using the fingerprint of the target file as the key to obtain the virus detection corresponding to the fingerprint of the target file. time; if the interval between the virus detection time corresponding to the target file fingerprint and the current time exceeds the preset time interval, determine to perform virus detection on the target file, and send a request to perform virus detection on the target file to the target anti-virus system. If the interval between the virus detection time corresponding to the fingerprint of the target file and the current time does not exceed the preset time interval, it is determined that the target file will not be tested for viruses.

As another example, take the historical information of virus detection corresponding to the target file fingerprint in the index database, including the configuration information of the anti-virus system that performs virus detection; for example, the target file fingerprint can be used as the key to query in the index database, Obtain the configuration information of the anti-virus system that performs virus detection corresponding to the fingerprint of the target file. If the configuration information of the anti-virus system that performs virus detection corresponding to the fingerprint of the target file is different from the configuration information of the target anti-virus system, it is determined that the target file should be infected with viruses. detection, and sends a request to the target antivirus system to perform virus detection on the target file. If the configuration information of the anti-virus system that performs virus detection corresponding to the fingerprint of the target file is the same as the configuration information of the target anti-virus system, it can be determined that the target file will not be detected for viruses.

As another example, take the historical information of virus detection corresponding to the fingerprint of the target file in the index database, including whether it has experienced virus detection, the time of virus detection, and the configuration information of the anti-virus system that performs virus detection; for example, the target file can be The fingerprint is the key to query in the index database to obtain whether there is a "scanned" mark in the historical information of virus detection corresponding to the fingerprint of the target file, the virus detection time corresponding to the fingerprint of the target file, and the anti-virus detection time corresponding to the fingerprint of the target file. Configuration information of the virus system; if the historical information of virus detection corresponding to the target file fingerprint has a "scanned" mark, the interval between the virus detection time corresponding to the target file fingerprint and the current time does not exceed the preset time interval, and the target file fingerprint If the corresponding configuration information of the anti-virus system that performs virus detection is the same as the configuration information of the target anti-virus system, then it is determined not to perform virus detection on the target file; otherwise, it is determined to perform virus detection on the target file, and the target file is sent to the target anti-virus system. File virus detection request.

The following takes the historical information of virus detection corresponding to the target file, including the historical information of virus detection in the metadata of the target file, and the historical information of virus detection corresponding to the file fingerprint of the target file in the index database as an example. In the embodiment of the present application, Virus detection methods are explained.

Figure 7 shows a flow chart of a virus detection method according to an embodiment of the present application. Illustratively, this method can be executed by the anti-virus unit in Figure 1 above. As shown in Figure 7, the virus detection method includes:

S701. In the target file metadata, read the historical information of virus detection corresponding to the target file.

This step is the same as the above-mentioned step S501 in Figure 5 and will not be described again.

S702. When the historical information of virus detection in the target file metadata does not meet the first preset condition, determine the target file fingerprint of the target file.

The method of determining the target file fingerprint of the target file may refer to the relevant expressions in step S601 in FIG. 6 above.

In a possible implementation, the target file fingerprint of the target file can also be determined when the historical information of virus detection in the target file metadata satisfies the first preset condition. For example, the target file may not have undergone virus detection for a long time. In order to further ensure data security, the target file fingerprint can still be determined when the "scanned" mark is recorded in the metadata, so as to further determine whether the target file has been detected. Get tested for viruses.

For the first preset condition, reference may be made to the relevant expressions of the "preset condition" in step S202 of FIG. 2 , which will not be described again here.

As an example, the first preset condition may be that there is a "scanned" mark in the target file's metadata. If there is a "scanned" mark in the target file's metadata, it means that the target file has been tested for viruses and is confirmed to be free of viruses. , the target file does not need to be virus detected; if there is no "scanned" mark in the target file metadata, the target file fingerprint is read in the target file metadata.

As another example, the first preset condition may be that the number of virus detections recorded in the metadata of the target file reaches the preset number of detections. If the number of virus detections recorded in the metadata of the target file reaches the preset number of detections, the target file may not be detected. Perform virus detection on the file; if the number of virus detections recorded in the target file metadata does not reach the preset number of detections, the target file fingerprint can be read in the target file metadata.

