CN100485700C - Device for preventing and treating computer virus by real-time monitoring for file and its upgrading method - Google Patents

Device for preventing and treating computer virus by real-time monitoring for file and its upgrading method

Info

Publication number
CN100485700C
Authority
CN
Grant status
Grant
Patent type
Prior art keywords
device
preventing
treating
computer
method
Prior art date
Application number
CN 200610037011
Other languages
Chinese (zh)
Other versions
CN101122934A (en )
Inventor
左力志
鹏 罗
覃志明
Original Assignee
珠海金山软件股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Grant date

Abstract

The present invention provides an apparatus and method for preventing and treating computer viruses with real-time file monitoring which ensures that the user has a good experience during a virus-database or engine upgrade while still keeping the computer secure. The apparatus comprises an application-layer part and an operating-system-kernel part. The application-layer part in turn comprises a file-system interaction processing logic module and the file-system application programming interface (API) module provided by the operating system; the kernel part comprises an antivirus file-system driver module that can intercept file operations and the actual operating system's file-system driver module. When an upgrade requires the engine and virus database to be replaced, two antivirus application layers are provided, each comprising an antivirus engine and a virus database; that is, there are two antivirus engines, antivirus engine 1 and antivirus engine 2, and two virus databases, virus database 1 and virus database 2.

Description

An apparatus for preventing and treating computer viruses with real-time file monitoring, and its upgrading method

Technical Field

The present invention relates to computer virus prevention and treatment technology, and in particular to an apparatus and method for preventing and treating computer viruses with real-time file monitoring.

Background Art

With the development of computer technology, the variety of computer viruses and the harm they cause keep increasing: they cause hardware damage, data loss, systems that no longer work normally, and so on, and have already caused great impact and loss to computer users. Computer viruses are highly contagious and infectious, spreading mainly over the network or by infecting executable programs on a computer. At present computer viruses are mostly detected and removed with antivirus software, which generally consists of a virus-checking engine and a virus-signature database. The virus-checking engine checks the files on the computer against the virus signatures in the signature database; if a matching signature is found, the file is infected by that particular virus, and the antivirus software takes the appropriate measures to remove it. Preventing and treating computer viruses with antivirus software requires frequent updates of the virus-signature database, because every new computer virus has a signature that differs from those of known viruses. Only after a new virus has appeared and been analysed can its signature be found and added to the existing signature database, so the antivirus software must be upgraded continually to be able to detect and remove new viruses. Clearly this method always lags behind the emergence of new viruses: a new virus lurking in a normal program or data file that has not yet triggered cannot be found, so new viruses cannot be prevented. Once a new virus meets its trigger conditions it damages the computer system, at the least disrupting normal operation and at worst destroying system hardware, causing serious loss. Hence timely updating of the virus-signature database is very important.

Antivirus software currently on the market all has a real-time file monitoring function, which monitors accessed files for viruses in real time. Its mechanism is to intercept every file that the user or the computer is about to access, scan it for viruses, and release it only once it is confirmed safe. At the same time, software with antivirus capability needs to update its virus database in real time so that it can detect and remove the latest viruses and keep the computer secure. The basic structure of the prior-art apparatus for preventing and treating computer viruses with real-time file monitoring is shown in Figure 1. It comprises an application-layer part and an operating-system-kernel part. The application-layer part comprises the file-system application programming interface (API) module provided by the operating system and a file-system interaction processing logic module; the kernel part comprises an antivirus file-system driver module that can intercept file operations and the actual operating system's file-system driver module. The apparatus also comprises an antivirus engine and a virus database, which may be located either in the application-layer part or in the kernel part. Implementing the antivirus engine and the file-system interaction processing logic in the kernel can improve efficiency and does not affect the overall monitoring flow. As shown in Figure 2, the basic flow of real-time file monitoring for file antivirus protection is as follows:

Step 1: start operation;

Step 2: the application-layer file-system driver module drives the file operation;

Step 3: the antivirus file-system driver module intercepts the file operation;

Step 4: determine whether it is a file or process that can be filtered; if so, go to Step 5; if not, go to Step 6;

Step 5: submit the operation to the actual operating system's file-system driver module to be carried out; go to Step 10;

Step 6: submit to the antivirus application layer for logical judgment;

Step 7: call the antivirus engine to scan for and remove viruses;

Step 8: determine whether a virus is present; if so, go to Step 9; if not, go to Step 5;

Step 9: block the file-system access;

Step 10: end operation.

It can be seen that the antivirus mechanism of real-time monitoring as a whole relies mainly on intercepting file operations and then submitting them to the engine for virus scanning and removal. For the antivirus function to stay current, the latest virus database and engine must be substituted frequently. At present, the common practice of antivirus software when choosing the moment to replace the virus database is to temporarily stop intercepting files, replace the engine or virus database, and then turn interception back on; this process is shown in Figure 3.

The most obvious benefit of this is that, since replacing the engine or virus database takes a certain amount of time, turning the monitoring function off and then on again gives the user a better experience, with no noticeable pause in the machine. But for security software it also poses a security risk: during the time the file monitor is turned off the computer is unprotected, because the antivirus software is doing nothing at all. This is the greatest drawback of upgrading the engine and virus database.

Summary of the Invention

To overcome the shortcomings of existing computer virus prevention systems, the object of the present invention is to provide an apparatus and method for preventing and treating computer viruses with real-time file monitoring that ensures a good user experience during a virus-database or engine upgrade while keeping the computer secure.

The technical solution adopted by the present invention to solve its technical problem is as follows:

The present invention provides an apparatus for preventing and treating computer viruses with real-time file monitoring, comprising an application-layer part and an operating-system-kernel part. The application-layer part in turn comprises a file-system interaction processing logic module and the file-system application programming interface (API) module provided by the operating system; the kernel part comprises an antivirus file-system driver module that can intercept file operations and the actual operating system's file-system driver module. Its distinguishing feature is that when an upgrade requires the engine and virus database to be replaced, the apparatus is provided with two antivirus application layers, each comprising an antivirus engine and a virus database; that is, there are two antivirus engines, antivirus engine 1 and antivirus engine 2, and two virus databases, virus database 1 and virus database 2.

An upgrading method for an apparatus for preventing and treating computer viruses with real-time file monitoring comprises the following steps:

Step 1: copy the virus engine and virus database in the current folder to a temporary folder;

Step 2: load the virus engine and virus database from the temporary folder; the loaded engine is called Engine2 and the engine originally in use is called Engine1;

Step 3: replace the engine Engine1 used internally by the file monitor with Engine2 and release Engine1's resources; the engine and virus database in the current folder are then no longer held open, so the files can be replaced smoothly;

Step 4: upgrade by replacing the engine and virus database in the current folder;

Step 5: load the engine and virus database from the current folder; this engine is called Engine3;

Step 6: replace the engine Engine2 used internally by the file monitor with Engine3 and release Engine2's resources; the engine and virus database in the temporary folder are then no longer held open;

Step 7: delete the engine and virus database files in the temporary folder;

Step 8: the engine replacement is complete.

The beneficial effect of the present invention is that the file monitor need not be turned off, so the computer is always protected by the antivirus software and its security is assured. This approach does temporarily take a little extra space, but for today's computers the space occupied by the engine and virus database is quite small and places no burden on the computer; moreover, the replacement itself is merely a change of an internal interface pointer, which costs essentially nothing and also ensures a good user experience.

Brief Description of the Drawings

Figure 1 is a schematic diagram of a prior-art apparatus for preventing and treating computer viruses with real-time file monitoring;

Figure 2 is the basic flowchart of prior-art real-time file monitoring for file antivirus protection;

Figure 3 is a schematic diagram of the prior-art upgrading method for an apparatus for preventing and treating computer viruses with real-time file monitoring;

Figure 4 is a schematic diagram of an apparatus for preventing and treating computer viruses with real-time file monitoring according to the present invention;

Figure 5 is a schematic diagram of the upgrade process module of the apparatus of the present invention;

Figure 6 is a flowchart of the upgrading method of the upgrade process module of the apparatus of the present invention;

Figure 7 is a flowchart of the specific engine and virus database upgrade procedure of the upgrade process module of the apparatus of the present invention.

Detailed Description

As shown in Figure 4, an apparatus for preventing and treating computer viruses with real-time file monitoring comprises an application-layer part and an operating-system-kernel part. The application-layer part in turn comprises a file-system interaction processing logic module and the file-system application programming interface (API) module provided by the operating system; the kernel part comprises an antivirus file-system driver module that can intercept file operations and the actual operating system's file-system driver module. Its distinguishing feature is that when an upgrade requires the engine and virus database to be replaced, the apparatus is provided with two antivirus application layers, each comprising an antivirus engine and a virus database; that is, there are two antivirus engines, antivirus engine 1 and antivirus engine 2, and two virus databases, virus database 1 and virus database 2.

As can be seen in Figure 4, the core of the whole design is that the file-system interaction processing logic switches the antivirus engine it uses, and this is how the engine and virus database are updated.

As shown in Figure 5, the antivirus application layer further comprises an upgrade process module, which in turn comprises: an upgrade and interaction processing module, a file real-time monitoring and upgrade interaction module, a file real-time monitoring control module, a file-system interaction processing logic module and an engine encapsulation module.

The upgrade and interaction processing module: this module obtains upgrade data from the network and determines which products and files the upgrade data applies to. When it finds data and files that the real-time file monitor needs to upgrade, it passes that data to the file real-time monitoring and upgrade interaction module and asks it to release the corresponding data files so that the upgrade can proceed; after the upgrade is complete it notifies the file real-time monitoring and upgrade interaction module that the upgrade is complete, and the latter performs the subsequent processing.

The file real-time monitoring and upgrade interaction module: on receiving an upgrade from the upgrade and interaction processing module, this module determines which of several types the files to be upgraded belong to: file-monitor program files, engine and virus-database files, or other settings files. If they are engine and virus-database files, this module copies the existing engine and virus database and notifies the file real-time monitoring control module to use the engine and virus database in the temporary directory; after the upgrade and interaction processing module reports that the upgrade is complete, this module notifies the file real-time monitoring control module to reload the engine and virus database from the program folder.

The file real-time monitoring control module: this module exercises overall control of the file monitoring function and provides the following functions: starting and stopping file monitoring, notifying the engine encapsulation module to load and replace the virus database, notifying the file-system interaction processing logic to reload the real-time file monitoring settings, and notifying the engine encapsulation module to reload the antivirus settings.

The file-system interaction processing logic module: this module receives the files submitted by the file driver, performs the associated virus scanning and removal, and returns the result to the driver. The engine encapsulation module: through a specified interface it receives the files supplied by the file-system interaction processing logic module, scans them for viruses, and performs the loading and switching of the real engine.

As shown in Figure 6, an upgrading method for an apparatus for preventing and treating computer viruses with real-time file monitoring comprises the following steps:

Step 1: copy the virus engine and virus database in the current folder to a temporary folder;

Step 2: load the virus engine and virus database from the temporary folder; the loaded engine is called Engine2 and the engine originally in use is called Engine1;

Step 3: replace the engine Engine1 used internally by the file monitor with Engine2 and release Engine1's resources; the engine and virus database in the current folder are then no longer held open, so the files can be replaced smoothly;

Step 4: upgrade by replacing the engine and virus database in the current folder;

Step 5: load the engine and virus database from the current folder; this engine is called Engine3;

Step 6: replace the engine Engine2 used internally by the file monitor with Engine3 and release Engine2's resources; the engine and virus database in the temporary folder are then no longer held open;

Step 7: delete the engine and virus database files in the temporary folder;

Step 8: the engine replacement is complete.

As shown in Figure 7, the specific engine and virus database upgrade procedure is as follows:

Step 1: start operation;

Step 2: the upgrade and interaction processing module detects data related to the file monitor;

Step 3: the file real-time monitoring control module and the file-system interaction processing logic module check whether the engine and virus database need to be upgraded;

Step 4: determine whether an engine and virus database upgrade is needed; if so, go to Step 6; if not, go to Step 5;

Step 5: perform other upgrade operations; go to Step 11;

Step 6: copy the existing engine and virus database to the temporary directory;

Step 7: notify the file real-time monitoring control module to use the engine and virus database in the temporary directory, and wait for completion;

Step 8: return to the upgrade and interaction processing module and let it replace the files;

Step 9: the upgrade and interaction processing module notifies the file real-time monitoring control module that the engine and virus database upgrade is complete;

Step 10: notify the file real-time monitoring control module to use the engine and virus database in the program folder; go to Step 5;

Step 11: end operation.
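The upgrading method of Figure 6 and the module flow of Figure 7, modelled in Python as an added example (not code from the patent or its assignee): a file monitor that always holds exactly one loaded engine, the Engine1/Engine2/Engine3 swap through a temporary folder, and a check that the monitor keeps blocking at every step while a naive in-place overwrite of the live database fails. The `virus.db` file name, the one-signature-per-line format, the `_LOADED_DB_FILES` lock model and the `probe` hook are assumptions of this example.

```python
import os
import shutil
import tempfile
import threading

# Constructed sample data (not from the patent): the virus database is a text
# file "virus.db" holding one byte-pattern signature per line.
OLD_SIGNATURES = ["OLD-VIRUS-PATTERN"]
NEW_SIGNATURES = ["OLD-VIRUS-PATTERN", "NEW-WORM-PATTERN"]

# Database files held open by a loaded engine. This models the OS sharing lock
# that stops a loaded DLL/database being overwritten (assumption of the example),
# which is why the patent's method detours through a temporary folder.
_LOADED_DB_FILES: set[str] = set()

def db_path(folder: str) -> str:
    return os.path.join(folder, "virus.db")

def write_db(folder: str, signatures: list[str]) -> None:
    """Replace the database in a folder (Step 4); fails while it is held open."""
    path = db_path(folder)
    if path in _LOADED_DB_FILES:
        raise PermissionError(f"{path} is in use by a loaded engine")
    with open(path, "w", encoding="utf-8") as f:
        f.write("\n".join(signatures) + "\n")

class Engine:
    """A loaded engine: signatures in memory plus an open handle on the
    database it came from (the resource that Steps 3 and 6 release)."""
    def __init__(self, folder: str):
        self.folder = folder
        self._handle = open(db_path(folder), encoding="utf-8")
        _LOADED_DB_FILES.add(db_path(folder))
        self.signatures = [s.encode() for s in self._handle.read().split()]

    def scan(self, data: bytes) -> bool:
        return any(sig in data for sig in self.signatures)

    def release(self) -> None:
        self._handle.close()
        _LOADED_DB_FILES.discard(db_path(self.folder))

class FileMonitor:
    """The real-time file monitor. It always holds exactly one loaded engine;
    the swap is one reference assignment under a lock (the patent's 'internal
    interface pointer' change), so interception is never turned off."""
    def __init__(self, engine: Engine):
        self.engine = engine
        self._lock = threading.Lock()

    def on_file_access(self, data: bytes) -> bool:
        """Called for every intercepted file operation; True means allow."""
        with self._lock:
            engine = self.engine
        return not engine.scan(data)

    def swap_engine(self, new_engine: Engine) -> None:
        with self._lock:
            old, self.engine = self.engine, new_engine
        old.release()

def hot_upgrade(monitor: FileMonitor, current: str, new_signatures: list[str],
                probe=lambda step: None) -> None:
    """Steps 1 to 8 of the patent's upgrade method. `probe` is a hypothetical
    hook added here so the caller can check the monitor after each step."""
    temp = tempfile.mkdtemp(prefix="av-engine-")
    shutil.copy(db_path(current), db_path(temp))                # Step 1
    probe(1)
    engine2 = Engine(temp)                                      # Step 2
    probe(2)
    monitor.swap_engine(engine2)  # Step 3: Engine1 -> Engine2, release Engine1
    probe(3)
    write_db(current, new_signatures)                           # Step 4
    probe(4)
    engine3 = Engine(current)                                   # Step 5
    probe(5)
    monitor.swap_engine(engine3)  # Step 6: Engine2 -> Engine3, release Engine2
    probe(6)
    shutil.rmtree(temp)                                         # Step 7
    probe(7)                                                    # Step 8: done

def run_demo() -> dict:
    """Contrast overwriting the live database in place with the patent's method."""
    current = tempfile.mkdtemp(prefix="av-current-")
    write_db(current, OLD_SIGNATURES)
    monitor = FileMonitor(Engine(current))
    old_virus, new_virus = b"x OLD-VIRUS-PATTERN x", b"x NEW-WORM-PATTERN x"
    results = {"new_virus_blocked_before": not monitor.on_file_access(new_virus)}
    try:  # naive approach: overwrite the database the live engine holds open
        write_db(current, NEW_SIGNATURES)
        results["naive_replace_failed"] = False
    except PermissionError:
        results["naive_replace_failed"] = True
    blocked = []  # is the old virus still caught after every step?
    hot_upgrade(monitor, current, NEW_SIGNATURES,
                probe=lambda _: blocked.append(not monitor.on_file_access(old_virus)))
    results["protected_at_every_step"] = blocked == [True] * 7
    results["new_virus_blocked_after"] = not monitor.on_file_access(new_virus)
    results["only_current_db_open"] = _LOADED_DB_FILES == {db_path(current)}
    monitor.engine.release()
    shutil.rmtree(current)
    return results
```

Running `run_demo()` shows the in-place overwrite rejected, the old signature still matched after all seven steps, and the new signature matched only once Engine3 is in place.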

The specific implementations listed above are non-limiting; for those skilled in the art, various improvements and changes made without departing from the scope of the present invention all fall within its protection scope.

Claims (6)

1. An apparatus for preventing and treating computer viruses with real-time file monitoring, comprising an application-layer part and an operating-system-kernel part, the application-layer part in turn comprising a file-system interaction processing logic module and the file-system application programming interface module provided by the operating system, and the kernel part comprising an antivirus file-system driver module that can intercept file operations and the actual operating system's file-system driver module; characterised in that: when an upgrade requires the engine and virus database to be replaced, the application-layer part of the apparatus is provided with two antivirus application layers, each comprising an antivirus engine and a virus database, that is, there are two antivirus engines, antivirus engine 1 and antivirus engine 2, and two virus databases, virus database 1 and virus database 2; the antivirus application layer further comprises an upgrade process module, which in turn comprises an upgrade and interaction processing module, a file real-time monitoring and upgrade interaction module, a file real-time monitoring control module, a file-system interaction processing logic module and an engine encapsulation module; on receiving an upgrade from the upgrade and interaction processing module, the file real-time monitoring and upgrade interaction module determines which of several types the files to be upgraded belong to: file-monitor program files, engine and virus-database files, or other settings files; if they are engine and virus-database files, this module copies the existing engine and virus database and notifies the file real-time monitoring control module to use the engine and virus database in the temporary folder; after the upgrade and interaction processing module reports that the upgrade is complete, this module notifies the file real-time monitoring control module to reload the engine and virus database from the current folder.
2. The apparatus for preventing and treating computer viruses with real-time file monitoring according to claim 1, characterised in that the upgrade and interaction processing module: obtains upgrade data from the network and determines which products and files the upgrade data applies to; when it finds data and files that the real-time file monitor needs to upgrade, it passes that data to the file real-time monitoring and upgrade interaction module and asks it to release the corresponding data files so that the upgrade can proceed; after the upgrade is complete it notifies the file real-time monitoring and upgrade interaction module that the upgrade is complete, and the latter performs the subsequent processing.
3. The apparatus for preventing and treating computer viruses with real-time file monitoring according to claim 1, characterised in that the file real-time monitoring control module: exercises overall control of the file monitoring function and provides the following functions: starting and stopping file monitoring, notifying the engine encapsulation module to load and replace the virus database, notifying the file-system interaction processing logic module to reload the real-time file monitoring settings, and notifying the engine encapsulation module to reload the antivirus settings.
4. The apparatus for preventing and treating computer viruses with real-time file monitoring according to claim 1, characterised in that the file-system interaction processing logic module: receives the files submitted by the file driver, performs the associated virus scanning and removal, and returns the result to the driver.
5. The apparatus for preventing and treating computer viruses with real-time file monitoring according to claim 1, characterised in that the engine encapsulation module: through a specified interface receives the files supplied by the file-system interaction processing logic module, scans them for viruses, and performs the loading and switching of the real engine.
6. An upgrading method for an apparatus for preventing and treating computer viruses with real-time file monitoring, characterised in that it comprises the following steps: Step 1: start operation; Step 2: the upgrade and interaction processing module detects data related to the file monitor; Step 3: the file real-time monitoring control module and the file-system interaction processing logic module check whether the engine and virus database need to be upgraded; Step 4: determine whether an engine and virus database upgrade is needed; if so, go to Step 6; if not, go to Step 5; Step 5: perform other upgrade operations; go to Step 11; Step 6: copy the virus engine and virus database in the current folder to a temporary folder; Step 7: notify the file real-time monitoring control module to use the engine and virus database in the temporary folder, and wait for completion; Step 8: return to the upgrade and interaction processing module and let it replace the files, specifically: step 1): load the virus engine and virus database from the temporary folder; the loaded engine is called Engine2 and the engine originally in use is called Engine1; step 2): replace the engine Engine1 used internally by the file monitor with Engine2 and release Engine1's resources; the engine and virus database in the current folder are then no longer held open, so the files can be replaced smoothly; step 3): upgrade by replacing the engine and virus database in the current folder; step 4): load the engine and virus database from the current folder; this engine is called Engine3; step 5): replace the engine Engine2 used internally by the file monitor with Engine3 and release Engine2's resources; step 6): delete the engine and virus database files in the temporary folder; step 7): the engine replacement is complete; Step 9: the upgrade and interaction processing module notifies the file real-time monitoring control module that the engine and virus database upgrade is complete; Step 10: notify the file real-time monitoring control module to use the engine and virus database in the current folder; go to Step 5; Step 11: end operation.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200610037011 CN100485700C (en) 2006-08-11 2006-08-11 Device for preventing and treating computer virus by real-time monitoring for file and its upgrading method

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN 200610037011 CN100485700C (en) 2006-08-11 2006-08-11 Device for preventing and treating computer virus by real-time monitoring for file and its upgrading method
JP2007210542A JP4953247B2 (en) 2006-08-11 2007-08-10 Real-time computer virus infection prevention apparatus and the update process

Publications (2)

Publication Number Publication Date
CN101122934A true CN101122934A (en) 2008-02-13
CN100485700C true CN100485700C (en) 2009-05-06

Family

ID=39085267

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200610037011 CN100485700C (en) 2006-08-11 2006-08-11 Device for preventing and treating computer virus by real-time monitoring for file and its upgrading method

Country Status (2)

Country Link
JP (1) JP4953247B2 (en)
CN (1) CN100485700C (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101685486B (en) 2008-09-23 2011-12-07 联想(北京)有限公司 Multi-engine antivirus antivirus methods and systems
CN101727548B (en) 2008-10-27 2012-12-19 联想(北京)有限公司 Computer safety monitoring system and method, and comprehensive deciding device
CN101872400B (en) 2009-04-24 2012-10-17 北京中天安泰信息科技有限公司 Method for establishing computer information security protection capable of judging security of computer operation request according to associative relation of computing system operation request
US8863282B2 (en) 2009-10-15 2014-10-14 Mcafee Inc. Detecting and responding to malware using link files
CN102467620A (en) * 2010-11-08 2012-05-23 腾讯科技(深圳)有限公司 Method for displaying security state of antivirus software
CN102004877B (en) * 2010-11-19 2013-01-23 珠海市君天电子科技有限公司 Method for monitoring source of computer virus
CN102194073B (en) * 2011-06-03 2014-11-26 奇智软件(北京)有限公司 Scanning method and device of antivirus software
CN102194072B (en) * 2011-06-03 2012-11-14 奇智软件(北京)有限公司 Method, device and system used for handling computer virus
US8943595B2 (en) 2011-07-15 2015-01-27 International Business Machines Corporation Granular virus detection
CN104348660A (en) * 2013-08-08 2015-02-11 华为技术有限公司 Method and device for updating detection engine in firewall equipment
CN105184165A (en) * 2015-09-14 2015-12-23 博彦科技股份有限公司 Anti-virus process scheduling method for network attached storage system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1350230A (en) 2001-12-03 2002-05-22 复旦大学 Active virus library distribution system
CN1581088A (en) 2003-08-06 2005-02-16 华为技术有限公司 Method and device for preventing computer virus

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH07295804A (en) * 1994-04-25 1995-11-10 Sharp Corp Computer virus retrieving device
JP3381055B2 (en) * 1997-01-27 2003-02-24 裕典 若山 Intrusion prevention method of viral, and viral intrusion prevention mechanism
JP2005535003A (en) * 2001-11-19 2005-11-17 セルフ リペアリング コンピューターズ インコーポレイテッド Computer systems capable of supporting multiple independent computing environments
JP2004094723A (en) * 2002-09-02 2004-03-25 Nec Fielding Ltd Firewall use system, firewall using method, and firewall use program

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1350230A (en) 2001-12-03 2002-05-22 复旦大学 Active virus library distribution system
CN1581088A (en) 2003-08-06 2005-02-16 华为技术有限公司 Method and device for preventing computer virus

Also Published As

Publication number Publication date Type
CN101122934A (en) 2008-02-13 application
JP4953247B2 (en) 2012-06-13 grant
JP2008047123A (en) 2008-02-28 application

Similar Documents

Publication Publication Date Title
Lu et al. Blade: an attack-agnostic approach for preventing drive-by malware infections
Falliere et al. W32. stuxnet dossier
US7085934B1 (en) Method and system for limiting processor utilization by a virus scanner
US8510596B1 (en) System and methods for run time detection and correction of memory corruption
US7784098B1 (en) Snapshot and restore technique for computer system recovery
US20070056035A1 (en) Methods and systems for detection of forged computer files
US20090199297A1 (en) Thread scanning and patching to disable injected malware threats
Kolbitsch et al. Effective and Efficient Malware Detection at the End Host.
US20120255014A1 (en) System and method for below-operating system repair of related malware-infected threads and resources
Lanzi et al. K-Tracer: A System for Extracting Kernel Malware Behavior.
US20100031361A1 (en) Fixing Computer Files Infected by Virus and Other Malware
Cox et al. A safety-oriented platform for web applications
Moser et al. Exploring multiple execution paths for malware analysis
US7409719B2 (en) Computer security management, such as in a virtual machine or hardened operating system
US20090125902A1 (en) On-demand disposable virtual work system
US7571482B2 (en) Automated rootkit detector
Wang et al. Detecting stealth software with strider ghostbuster
US7802300B1 (en) Method and apparatus for detecting and removing kernel rootkits
US20110083176A1 (en) Asynchronous processing of events for malware detection
US20100037317A1 (en) Mehtod and system for security monitoring of the interface between a browser and an external browser module
US7640586B1 (en) Reducing HTTP malware scanner latency using HTTP range queries for random access
US20080127114A1 (en) Framework for stealth dynamic coarse and fine-grained malware analysis
US20070150956A1 (en) Real time lockdown
Srinivasan et al. Process out-grafting: an efficient out-of-vm approach for fine-grained process execution monitoring
US20120266243A1 (en) Emulation for malware detection

Legal Events

Date Code Title Description
C06 Publication
C10 Request of examination as to substance
C14 Granted
C56 Change in the name or address of the patentee

Owner name: ZHUHAI KING SOFT CO.,LTD.

Free format text: FORMER NAME: ZHUHAI JINSHAN SOFTWARE CO. LTD.

C41 Transfer of the right of patent application or the patent right
ASS Succession or assignment of patent right

Owner name: KINGSOFT CORPORATION LIMITED

Free format text: FORMER OWNER: ZHUHAI KINGSOFT SOFTWARE CO., LTD.

Effective date: 20140904

COR Bibliographic change or correction in the description

Free format text: CORRECT: ADDRESS; FROM: 519015 ZHUHAI, GUANGDONG PROVINCE TO: 100085 HAIDIAN, BEIJING

LICC Enforcement, change and cancellation of record of contracts on the license for exploitation of a patent