As another example, the first preset condition may be that the interval between the virus detection time recorded in the target file metadata and the current time does not exceed the preset time interval. If the interval between the virus detection time recorded in the target file metadata and the current time is If the preset time interval is not exceeded, the target file does not need to be virus detected; if the interval between the virus detection time recorded in the target file metadata and the current time exceeds the preset time interval, read the target file fingerprint in the target file metadata. .

As another example, the first preset condition may be that the configuration information of the anti-virus system that performs virus detection recorded in the target file metadata is the same as the configuration information of the target anti-virus system. If the configuration information of the anti-virus system that performs virus detection recorded in the target file metadata If the configuration information of the anti-virus system is the same as the configuration information of the target anti-virus system, the target file does not need to be virus detected; if the configuration information of the anti-virus system that performs virus detection recorded in the target file metadata is different from the configuration information of the target anti-virus system If the information is different, read the target file fingerprint in the target file metadata.

As another example, the first preset condition may be that there is a "scanned" mark in the target file metadata, the interval between the virus detection time recorded in the target file metadata and the current moment does not exceed a preset time interval, and the target file The configuration information of the anti-virus system that performs virus detection recorded in the metadata is the same as the configuration information of the target anti-virus system. If there is a "scanned" mark in the target file metadata, and the interval between the recorded virus detection time and the current time is not If the preset time interval exceeds and the configuration information of the anti-virus system that performs virus detection is the same as the configuration information of the target anti-virus system, the target file does not need to be virus detected; otherwise, the target file is read in the target file metadata fingerprint.

S703. According to the target file fingerprint, select historical virus detection information corresponding to the target file fingerprint in the index database.

This step is the same as step S602 in FIG. 6 and will not be described again.

S704. When the historical information of virus detection corresponding to the fingerprint of the target file does not meet the second preset condition, determine to perform virus detection on the target file.

For the second preset condition, reference may be made to the relevant expressions of the "preset condition" in step S202 in FIG. 2 , which will not be described again here.

In a possible implementation, when the historical information of virus detection corresponding to the fingerprint of the target file satisfies the second preset condition, it is determined not to perform virus detection on the target file, and the history of virus detection in the metadata of the target file is updated. information.

For example, the historical information of virus detection in the target file metadata may be updated according to the historical information of virus detection corresponding to the fingerprint of the target file. For example, if there is no "scanned" mark in the metadata of the target file, but there is a "scanned" mark in the historical virus detection information corresponding to the fingerprint of the target file, you can add "scanned" to the metadata of the target file. " mark. For another example, the virus detection time recorded in the metadata of the target file can be updated to the virus detection time corresponding to the fingerprint of the target file. If the historical information of virus detection corresponding to the fingerprint of the target file satisfies the second preset condition, indicating that the file content corresponding to the fingerprint of the target file has experienced virus detection and has no virus, that is, the content of the target file has experienced virus detection and has no virus, then the target file can be updated. The historical information of virus detection in the metadata, thereby ensuring that the historical information of virus detection in the target file metadata is the latest historical information of virus detection, so that the next time the virus detection task is triggered, the virus detection in the target file metadata can be passed. Historical information can be used to quickly determine whether the target file needs to be tested for viruses, or whether the target file fingerprint needs to be obtained.

S705. When it is determined that the target file is to be detected for viruses, send a request to the target anti-virus system for virus detection on the target file.

In a possible implementation, after executing the above step S705, feedback from the target anti-virus system can also be obtained. The result of virus detection on the target file; and based on the result of virus detection, update the historical information of virus detection in the metadata of the target file, and the historical information of virus detection corresponding to the file fingerprint of the target file in the index database.

In this way, through the above steps S701-S705, it is determined whether to perform virus detection on the target file based on the historical information of virus detection in the target file metadata and the historical information of virus detection corresponding to the fingerprint of the target file in the index database, which can ensure data security. Under the premise, repeated virus detection is avoided on file contents that have already undergone virus detection, thereby saving network bandwidth overhead, saving virus detection time, and improving virus detection efficiency; in addition, when an online virus detection task is triggered, users can promptly Opening the target file improves the read and write performance of the storage system.

As an example, take the history information of virus detection including whether it has experienced virus detection. For example, you can read whether there is a "scanned" mark in the target file metadata. If there is no "scanned" mark in the target file metadata, determine the target file fingerprint of the target file, and select the target file in the index library. Information about whether the fingerprint corresponds to virus detection; if there is no "scanned" mark in the historical virus detection information corresponding to the fingerprint of the target file in the index database, it is determined that the target file will be virus detected and sent to the target anti-virus system A request to perform virus detection on the target file. If there is a "scanned" mark in the historical virus detection information corresponding to the fingerprint of the target file in the index database, it means that the content of the target file has been tested for viruses and confirmed to be free of viruses, and it is determined that the target file will not be tested for viruses; further, A "scanned" flag can be added to the target file metadata.

As another example, take the historical information of virus detection including the time of virus detection. The virus detection time experienced by the content of the target file can be read in the target file metadata. If the interval between the virus detection time recorded in the metadata and the current moment exceeds the preset time interval, the target file fingerprint is determined and indexed Select the virus detection time corresponding to the fingerprint of the target file from the library. If the interval between the virus detection time corresponding to the fingerprint of the target file and the current time exceeds the preset time interval, it is determined to perform virus detection on the target file and send the target file to the target anti-virus system. A request to perform virus detection on the target file. If the interval between the virus detection time corresponding to the target file fingerprint and the current time does not exceed the preset time interval, it can be determined that the target file will not be virus detected; further, the target file metadata can be updated according to the virus detection time corresponding to the target file fingerprint. Recorded virus detection time.

As another example, take historical information of virus detection including configuration information of an anti-virus system that performs virus detection. The configuration information of the anti-virus system that performs virus detection can be read in the target file metadata. If the configuration information of the anti-virus system that performs virus detection recorded in the target file metadata is different from the configuration information of the target anti-virus system, then OK Target file fingerprint, and select the configuration information of the anti-virus system that performs virus detection corresponding to the target file fingerprint in the index database. If the configuration information of the anti-virus system for virus detection corresponding to the target file fingerprint is different from the configuration information of the target anti-virus system , then it is determined to perform virus detection on the target file, and a request for virus detection on the target file is sent to the target anti-virus system. If the configuration information of the anti-virus system that performs virus detection corresponding to the fingerprint of the target file is the same as the configuration information of the target anti-virus system, it can be determined that the target file will not be detected for viruses; further, the anti-virus system that performs virus detection corresponding to the fingerprint of the target file can be determined. The configuration information of the anti-virus system updates the configuration information of the anti-virus system that performs virus detection recorded in the target file metadata.

As another example, take the historical information of virus detection including whether it has experienced virus detection, the time of virus detection, and the configuration information of the anti-virus system that performs virus detection. You can read in the target file metadata whether it has experienced virus detection, the virus detection time, and the configuration information of the anti-virus system that performs virus detection; if there is a "scanned" mark in the target file metadata, the time of virus detection and the current If the time interval does not exceed the preset time interval or the configuration information of the anti-virus system that performs virus detection is the same as the configuration information of the target anti-virus system, determine the fingerprint of the target file and select the target file in the index library. The fingerprint corresponds to the information about whether it has experienced virus detection, the virus detection time and the configuration information of the anti-virus system that performs virus detection. If the virus detection information corresponding to the fingerprint of the target file has a "scanned" mark, the corresponding virus detection The interval between time and the current moment does not exceed the preset time interval or the corresponding execution error If the configuration information of the anti-virus system for virus detection is the same as the configuration information of the target anti-virus system and any one of them is not satisfied, then it is determined to perform virus detection on the target file and a request to perform virus detection on the target file is sent to the target anti-virus system. If the virus detection information corresponding to the target file fingerprint has a "scanned" mark, the interval between the corresponding virus detection time and the current time does not exceed the preset time interval, and the corresponding configuration information of the antivirus system that performs virus detection is the same as If the configuration information of the target anti-virus system is the same, it can be determined that the target file will not be virus detected; further, a "scanned" mark can be added to the metadata of the target file, and the virus detection time corresponding to the fingerprint of the target file can be and the corresponding configuration information of the anti-virus system that performs virus detection, and updates the virus detection time and the configuration information of the anti-virus system that performs virus detection in the target file metadata.

Based on the same inventive concept of the above method embodiments, embodiments of the present application also provide a virus detection device, which can be used to implement the technical solution described in the above method embodiments. For example, each step of the method shown in FIG. 2, FIG. 5, FIG. 6 or FIG. 7 can be performed.

Figure 8 shows a schematic structural diagram of a virus detection device according to an embodiment of the present application. As shown in Figure 8, the device includes: an acquisition module 801, used to obtain historical information of virus detection corresponding to the target file in the storage system; wherein the historical information of virus detection includes: whether it has experienced virus detection, virus detection At least one of the number of times, virus detection time, and configuration information of the anti-virus system that performs virus detection; the determination module 802 is used to determine whether to perform virus detection on the target file based on the historical information of virus detection corresponding to the target file. Detection; request module 803, configured to send a request for virus detection to the target anti-virus system to the target anti-virus system when it is determined to perform virus detection on the target file.

In the embodiment of the present application, the historical information of virus detection corresponding to the target file can represent the relevant information of virus detection experienced by the content of the target file; determining whether to perform virus detection on the target file based on the historical information of virus detection corresponding to the target file can be performed in Under the premise of ensuring data security, it avoids repeated virus detection on file contents that have been virus tested, thereby saving network bandwidth overhead, saving virus detection time, and improving virus detection efficiency; in addition, when an online virus detection task is triggered, , the user can open the target file in time, which improves the read and write performance of the storage system.

In a possible implementation, the historical information of virus detection corresponding to the target file includes the historical information of virus detection in the metadata of the target file, and/or the file fingerprint corresponding to the target file in the index database. Corresponding historical information of virus detection; wherein the index library includes at least one file fingerprint and historical information of virus detection corresponding to the at least one file fingerprint, and the at least one file fingerprint is consistent with one or more of the storage systems. Multiple files are associated, and the historical information of virus detection corresponding to the at least one file fingerprint includes the latest historical information among the historical information of virus detection corresponding to each file associated with the at least one file fingerprint.

In a possible implementation, the historical information of virus detection corresponding to the target file includes: the historical information of virus detection in the metadata of the target file; the acquisition module 801 is also configured to In the metadata, read the historical information of virus detection corresponding to the target file.

In a possible implementation, the historical information of virus detection corresponding to the target file includes: the historical information of virus detection corresponding to the file fingerprint of the target file in the index database; the acquisition module 801 is also used to : Determine the target file fingerprint of the target file; select the historical information of virus detection corresponding to the target file fingerprint in the index database according to the target file fingerprint.

In a possible implementation, the historical information of virus detection corresponding to the target file includes: the historical information of virus detection in the metadata of the target file, and files in the index database that are related to the target file. The historical information of virus detection corresponding to the fingerprint; the determination module 802 is also used to: determine the historical information of virus detection in the target file metadata when the historical information of virus detection does not meet the first preset condition. Target file fingerprint; select the historical information of virus detection corresponding to the target file fingerprint in the index database according to the target file fingerprint; select the target file fingerprint in the index database; If the historical virus detection information corresponding to the file fingerprint does not meet the second preset condition, it is determined to perform virus detection on the target file.

In a possible implementation, the device further includes: a result feedback module, used to obtain the result of virus detection of the target file as fed back by the target anti-virus system; and an update module, used to detect the virus according to the Based on the detection results, the historical information of virus detection corresponding to the target file is updated.

In a possible implementation, the device further includes: a metadata update module, which determines not to perform the virus detection on the target file when the historical information of virus detection corresponding to the fingerprint of the target file satisfies the second preset condition. Virus detection and updating the historical virus detection information in the target file metadata.

The technical effects and specific descriptions of the virus detection device shown in Figure 8 and its various possible implementations can be found in the relevant expressions of the virus retrieval method above, and will not be described again here.

It should be understood that the above division of modules in the virus detection device is only a division of logical functions. In actual implementation, they can be fully or partially integrated into a physical entity, or they can also be physically separated. In addition, the modules in the device can be implemented in the form of the processor calling software; for example, the device includes a processor, the processor is connected to a memory, instructions are stored in the memory, and the processor calls the instructions stored in the memory to implement any of the above methods. Or realize the functions of each module of the device, where the processor is, for example, a general-purpose processor, such as a central processing unit (Central Processing Unit, CPU) or a microprocessor, and the memory is a memory within the device or a memory outside the device. Alternatively, the modules in the device can be implemented in the form of hardware circuits, and some or all of the module functions can be implemented through the design of the hardware circuits, which can be understood as one or more processors; for example, in one implementation, The hardware circuit is an application-specific integrated circuit (ASIC). Through the design of the logical relationship of the components in the circuit, the functions of some or all of the above modules are realized; for another example, in another implementation, the hardware circuit is It can be realized by programmable logic device (PLD), taking Field Programmable Gate Array (FPGA) as an example, which can include a large number of logic gate circuits, and the logic gate circuits are configured through configuration files. connection relationships to realize the functions of some or all of the above modules. All modules of the above device may be fully implemented by the processor calling software, or all may be implemented by hardware circuits, or part of the modules may be implemented by the processor calling software, and the remaining part may be implemented by hardware circuits.

In the embodiment of the present application, the processor is a circuit with signal processing capabilities. In one implementation, the processor may be a circuit with instruction reading and execution capabilities, such as a CPU, a microprocessor, and a graphics processor. (graphics processing unit, GPU), digital signal processor (digital signal processor, DSP), neural network processing unit (NPU), tensor processing unit (TPU), etc.; in another In this implementation, the processor can realize certain functions through the logical relationship of the hardware circuit. The logical relationship of the hardware circuit is fixed or can be reconstructed. For example, the processor is a hardware circuit implemented by ASIC or PLD, such as FPGA. In a reconfigurable hardware circuit, the process of the processor loading the configuration file and realizing the hardware circuit configuration can be understood as the process of the processor loading instructions to realize the functions of some or all of the above modules.

It can be seen that each module in the above device can be one or more processors (or processing circuits) configured to implement the methods of the above embodiments, such as: CPU, GPU, NPU, TPU, microprocessor, DSP, ASIC, FPGA , or a combination of at least two of these processor forms. In addition, all or part of the modules in the above device may be integrated together, or may be implemented independently, which is not limited.

As an example, the virus detection device can be set up independently, can be integrated in other devices, or can be implemented through software or a combination of software and hardware. For example, the virus detection device can be the anti-virus unit in Figure 1 and can be integrated into the storage system 10 in Figure 1 above.

As another example, the virus detection device may also be a device or system with data processing capabilities, or may be provided in components or chips in some devices or systems. For example, the virus detection device can be an integrated storage management platform (Integrated Storage Management, DEVICE MANAGER), cloud server, desktop computer, portable computer, network server, service cluster, personal digital assistant (PDA), mobile phone, tablet computer , wireless terminal equipment, embedded equipment, medical equipment or other equipment with data processing functions, or components or chips in these equipment.

An embodiment of the present application also provides an electronic device, including: a processor; a memory for storing instructions executable by the processor; wherein the processor is configured to implement the method of the above embodiment when executing the instructions. For example, each step of the method shown in FIG. 2, FIG. 5, FIG. 6 or FIG. 7 can be performed.

Figure 9 shows a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in Figure 9, the electronic device may include: at least one processor 901, a communication line 902, a memory 903 and at least one communication interface 904.

The processor 901 can be a general central processing unit, a microprocessor, an application-specific integrated circuit, or one or more integrated circuits used to control the execution of the program of the present application; the processor 901 can also include multiple general-purpose processors. The structural computing architecture, for example, can be a combination of at least two of CPU, GPU, microprocessor, DSP, ASIC, and FPGA; as an example, the processor 901 can be CPU+GPU or CPU+ASIC or CPU+FPGA.

Communication line 902 may include a path that carries information between the above-mentioned components.

The communication interface 904 uses any device such as a transceiver to communicate with other devices or communication networks, such as Ethernet, RAN, wireless local area networks (WLAN), etc.

The memory 903 may be a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a random access memory (random access memory (RAM)) or other type that can store information and instructions. A dynamic storage device can also be an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disk storage, optical disc storage (including compressed optical discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), disk storage media or other magnetic storage devices, or can be used to carry or store desired program code in the form of instructions or data structures and can be used by a computer Any other medium for access, but not limited to this. The memory may exist independently and be connected to the processor through a communication line 902 . Memory can also be integrated with the processor. The memory provided by the embodiment of the present application may generally be non-volatile. Among them, the memory 903 is used to store computer execution instructions for executing the solution of the present application, and is controlled by the processor 901 for execution. The processor 901 is used to execute computer execution instructions stored in the memory 903, thereby implementing the methods provided in the above embodiments of the application; for example, the method shown in the above-mentioned Figure 2, Figure 5, Figure 6 or Figure 7 can be executed. Each step.

Optionally, the computer-executed instructions in the embodiments of the present application may also be called application codes, which are not specifically limited in the embodiments of the present application.

For example, the processor 901 may include one or more CPUs, for example, CPU0 in Figure 9; the processor 901 may also include one CPU, and any one of GPU, ASIC, and FPGA, for example, CPU0+ in Figure 9 GPU0 or CPU 0+ASIC0 or CPU0+FPGA0.

By way of example, the electronic device may include multiple processors, such as processor 901 and processor 907 in FIG. 9 . Each of these processors can be a single-CPU processor, a multi-CPU processor, or a heterogeneous computing architecture including multiple general-purpose processors. A processor here may refer to one or more devices, circuits, and/or processing cores for processing data (eg, computer program instructions).

In specific implementation, as an embodiment, the electronic device may also include an output device 905 and an input device 906. The output device 905 communicates with the processor 901 and can display information in a variety of ways. For example, the output device 905 may be a liquid crystal display (LCD), a light emitting diode (LED) The display device may be a cathode ray tube (CRT) display device, a projector, etc., for example, it may be a display device such as a vehicle-mounted HUD, AR-HUD, or monitor. Input device 906 communicates with processor 901 and can receive user input in a variety of ways. For example, the input device 906 may be a mouse, a keyboard, a touch screen device, a sensing device, or the like.

Embodiments of the present application provide a computer-readable storage medium on which computer program instructions are stored. When the computer program instructions are executed by a processor, the methods in the above embodiments are implemented. For example, each step of the method shown in FIG. 2, FIG. 5, FIG. 6 or FIG. 7 can be implemented.

Embodiments of the present application provide a computer program product, which may, for example, include computer readable code, or a non-volatile computer readable storage medium carrying computer readable code; when the computer program product is run on a computer When, the computer is caused to execute the method in the above embodiment. For example, each step of the method shown in FIG. 2, FIG. 5, FIG. 6 or FIG. 7 can be implemented.

Computer-readable storage media may be tangible devices that can retain and store instructions for use by an instruction execution device. The computer-readable storage medium may be, for example, but not limited to, an electrical storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the above. More specific examples (non-exhaustive list) of computer-readable storage media include: portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM) or Flash memory), Static Random Access Memory (SRAM), Compact Disk Read Only Memory (CD-ROM), Digital Versatile Disk (DVD), Memory Stick, Floppy Disk, Mechanical Coding Device, such as a printer with instructions stored on it. Protruding structures in hole cards or grooves, and any suitable combination of the above. As used herein, computer-readable storage media are not to be construed as transient signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through waveguides or other transmission media (e.g., light pulses through fiber optic cables), or through electrical wires. transmitted electrical signals.

Computer-readable program instructions described herein may be downloaded from a computer-readable storage medium to various computing/processing devices, or to an external computer or external storage device over a network, such as the Internet, a local area network, a wide area network, and/or a wireless network. The network may include copper transmission cables, fiber optic transmission, wireless transmission, routers, firewalls, switches, gateway computers, and/or edge servers. A network adapter card or network interface in each computing/processing device receives computer-readable program instructions from the network and forwards the computer-readable program instructions for storage on a computer-readable storage medium in the respective computing/processing device .

Computer program instructions for performing the operations of this application may be assembly instructions, instruction set architecture (ISA) instructions, machine instructions, machine-related instructions, microcode, firmware instructions, state setting data, or instructions in one or more programming languages. Source code or object code written in any combination of object-oriented programming languages - such as Smalltalk, C++, etc., and conventional procedural programming languages - such as the "C" language or similar programming languages. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server implement. In situations involving remote computers, the remote computer can be connected to the user's computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computer (such as an Internet service provider through the Internet). connect). In some embodiments, by utilizing state information of computer-readable program instructions to personalize an electronic circuit, such as a programmable logic circuit, a field programmable gate array (FPGA), or a programmable logic array (PLA), the electronic circuit can Computer readable program instructions are executed to implement various aspects of the application.

Various aspects of the present application are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.

These computer-readable program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, or other programmable data processing apparatus, thereby producing a machine that, when executed by the processor of the computer or other programmable data processing apparatus, , resulting in an apparatus that implements the functions/actions specified in one or more blocks in the flowchart and/or block diagram. These computer-readable program instructions can also be stored in a computer-readable storage medium. These instructions cause the computer, programmable data processing device and/or other equipment to work in a specific manner. Therefore, the computer-readable medium storing the instructions includes An article of manufacture that includes instructions that implement aspects of the functions/acts specified in one or more blocks of the flowcharts and/or block diagrams.

Computer-readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other equipment, causing a series of operating steps to be performed on the computer, other programmable data processing apparatus, or other equipment to produce a computer-implemented process , thereby causing instructions executed on a computer, other programmable data processing apparatus, or other equipment to implement the functions/actions specified in one or more blocks in the flowcharts and/or block diagrams.

The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions that embody one or more elements for implementing the specified logical function(s). Executable instructions. In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two consecutive blocks may actually execute substantially in parallel, or they may sometimes execute in the reverse order, depending on the functionality involved. It will also be noted that each block of the block diagram and/or flowchart illustration, and combinations of blocks in the block diagram and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts. , or can be implemented using a combination of specialized hardware and computer instructions.

The embodiments of the present application have been described above. The above description is illustrative, not exhaustive, and is not limited to the disclosed embodiments. Many modifications and variations will be apparent to those skilled in the art without departing from the scope and spirit of the described embodiments. The terminology used herein is chosen to best explain the principles, practical applications, or technical improvements in the market of the embodiments, or to enable other persons of ordinary skill in the art to understand the embodiments disclosed herein.

Claims

A virus detection method, characterized in that the method includes:

Obtain the historical information of virus detection corresponding to the target file in the storage system; wherein the historical information of virus detection includes: whether it has experienced virus detection, the number of virus detections, the virus detection time, and the configuration information of the anti-virus system that performs virus detection at least one of;

Determine whether to perform virus detection on the target file according to the historical information of virus detection corresponding to the target file;

When it is determined that the target file is to be tested for viruses, a request to perform virus detection on the target file is sent to the target anti-virus system.
The method according to claim 1, characterized in that, the historical information of virus detection corresponding to the target file includes the historical information of virus detection in the metadata of the target file, and/or, the historical information of virus detection in the index database is related to the target file. Historical information of virus detection corresponding to the file fingerprint of the file; wherein, the index database includes at least one file fingerprint and historical information of virus detection corresponding to the at least one file fingerprint, and the at least one file fingerprint is consistent with the storage system The historical information of virus detection corresponding to the at least one file fingerprint includes the latest historical information among the historical information of virus detection corresponding to each file associated with the at least one file fingerprint.
The method according to claim 1 or 2, characterized in that the historical information of virus detection corresponding to the target file includes: the historical information of virus detection in the metadata of the target file;

The obtaining the historical information of virus detection corresponding to the target file includes: reading the historical information of virus detection corresponding to the target file in the target file metadata.
The method according to claim 1 or 2, characterized in that the historical information of virus detection corresponding to the target file includes: historical information of virus detection corresponding to the file fingerprint of the target file in the index database;

The obtaining historical information of virus detection corresponding to the target file includes:

Determine the target file fingerprint of the target file;

According to the target file fingerprint, historical information of virus detection corresponding to the target file fingerprint is selected from the index database.
The method according to claim 3, characterized in that the historical information of virus detection corresponding to the target file includes: the historical information of virus detection in the metadata of the target file, and, in the index database, the historical information of virus detection corresponding to the target file. Historical information of virus detection corresponding to the file fingerprint of the target file;

Determining whether to perform virus detection on the target file based on the historical information of virus detection corresponding to the target file includes:

When the historical information of virus detection in the target file metadata does not meet the first preset condition, determine the target file fingerprint of the target file;

According to the target file fingerprint, select the historical information of virus detection corresponding to the target file fingerprint in the index database;

When the historical information of virus detection corresponding to the fingerprint of the target file does not meet the second preset condition, it is determined to perform virus detection on the target file.
The method according to any one of claims 1-5, characterized in that the method further includes:

Obtain the results of virus detection on the target file fed back by the target anti-virus system;

According to the result of the virus detection, the historical information of virus detection corresponding to the target file is updated.
The method according to claim 5, characterized in that the method further includes:

When the historical information of virus detection corresponding to the fingerprint of the target file satisfies the second preset condition, it is determined not to perform virus detection on the target file, and the historical information of virus detection in the metadata of the target file is updated.
A virus detection device, characterized in that the device includes: an acquisition module for acquiring historical information of virus detection corresponding to the target file in the storage system; wherein the historical information of virus detection includes: whether it has experienced virus detection , at least one of the number of virus detections, the virus detection time, and the configuration information of the anti-virus system that performs virus detection; the determination module is used to determine whether to check the target file based on the historical information of virus detection corresponding to the target file. Perform virus detection; the request module is configured to send a request to the target anti-virus system to perform virus detection on the target file when it is determined that the target file is to be tested for viruses.
The device according to claim 8, characterized in that, the historical information of virus detection corresponding to the target file includes the historical information of virus detection in the metadata of the target file, and/or, the historical information of virus detection in the index database is related to the target file. Historical information of virus detection corresponding to the file fingerprint of the file; wherein, the index database includes at least one file fingerprint and historical information of virus detection corresponding to the at least one file fingerprint, and the at least one file fingerprint is consistent with the storage system The historical information of virus detection corresponding to the at least one file fingerprint includes the latest historical information among the historical information of virus detection corresponding to each file associated with the at least one file fingerprint.
The device according to claim 8 or 9, characterized in that the historical information of virus detection corresponding to the target file includes: the historical information of virus detection in the metadata of the target file; the acquisition module is also configured to In the target file metadata, historical information of virus detection corresponding to the target file is read.
The device according to claim 8 or 9, wherein the historical information of virus detection corresponding to the target file includes: historical information of virus detection corresponding to the file fingerprint of the target file in the index database; the acquisition A module further configured to: determine a target file fingerprint of the target file; and select historical virus detection information corresponding to the target file fingerprint in the index database based on the target file fingerprint.
The device according to claim 10, characterized in that the historical information of virus detection corresponding to the target file includes: the historical information of virus detection in the metadata of the target file, and the historical information of virus detection in the index database corresponding to the Historical information of virus detection corresponding to the file fingerprint of the target file; the determination module is also configured to: when the historical information of virus detection in the target file metadata does not meet the first preset condition, determine the The target file fingerprint of the target file; According to the target file fingerprint, the historical information of virus detection corresponding to the target file fingerprint is selected from the index database; when the historical information of virus detection corresponding to the target file fingerprint does not meet the second preset condition , determine to perform virus detection on the target file.
The device according to any one of claims 8-12, characterized in that the device further includes: a result feedback module, used to obtain the result of virus detection of the target file fed back by the target anti-virus system; An update module, configured to update the historical information of virus detection corresponding to the target file according to the result of the virus detection.
The device according to claim 12, characterized in that the device further includes: a metadata update module that determines when the historical information of virus detection corresponding to the target file fingerprint does not meet the second preset condition. No virus detection is performed on the target file, and the historical information of virus detection in the metadata of the target file is updated.
An electronic device, characterized by including:

processor;

Memory used to store instructions executable by the processor;

Wherein, the processor is configured to implement the method according to any one of claims 1-7 when executing the instructions.
A non-volatile computer-readable storage medium on which computer program instructions are stored, characterized in that when the computer program instructions are executed by a processor, the method described in any one of claims 1-7 is implemented.