CN100524211C - Update system and method for updating a scanning subsystem in a mobile communication framework - Google Patents

Info

Publication number: CN100524211C
Authority: CN (China)
Prior art keywords: renewal, mobile communication, scanning subsystem, communication equipment, scanning
Legal status: Expired - Fee Related
Application number: CNB2004800169936A
Other languages: Chinese (zh)
Other versions: CN1981263A (en)
Inventors: 维克托·古内索夫, 达维德·利本齐, 迈克尔·C·帕克, 浦川安孝, 石井宪司, 藤田正德
Current Assignee: Mike Non Ltd., NTT Docomo Inc
Original Assignee: NTT Docomo Inc, McAfee LLC

Abstract

A system, method and computer program product are provided for efficiently updating a scanning subsystem of a mobile communication device. Initially received is a first portion of an update adapted for updating a scanning subsystem of a mobile communication device. Further, more portions of the update are received in addition to the receipt of the first portion of the update. The update is then installed with the scanning subsystem.

Description

Update system and method for updating a scanning subsystem in a mobile communication framework
Technical field
The present invention relates to the security of mobile communication devices and, more particularly, to scanning mobile communication devices to detect malware.
Background art
Over the past decade, the number and use of mobile cellular telephones has grown rapidly. More recently, wireless devices have been introduced that combine the functionality of mobile telephones and personal digital assistants (PDAs). It is expected that this field will undergo massive growth in the near future as new cellular telecommunication standards (for example GPRS, UMTS and WAP) make high-speed data transfer across the wireless interface possible.
It can be expected that wireless communication platforms will be susceptible to attack from so-called malware such as viruses, Trojan horses and worms (referred to collectively hereinafter as 'viruses'), and from other unwanted/harmful content, in much the same way as personal computers and workstations are today. A number of mobile telephone viruses have in fact already been identified.
To resist virus attacks, anti-virus software must be deployed on mobile platforms in much the same way as it has been deployed in the desktop PC environment. A number of different desktop anti-virus applications are currently available. The majority of these applications rely on a basic scanning engine which searches suspect files for the presence of predetermined virus signatures. These signatures are held in a database which must be updated frequently to reflect the most recently identified viruses.
Typically, users download replacement databases at intervals, either over the Internet, from a received e-mail, or from a CD or floppy disk. Users also need to update their software engines from time to time in order to take advantage of the latest virus detection techniques when a new type of virus is discovered.
Mobile wireless platforms present a series of problems for software developers (including developers of anti-virus software). Chief among these are the limited memory and processing power of mobile platforms, and their limited input/output capabilities (for example, no CD or floppy drive, and no high-bandwidth fixed-line network or Internet connection). Unfortunately, these drawbacks make any updating of mobile communication devices difficult.
Summary of the invention
The invention provides a system, method and computer program product for efficiently updating a scanning subsystem of a mobile communication device. Initially received is a first portion of an update adapted for updating the scanning subsystem of a mobile communication device. Further portions of the update are then received in addition to the first portion. The update is then installed with the scanning subsystem.
In one embodiment, it may be determined whether the update has integrity. Accordingly, the update may be conditionally installed with the scanning subsystem, based on the integrity of the update.
As an option, the integrity of the update may be determined using a signature. The signature may be received with one of the portions of the update (for example, the last portion). The signature may then be compared against another signature generated using each of the portions of the update.
To accommodate the limited bandwidth inherent in mobile communication frameworks, the portions of the update may be minimized. In addition, portions of the update may be compressed.
In use, it may be determined whether the first portion is empty. The other portions of the update may then be conditionally received based on whether the first portion is empty. Again, this feature helps address the limited bandwidth inherent in mobile communication frameworks.
As an option, scanning by the scanning subsystem may be paused while the update is received. Scanning may then resume once the update has been installed with the scanning subsystem.
In another embodiment, the format of each portion of the update may be designed to accommodate the limited bandwidth inherent in mobile communication frameworks. For example, each portion of the update may include a header. The header may indicate an identifier of the associated portion of the update, the length of the associated portion of the update, and so on.
In yet another embodiment, the update may be requested by the mobile communication device. The request may be made by the mobile communication device using a request data structure. This data structure may optionally include several variables, for example a uniform resource locator (URL) variable, a mobile communication identifier variable, an application program interface version variable, a detection logic variable, a signature version variable, and/or a portion number variable.
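The update flow described in the summary above (portions that each carry an identifier-and-length header, an empty first portion meaning there is nothing more to fetch, a signature carried in the last portion, and installation only if that signature matches one generated from the received portions), as an added example that is not code from the patent or from any product. The 4-byte header layout, the upd_* names and the sample payloads are assumptions, and FNV-1a stands in for the signature algorithm, which the page does not specify; a deployment would verify a cryptographic signature against a trusted key.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed wire layout of one update portion (hypothetical, not from the page):
 *   byte 0 part identifier from 1 | byte 1 flags, bit 0 = last portion
 *   bytes 2-3 payload length, big-endian | bytes 4.. payload
 * The last portion's payload is the 8-byte signature over all earlier payloads. */
#define UPD_HDR_LEN 4
#define UPD_LAST    0x01
#define UPD_SIG_LEN 8
#define UPD_MAX     4096
#define SIG_INIT    0xcbf29ce484222325ULL

enum upd_status { UPD_MORE, UPD_NONE, UPD_INSTALLED, UPD_REJECTED };

struct updater {
    uint8_t  staged[UPD_MAX];     /* portions accumulate here, away from live data */
    size_t   staged_len;
    uint8_t  installed[UPD_MAX];  /* stands in for the live signature database */
    size_t   installed_len;
    uint8_t  next_id;             /* part identifier expected next */
    uint64_t sig;                 /* value generated from the portions received so far */
};

/* FNV-1a: a non-cryptographic stand-in for the unspecified signature algorithm. */
static uint64_t sig_update(uint64_t h, const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

void upd_init(struct updater *u)
{
    memset(u, 0, sizeof *u);
    u->next_id = 1;
    u->sig = SIG_INIT;
}

/* Feed one received portion. After UPD_REJECTED the caller restarts with upd_init(). */
enum upd_status upd_receive(struct updater *u, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < UPD_HDR_LEN) return UPD_REJECTED;
    size_t len = ((size_t)msg[2] << 8) | msg[3];
    const uint8_t *payload = msg + UPD_HDR_LEN;
    /* The header's length must equal what actually arrived, and parts must be in order. */
    if (len != msg_len - UPD_HDR_LEN || msg[0] != u->next_id) return UPD_REJECTED;
    /* Empty first portion: nothing to fetch. An empty later portion is malformed. */
    if (len == 0) return u->staged_len == 0 ? UPD_NONE : UPD_REJECTED;
    if (msg[1] & UPD_LAST) {
        uint64_t got = 0;
        if (len != UPD_SIG_LEN || u->staged_len == 0) return UPD_REJECTED;
        for (size_t i = 0; i < UPD_SIG_LEN; i++) got = (got << 8) | payload[i];
        if (got != u->sig) return UPD_REJECTED;   /* integrity check failed: keep old data */
        memcpy(u->installed, u->staged, u->staged_len);
        u->installed_len = u->staged_len;
        return UPD_INSTALLED;
    }
    if (len > UPD_MAX - u->staged_len) return UPD_REJECTED;   /* staging buffer bound */
    memcpy(u->staged + u->staged_len, payload, len);
    u->staged_len += len;
    u->sig = sig_update(u->sig, payload, len);
    u->next_id++;
    return UPD_MORE;
}

/* Builds one portion for the constructed sample below; returns its length on the wire. */
static size_t make_portion(uint8_t *out, uint8_t id, uint8_t flags, const uint8_t *p, size_t len)
{
    out[0] = id; out[1] = flags;
    out[2] = (uint8_t)(len >> 8); out[3] = (uint8_t)len;
    memcpy(out + UPD_HDR_LEN, p, len);
    return UPD_HDR_LEN + len;
}

/* Delivers a constructed three-portion update; tamper != 0 flips one bit of portion 2
 * in transit. Returns the status of the final (signature) portion. */
enum upd_status run_sample(struct updater *u, int tamper)
{
    const uint8_t p1[] = "SIG-DB-DELTA-", p2[] = "0042";   /* constructed payloads */
    uint8_t msg[64], sigbytes[UPD_SIG_LEN];
    uint64_t s = sig_update(sig_update(SIG_INIT, p1, sizeof p1 - 1), p2, sizeof p2 - 1);
    for (int i = 0; i < UPD_SIG_LEN; i++) sigbytes[i] = (uint8_t)(s >> (56 - 8 * i));
    upd_init(u);
    size_t n = make_portion(msg, 1, 0, p1, sizeof p1 - 1);
    if (upd_receive(u, msg, n) != UPD_MORE) return UPD_REJECTED;
    n = make_portion(msg, 2, 0, p2, sizeof p2 - 1);
    if (tamper) msg[UPD_HDR_LEN] ^= 0x01;
    if (upd_receive(u, msg, n) != UPD_MORE) return UPD_REJECTED;
    n = make_portion(msg, 3, UPD_LAST, sigbytes, UPD_SIG_LEN);
    return upd_receive(u, msg, n);
}

int main(void)
{
    static struct updater u;
    return run_sample(&u, 0) == UPD_INSTALLED && run_sample(&u, 1) == UPD_REJECTED ? 0 : 1;
}
```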
Brief description of the drawings
Fig. 1 illustrates a mobile communication framework, in accordance with one embodiment;
Fig. 2 illustrates a mobile communication framework, in accordance with another embodiment;
Fig. 3 illustrates an architecture associated with a mobile communication device, in accordance with one embodiment;
Fig. 4 shows a system for accessing security or content analysis functionality utilizing a mobile communication device, in accordance with one embodiment;
Fig. 5 shows a framework for accessing security or content analysis functionality utilizing a mobile communication device, in accordance with an application server embodiment of the system of Fig. 4;
Fig. 6 shows a framework for accessing security or content analysis functionality utilizing a mobile communication device, in accordance with a re-entrant library embodiment of the system of Fig. 4;
Fig. 7 shows an on-demand scanning system implemented in the context of the system of Fig. 4;
Fig. 8 illustrates a hierarchy of various components of an application program interface (API) which may be used to provide an interface between mobile application programs and a scanning subsystem, in accordance with one embodiment;
Fig. 9 illustrates an exemplary library interface initialization;
Fig. 10 illustrates an exemplary format of the error code functionality, in accordance with one embodiment;
Fig. 11 illustrates a scanning subsystem API call sequence, in accordance with one embodiment;
Fig. 12 illustrates an exemplary configuration API call sequence, in accordance with one embodiment;
Fig. 13 illustrates various exemplary scan data types which application programs are capable of communicating to the scanning subsystem via an API;
Fig. 14 shows a bit-field variable containing malware severity flags and application program behavior levels, in accordance with one exemplary embodiment;
Fig. 15 illustrates a chart setting forth the manner in which the timing of scanning by the scanning subsystem varies as a function of the data types identified via the variables of Fig. 13;
Fig. 16 illustrates an exemplary flow describing the manner in which the update is initiated by a user interface, in accordance with one embodiment;
Fig. 17 illustrates a method for efficiently updating a scanning subsystem of a mobile communication device, in accordance with one embodiment.
Detailed description
Fig. 1 illustrates a mobile communication framework 100, in accordance with one embodiment. As shown, the framework includes a mobile communication device 102 and a back-end server 104 capable of communicating via a wireless network. In the context of the present description, the mobile communication device 102 may include, but is not limited to, a cellular telephone, a wireless personal digital assistant (PDA), a wireless Palm Pilot, a wireless laptop computer, or any other mobile device capable of communicating via a wireless network.
In one embodiment, the mobile communication device 102 may be equipped with a scanning subsystem 105. The scanning subsystem 105 may include any subsystem capable of scanning data that is either stored on the mobile communication device 102 or in communication therewith. Of course, such scanning may be on-access scanning, on-demand scanning, or any other type of scanning. Moreover, the scanning may involve the content (i.e. text, pictures, etc.) represented by the aforementioned data, general security-type scanning for malware, etc.
With continuing reference to Fig. 1, the mobile communication device 102 may be further equipped with a display 106 capable of depicting a plurality of graphical user interfaces 108 adapted for managing various functionality, including the aforementioned scanning functionality.
In use, the display 106 of the mobile communication device 102 is used to display data on a network (i.e. the Internet, etc.). See operation 1. In the present course of use, the user may use the display 106 to browse various data on the network, specifically by selecting a link or anchor to retrieve the data from the network via the back-end server 104. See operation 2. Next, in operation 3, the scanning subsystem 105 is called to scan the retrieved data.
In the present instance, the scanning subsystem 105 is shown to have located malware in association with the retrieved data in operation 4. At this point, the user is provided with an option via the display 106 to either halt the retrieval and/or use/access the data regardless of the identified malware, as shown in operation 5. Based on the decision in operation 5, the user may or may not become the subject of an 'attack', as shown in operation 6.
Fig. 2 illustrates a mobile communication framework 200, in accordance with another embodiment. The present mobile communication framework 200 is similar to the mobile communication framework 100 of Fig. 1, with the exception of the manner in which the mobile communication device reacts to the identification of malware in retrieved data.
Specifically, the user is provided with only one option in operation 5. That is, the user is capable only of closing any dialogue associated with the data found to contain malware.
Fig. 3 illustrates an architecture 300 associated with a mobile communication device, in accordance with one embodiment. The present architecture 300 may be incorporated into the mobile communication devices of Figs. 1 and 2. Of course, the architecture 300 may be implemented in any desired context.
As shown, the present architecture 300 may include a plurality of mobile application programs 302. In the context of the present description, the mobile application programs 302 may include any application program, software, etc. installed on a mobile communication device for carrying out various tasks. It should be further noted that such application programs 302 may also be implemented in firmware, hardware, etc. per the desires of the user.
In another embodiment, the application programs 302 may include, but are not limited to, a mail application program, whose tasks include managing electronic mail. Further, the application programs may include a browser application program, whose tasks include browsing a network. Still yet, the application programs may include a phone book application program, whose tasks include managing a plurality of telephone numbers. As an option, the application programs may include a message application program, whose tasks include communicating messages. It should be noted that any type of application program may be included. For example, a Java application program or the like may be included.
With continuing reference to Fig. 3, a scanning subsystem 304 communicates with the application programs 302 via a first application program interface (API) 306 and a first library 308 associated with the scanning subsystem 304. More information regarding optional exemplary details relating to the first application program interface 306 and the first library 308 is set forth below in the discussion of Figs. 4-12.
As an option, the application programs 302 may communicate information to the scanning subsystem 304 to facilitate the scanning by the scanning subsystem 304. Such information may relate to the type of data to be scanned and the timing associated with such scanning. More exemplary information regarding the way in which the scanning subsystem 304 interacts with the application programs 302 in this manner is set forth in the discussion of Figs. 13-15.
As shown in Fig. 3, the first library 308 may include an update manager 310, a configuration manager 312, and a signature database 314. In use, the update manager 310 may manage the process by which the signature database 314 is updated with the latest signatures for scanning purposes. In one embodiment, the update process may be streamlined to accommodate the limited bandwidth inherent in mobile communication frameworks. More exemplary information regarding this update process is set forth in the discussion of Figs. 16-17.
Further provided as a component of the architecture 300 of Fig. 3 is an operating system 316 installed on the mobile communication device and adapted for executing the application programs 302. In one embodiment, the scanning subsystem 304 may be platform-independent, and thus be capable of being implemented on any operating system/mobile communication device combination.
To accommodate this feature, a second application program interface 318 and a second library 320 are provided, which are capable of supporting various functionality such as system/library initialization 322, error functions 336, memory allocation 334, input/output (I/O) 328, data authentication 332, synchronization 330, hypertext transfer protocol 326, device information 324, debugging 338, and other functionality (i.e. shared memory, system time, etc.). In one embodiment, the second application program interface 318 may be platform-independent, similar to the scanning subsystem 304. More information regarding optional exemplary details relating to the second application program interface 318 and the second library 320 is set forth in Appendix A.
Fig. 4 shows a system 400 for accessing security or content analysis functionality utilizing a mobile communication device, in accordance with one embodiment. In one example, the present system 400 may be implemented in the context of the application programs, scanning subsystem, and operating system of the architecture 300 of Fig. 3. It should be noted, however, that the present system 400 may be implemented in any desired context.
As shown, included is an operating system 402 installed on a mobile communication device capable of communicating via a wireless network. Further provided is an application program 404 installed on the mobile communication device and executed utilizing the operating system 402 for performing various tasks.
A scanning subsystem 406 remains in communication with the application program 404 via an application program interface and an associated library (see the first application program interface 306 and the first library 308 of Fig. 3). The scanning subsystem 406 is adapted for accessing security or content analysis functionality in conjunction with the tasks performed by the application program 404. In one embodiment, the security or content analysis is security analysis. In another embodiment, the security or content analysis is content analysis. Still yet, the security or content analysis may include on-demand virus scanning and/or on-access virus scanning.
In use, the security or content analysis functionality may be applied to application data associated with the tasks performed by the application program 404. In the context of the present description, the application data may include any data input, processed, output, or otherwise associated with the tasks carried out by the application program 404.
By tightly coupling the scanning subsystem 406 and the application program 404 via the application program interface, overhead and code redundancy are reduced. More exemplary information regarding this application program interface and the associated library is set forth in the discussion of the following figures.
Fig. 5 shows a framework 500 for accessing security or content analysis functionality utilizing a mobile communication device, in accordance with an application server embodiment of the system 400 of Fig. 4. It should be noted that the present framework 500 may be implemented in any desired context.
As shown, the scanning subsystem may include a scanning program 502 that communicates with the application program 504 via the application program interface 506 and an associated protocol (for example the uITRON messaging system). The application program interface 506 may involve a first component 508 associated with the scanning program 502 and a second component 510 associated with the application program 504, as set forth in greater detail hereinafter.
Various calls 512 provided with the application program interface 506 may include an open call, a data call, and a close call. In use, the scanning program 502 may scan application data 516 associated with the tasks performed by the application program 504.
Fig. 6 shows a framework 600 for accessing security or content analysis functionality utilizing a mobile communication device, in accordance with a re-entrant library embodiment of the system 400 of Fig. 4. It should be noted that the present framework 600 may be implemented in any desired context.
As shown, the scanning subsystem may include a re-entrant library 602. In use, the scanning subsystem re-entrant library 602 may be linked to an application program 604 at run-time. Thus, an application program interface 606 may be populated into each of a plurality of application programs 604.
Similar to the previous framework 500 of Fig. 5, the application program interface 606 may involve various calls 612, including an open call, a data call, and a close call. In use, the re-entrant library 602 may be used to scan application data 616 associated with the tasks performed by the application program 604.
Fig. 7 shows an on-demand scanning system 700 implemented in the context of the system 400 of Fig. 4. It should be noted that the present system 700 may be implemented in any desired context.
On-demand scanning scans stored application data 702 for malicious content or code, which is removed upon detection. The user may initiate on-demand scanning via a user interface 703. Moreover, each application program 704 may call a scanning subsystem 706 to perform scanning of objects stored in the corresponding memory.
On the other hand, on-demand scanning provides identification of malicious code or content before the application program 704 processes or renders the application data 702. The on-demand scanning is transparent to the user until the scanning subsystem 706 detects malicious application data 702.
Fig. 8 illustrates a hierarchy of various components of an application program interface 800 which may be used to provide an interface between mobile application programs and a scanning subsystem, in accordance with one embodiment. As an option, the present application program interface 800 may be implemented in the context of the system 400 of Fig. 4. It should be noted, however, that the present application program interface 800 may be implemented in any desired context.
As shown in Fig. 8, the application program interface functions include MDoScanOpen() 802, MDoScanClose() 804, MDoScanVersion() 806, and MDoScanData() 808. MDoScanOpen() 802 and MDoScanClose() 804 are used to create/open and close a scanning subsystem object instance. MDoScanVersion() 806 provides scanning subsystem and signature pattern data version information. MDoScanData() 808 performs content/data scanning and reporting. Also included in the scanning application program interface is MDoScanUpdate() 810, which provides malware signature database and detection logic updates. When MDoScanUpdate() 810 is called by an update application, the library connects to a remote back-end server (see, for example, Fig. 1) and downloads the latest files (for example mdo.sdb and mdo.pd).
Scanning subsystem configuration is performed using MDoConfigOpen() 812, MDoConfigClose() 814, MDoConfigGet() 816, and MDoConfigSet() 818. Once a configuration handle is obtained by calling the present application program interface 800, the calling application program uses the get and set configuration API to query and set the scanning subsystem configuration variables.
Also included in the present application program interface 800 is an error retrieval function named MDoGetLastError() 820. This function is used to retrieve information about the last error that occurred.
Before any API call is made, preferably at boot time, MDoSystemInit() 825 is called to initialize the library environment settings. The library keeps configuration settings, malicious code detection logic (such as mdo.pd) and the signature database (such as mdo.sdb), and internal variables (such as synchronization objects, etc.) at fixed persistent storage locations.
MDoLibraryOpen() 830 and MDoLibraryClose() 840 are used to initialize the library. An application program may call MDoLibraryOpen() 830 before any other API call is made, and the application program may call MDoLibraryClose() 840 before terminating.
The application program interface 800 may thus be capable of supporting various functionality, such as system environment initialization, version status information retrieval, updating the scanning subsystem, scanning, configuring the scanning subsystem, etc., using various application program interface components. More information regarding the foregoing functionality in the context of the application program interface 800 is set forth below.
System initialization
MDoSystemInit() 825 performs validation and environment initialization for data kept at specific persistent storage locations. A malicious code/content signature pattern database (i.e. mdo.sdb), detection logic (i.e. mdo.pd), configuration settings, and synchronization objects may be stored at these locations. MDoSystemInit() 825 may be called once (i.e. at boot time) before any of the API functions are executed.
Table #1 sets forth exemplary information regarding MDoSystemInit() 825.
Table #1
MDoSystemInit
Description
Verifies and initializes the system environment information
Prototype
int MDoSystemInit(void);
Parameters
None
Return value
0 if successful, a non-zero error code otherwise.
Library interface API
The application program interface 800 includes a plurality of library interface components. The API interface instantiation may be accomplished using MDoLibraryOpen() 830. The instantiated library interface handle obtained using this function may be used for subsequent API calls. Before the application program terminates, MDoLibraryClose() 840 may be called to release the handle. Fig. 9 illustrates an exemplary library interface initialization 900 utilizing MDoLibraryOpen() 830 and MDoLibraryClose() 840.
Table #2 sets forth exemplary information regarding MDoLibraryOpen() 830.
Table #2
MDoLibraryOpen
Description
Initializes and returns an API library interface handle
Prototype
MDOLIB_HANDLE MDoLibraryOpen(void);
Parameters
None
Return value
Library interface handle if successful,
INVALID_MDOLIB_HANDLE otherwise.
See also
MDoLibraryClose()
Table #3 sets forth exemplary information regarding MDoLibraryClose() 840.
Table #3
MDoLibraryClose
Description
Releases the system resource associated with an API library handle returned by the MDoLibraryClose() function
Prototype
void MDoLibraryClose(MDOLIB_HANDLE hLib);
Parameters
hLib
[in] library handle returned by MDoLibraryOpen
Return value
None
See also
MDoLibraryOpen()
Error retrieval
Once the library has been successfully initialized and instantiated by MDoLibraryOpen() 830, MDoGetLastError() 820 provides the application program with information about the last error that occurred.
Table #4 sets forth exemplary information regarding MDoGetLastError() 820.
Table #4
MDoGetLastError
Description
Returns the last-error value of the specified library instance
Prototype
MDoErrorCode MDoGetLastError(MDOLIB_HANDLE hLib);
Parameters
hLib
[in] library handle returned by MDoLibraryOpen
Return value
The MDoErrorCode data type may be defined as a 32-bit unsigned integer which contains both a component code and an error code. Often, the error information retrieved may be set at the platform abstraction API layer. For this reason, the MDoErrorCode format given herein is similar to the AlErrorCode format defined by the abstraction layer API (see Appendix A). Fig. 10 illustrates an exemplary format 1000 of MDoErrorCode, in accordance with one embodiment.
Table #5 sets forth exemplary information regarding MDoGetLastError() 820.
Table #5
MDoErrorCode is defined as:
typedef unsigned long MDoErrorCode;
See also
MDoLibraryOpen(), MDoScanOpen(), MDoScanData(),
MDoScanUpdate()
Exemplary computer code #1 illustrates a sample library calling sequence with a call to MDoGetLastError() 820.
Computer code #1
Figure C200480016993D00141
Error codes
An error code reported by MDoGetLastError 820 includes two parts: a component code and an error code. See Appendix A for more information. Table #6 lists exemplary error codes and the corresponding component codes. MDoGetLastError 820 also returns error codes set at the abstract library layer. It should be noted that the following list is for illustrative purposes only and should not be construed as limiting in any manner.
Table #6
Figure C200480016993D00161
Scanning subsystem API
The application program interface 800 includes a plurality of scanning subsystem components. The scanning subsystem API components provide data/content scanning and signature update service. Included are MDoScanOpen() 802, MDoScanClose() 804, MDoScanVersion() 806, MDoScanUpdate() 810, and MDoScanData() 808. MDoScanOpen() 802 is used for scanning subsystem object instantiation. MDoScanVersion() 806 provides scanning subsystem and signature database version information. MDoScanUpdate() 810 performs the signature database update. MDoScanData() 808 performs malicious code/content data scanning. Fig. 11 illustrates a scanning subsystem API call sequence 1100, in accordance with one embodiment.
MDoScanOpen
Table #7 sets forth exemplary information regarding MDoScanOpen() 802.
Table #7
Description
Returns a scanning subsystem instance handle
Prototype
MDOSCAN_HANDLE MDoScanOpen(MDOLIB_HANDLE hLib);
Parameters
hLib
[in] library handle obtained using the MDoLibraryOpen() function
Return value
Scanning subsystem instance handle if successful.
INVALID_MDOSCAN_HANDLE on error.
See also
MDoScanClose(), MDoScanData(), MDoScanUpdate(),
MDoLibraryOpen()
MDoScanClose
Table #8 sets forth exemplary information regarding MDoScanClose() 804.
Table #8
Description
Releases the scanning subsystem instance and associated system resource
Prototype
void MDoScanClose(MDOSCAN_HANDLE hScan);
Parameters
hScan
[in] scanning subsystem handle obtained using the MDoScanOpen() function
Return value
None
See also
MDoScanOpen(), MDoScanData(), MDoScanUpdate()
MDoScanVersion
Table #9 sets forth exemplary information regarding MDoScanVersion() 806.
Table #9
Description
Obtains scanning subsystem and signature version information from a scanner handle returned by the MDoScanOpen() function
Prototype
int MDoScanVersion(MDOSCAN_HANDLE hScan,
                   SVerInfo* pVersion);
Parameters
hScan
[in] scanning subsystem handle obtained using the MDoScanOpen() function
pVersion
[out] pointer to a structure containing the version information
Return value
0 if successful, -1 otherwise.
See also
MDoScanOpen(), MDoScanClose(), MDoScanData(),
MDoScanUpdate()
Exemplary computer code #2 illustrates a sample version information structure.
Computer code #2
Figure C200480016993D00191
The mobile communication equipment identification string of being reported by MdoScanVersion () 806 is (referring to the annex A) that sets by by the use recognition of devices character string that AlDevGetInfo returned.
MDoScanData
Table #10 illustrates exemplary information regarding MDoScanData() 808.
Table #10
Description
MDoScanData is called from an application program to scan a specific data type. The calling application program specifies the scan action, the scan target data type, a set of I/O functions for accessing the data to be scanned, and an optional callback function. The result of the data scan is returned in a data structure provided by the caller. MDoScanData is re-entrant.
Prototype
int MDoScanData(MDOSCAN_HANDLE hScan,
                SScanParam* pParam,
                SScanResult* pResult);
Parameters
hScan
[in] Scanning subsystem handle obtained from a call to the MDoScanOpen() function.
pParam
[in] Pointer to a structure that contains the data scan parameters.
pResult
[out] Pointer to a structure that contains the data scan results.
Return value
0 if successful; otherwise -1, and the error code is set.
See also
MDoScanOpen(), MDoScanClose(), MDoScanVersion(),
MDoScanUpdate()
MDoScanUpdate
Table #11 illustrates exemplary information regarding MDoScanUpdate() 810.
Table #11
Description
Performs the update of the malicious code/content signature pattern database (mdo.sdb) and the detection logic (mdo.pd).
Prototype
int MDoScanUpdate(MDOSCAN_HANDLE hScan,
                  SUpdateParam* pParam);
Parameters
hScan
[in] Scan handle obtained using the MDoScanOpen() function.
pParam
[in] Pointer to an update parameter structure that contains a callback function pointer used for update cancellation/abort and for progress status updates.
Exemplary computer code #3 illustrates the manner in which the update parameter structure is defined.
Computer code #3
Figure C200480016993D00211
The calling application program may set the function pointer, and the data to be passed to the function, when calling the function. Note Table #12.
Table #12
Callback reason (iReason) | Description
MDO_UCB_STATUS | Callback is made to report the update status. pParam points to the SStatus structure. SStatus.iCurrent contains the amount of data received, and iTotal reports the total update data size in bytes.
MDO_UCB_CANCEL | Callback is made to see whether update cancellation is set. pParam points to NULL.
Configuration API
The application program interface 800 includes a plurality of configuration components. Included is a set of functions used to retrieve and specify the scanning subsystem settings. One goal of these functions is to provide the application program and the scanning subsystem with centralized runtime configuration access. The configuration data is stored in non-volatile persistent data storage (e.g. flash memory, etc.).
Figure 12 illustrates an exemplary configuration API call sequence 1200, in accordance with one embodiment. As shown, MDoConfigOpen() 830 returns a handle to be passed to the configuration retrieval and specification functions. MDoConfigClose() 814 is used to release and close the configuration handle returned by MDoConfigOpen() 812. MDoConfigSet() 818 sets a specified configuration variable to a specified value, and MDoConfigGet() 816 returns the configuration value for a specified variable. Configuration variable settings modified by MDoConfSet() 818 are not necessarily saved to permanent storage until MDoConfigClose() 814 is called.
When accessing and/or specifying a variable value, the application program may call configuration open, get or set, and immediately follow with the close function.
The configuration variables and values specified/retrieved using the configuration components of the application program interface 800 may be represented as null-character ('\0') terminated, 8-bit character strings. Table #13 lists the available configuration variables.
Table #13
Figure C200480016993D00221
Figure C200480016993D00231
MDoConfigOpen
Table #14 illustrates exemplary information regarding MDoConfigOpen() 812.
Table #14
Description
Returns a handle to a configuration setting, to be passed to subsequent calls to MDoConfigGet() and MDoConfigSet().
Prototype
MDOCONFIG_HANDLE MDoConfigOpen(MDOLIB_HANDLE hLib);
Parameters
hLib
[in] Library handle obtained using the MDoLibraryOpen() function.
Return value
The configuration handle if successful.
INVALID_MDOCONFIG_HANDLE on error.
See also
MDoConfigClose(), MDoConfigSet(), MDoConfigGet()
MDoConfigClose
Table #15 illustrates exemplary information regarding MDoConfigClose() 814.
Table #15
Description
Releases system resources and closes the configuration handle.
Prototype
void MDoConfigClose(MDOCONFIG_HANDLE hConfig);
Parameters
hConfig
[in] Configuration handle returned by the MDoConfigOpen() function.
Return value
None
See also
MDoConfigOpen(), MDoConfigSet(), MDoConfigGet()
MDoConfigGet
Table #16 illustrates exemplary information regarding MDoConfigGet() 816.
Table #16
Description
Obtains the configuration value for the specified configuration variable.
Prototype
int MDoConfigGet(MDOCONFIG_HANDLE hConfig,
                 char const* pszName,
                 char* pBuffer,
                 unsigned int uSize);
Parameters
hConfig
[in] Configuration handle returned by the MDoConfigOpen() function.
pszName
[in] NULL-terminated configuration variable name.
pBuffer
[out] NULL-terminated configuration setting/value for the specified variable.
uSize
[in] Length of pBuffer in bytes.
Return value
0 if successful, -1 otherwise.
See also
MDoConfigOpen(), MDoConfigClose(), MDoConfigSet()
MDoConfigSet
Table #17 illustrates exemplary information regarding MDoConfigSet() 818.
Table #17
Description
Sets a value for the specified configuration variable.
Prototype
int MDoConfigSet(MDOCONFIG_HANDLE hConfig,
                 char const* pszName,
                 char const* pszValue);
Parameters
hConfig
[in] Configuration handle returned by the MDoConfigOpen() function.
pszName
[in] NULL-terminated configuration variable name.
pszValue
[in] NULL-terminated new configuration setting/value for the specified variable.
Return value
0 if successful, -1 otherwise.
See also
MDoConfigOpen(), MDoConfigClose(), MDoConfigGet()
Application program/scanning subsystem communication to facilitate scanning
As mentioned earlier, the application programs may communicate information to the scanning subsystem to facilitate the scanning performed by the scanning subsystem. This communication may be facilitated via the API described above. The foregoing information may relate to the type of data to be scanned and the timing associated with such scanning. More description of the manner in which the above API accomplishes this is set forth below.
Scan parameters (SScanParam)
The calling application program may supply the scanning subsystem with scan parameters using the SScanParam structure. The information contained in the scan parameters provides the scanning subsystem with:
1) the scanning subsystem action type (e.g. iAction),
2) the scan data type (e.g. the type of application data to be scanned: iDataType),
3) a data pointer to the scan target (e.g. pPrivate),
4) a function to obtain the data size in bytes (e.g. pfGetSize),
5) a function to resize the scan data (e.g. pfSetSize),
6) a function used by the scanning subsystem to obtain a block of scan data (e.g. pfRead),
7) a function used to write to the scan data (e.g. pfWrite), and
8) a callback function for scanning subsystem status/progress reporting (e.g. pfCallBack).
Exemplary computer code #4 illustrates a data scan parameter structure.
Computer code #4
Figure C200480016993D00261
Scan action (iAction)
The scan action specifies the type of scanning to be performed on the supplied application data. Table #18 illustrates various exemplary scan actions.
Table #18
Scan action ID | Description
MDO_SA_SCAN_ONLY | The scanning subsystem performs scanning and reports the malicious code found. No repair is performed.
MDO_SA_SCAN_REPAIR | After scanning is performed, the object containing malicious code is repaired.
Scan data type (iDataType)
The calling application program may use this variable to inform the scanning subsystem of the application data type and format.
Figure 13 illustrates various exemplary application data types 1300 which the application programs are capable of communicating to the scanning subsystem via the API. The url-string format may conform to the Uniform Resource Locators (RFC 1738) specification. The email-string format may conform to the Internet e-mail address format (RFC 822) specification. The default domain may be set to any desired domain. In addition, the phone-number string may include the numeric characters '0' through '9', and the '#' and '*' characters.
Scan data pointer/handle (pPrivate)
A pointer (or handle) to an application scan object may further be provided. The scanning subsystem does not necessarily perform direct memory I/O using this data pointer/handle. The data pointer/handle is passed back to the caller to perform reads/writes using the I/O functions specified by the caller.
Scan data size (pfGetSize)
The present function is used by the scanning subsystem to obtain the size (in bytes) of the scan target data from the calling application program.
Scan data resize (pfSetSize)
This function is used by the scanning subsystem to request the calling application program to resize the application data being repaired/cleaned to a given size (in bytes). This function may be used in conjunction with the scan-and-repair/delete option.
Scan data read function (pfRead)
The instant function may be used by the scanning subsystem to read a specified amount of application data from the calling application program.
Scan data write function (pfWrite)
This is an optional parameter which may be used by the scanning subsystem to write a specified amount of application data to the scan object as part of the repair process. This function pointer may be set if the scan action is set to repair or deletion.
Callback function (pfCallBack)
If specified, the scanning subsystem calls the specified function with the information described in the table below. If the callback function returns a negative return value, the scanning process is aborted. Table #19 sets forth an exemplary callback code list.
Table #19
Callback reason ID | Description
MDO_CB_DETECTED | Informs the calling application program that malicious code has been detected in the scan target. The callback data argument 'arg' is set to point to an SCBArg structure.
MDO_CB_CLEAN_READY | Informs the calling application program that the identified malware is ready to be cleaned/repaired. The callback data argument 'varg' is set to point to an SCBArg structure.
Exemplary computer code #5 illustrates a scanning subsystem callback structure.
Computer code #5
Figure C200480016993D00281
Scan result (SScanResult)
The result of object scanning, i.e. the detected malware information, is returned to the calling application program in the SScanResult structure provided by the calling application program. The SScanResult structure contains a pointer to a structure that contains the scan result information, and a pointer to a function used to remove the scan result resource. The memory used to hold the scan result is allocated by the scanning subsystem and freed by calling the function pointed to by the pfDeleteResult pointer.
Exemplary computer code #6 illustrates a sample calling sequence.
Computer code #6
Figure C200480016993D00291
Exemplary computer code #7 illustrates a detected malicious code/content information structure.
Computer code #7
Figure C200480016993D00292
Exemplary computer code #8 illustrates a scan result structure.
Computer code #8
Figure C200480016993D00302
Severity class and behavior level (uBehavior)
Figure 14 illustrates a bit-field variable 1400 containing the malware severity flags and application program behavior levels included in the SDetect structure, in accordance with one exemplary embodiment.
Table #20 sets forth an exemplary malware severity class list.
Table #20
Severity flag | Description
MDO_SC_USER | The detected malware is harmful to the user.
MDO_SC_TERMINAL | The detected malware is harmful to the device.
If the scanned application data contains malware harmful to the user of the mobile communication device, the scanning subsystem sets the MDO_SC_USER flag. The MDO_SC_TERMINAL flag is set if the malware is harmful to the mobile communication device itself. If it is harmful to both the user and the mobile communication device, both the MDO_SC_USER and MDO_SC_TERMINAL flags are set.
The application program behavior level specifies what to do with application data found to contain malware. Table #21 lists the behavior level values and the corresponding actions taken by the application program.
Table #21
Behavior level | Description
MDO_BC_LEVEL0 | Process with a warning. This severity level may be assigned to data previously considered malicious.
MDO_BC_LEVEL1 | Prompt the user before processing. Ask the user whether he/she wants the application program to process the data.
MDO_BC_LEVEL2 | Do not process the data.
MDO_BC_LEVEL3 | Do not process the data, and prompt the user for removal. If the content is stored on the device, prompt the user for permission before removal.
MDO_BC_LEVEL4 | Do not process the data, and automatically remove it if it is stored.
When multiple malicious codes are found in the scanned data, the calling application program is expected to act with the highest behavior level. For example, if both MDO_BC_LEVEL0 and MDO_BC_LEVEL3 are reported, the application program may take the MDO_BC_LEVEL3 action.
Figure 15 illustrates a chart 1500 setting forth the manner in which the timing of scanning by the scanning subsystem varies as a function of the data types identified via the variables of Figure 13.
Signature database update
As mentioned earlier, the update process may be streamlined to accommodate the limited bandwidth inherent in mobile communication frameworks. More information regarding the various ways in which this may be accomplished is set forth below.
Updated components
The MDoScanUpdate function provides two components [e.g. malicious code detection logic (mdo.pd) and signature database (mdo.sdb)] with update service. One component (e.g. mdo.pd) may contain the detection logic and be updated fully when a newer version is available. The other component (e.g. mdo.sdb) may be updated incrementally up to n previous versions. A full update of the second component may be performed on mobile communication devices with versions older than n. For example, if n is set to 5 and the latest version is 20, then a full update is performed on a mobile communication device with a version older than 15.
Activation via user interface
Figure 16 illustrates an exemplary flow 1600 describing the manner in which the update is initiated by a user interface, in accordance with one embodiment. As shown, the virus code update may be initiated by the mobile communication device user selecting a menu entry via a user interface 1602. Once the user selects the update menu, an update application program 1604 is activated and connects to a back-end server via the appropriate update interface function 1606.
Communication protocol
The update library may communicate with the back-end server via the HTTP protocol.
Update process
Figure 17 illustrates a method 1700 for efficiently updating a scanning subsystem of a mobile communication device, in accordance with one embodiment. In one embodiment, the present method 1700 may be implemented in the context of the application programs, scanning subsystem and operating system of the framework 300 of Fig. 3 and the systems of Figs. 1 and 2. It should be noted, however, that the present method 1700 may be implemented in any desired environment.
To initiate the process, a request for an update may be sent from at least one mobile communication device to a back-end server. Of course, in other embodiments, the update may be sent without a request.
In one embodiment, the update may be requested by the mobile communication device using a request data structure. Optionally, such a data structure may include variables such as a uniform resource locator (URL) variable, a mobile communication identifier variable, an application program interface version variable, a detection logic variable, a signature version variable, and/or a portion number variable.
Table #22 illustrates an exemplary URL that may be used for this purpose.
Table #22
<BASE-URL>?dev=<DEV-ID>&mdo=<MDO-VER>&eng=<ENG-VER>&sdb=<SDB-VER>&chk=<CHUNK>
The following table describes the above URL variables:
Variable | Description
<BASE-URL> | Update server URL obtained using the MDoConfigGet function (see section 0)
<DEV-ID> | Mobile communication device identifier; returned by the AlDevGetInfo function
<MDO-VER> | MDo API version
<ENG-VER> | Detection logic, mdo.pd, version
<SDB-VER> | Signature database, mdo.sdb, version
<CHUNK> | Update package chunk, or portion, number; initially one (=1)
Table #23 illustrates a specific example of a URL that conforms to the above description.
Table #23
http://update.mcafeeacsa.com/504i?dev=X504i05&mdo=2&eng=3&sdb=56&chk=1
The URL of Table #23 above specifies the base URL "http://update.mcafeeacsa.com/504i", "X504i05" as the device identifier, API version 2, malicious code detection logic version 3, and signature database version 56. It should be noted that the "chunk", or portion, number may be set to 1 when the mobile communication device initially contacts the back-end server. In addition, the base URL may be obtained using the MDoConfigGet API with the "UpdateURL" configuration variable.
After receiving the request, the back-end server determines which update package needs to be downloaded by comparing the stored malicious code detection logic and signature database versions with the version information encoded in the URL.
If no update is needed, the back end may return a no-content response. In operation 1701, the mobile communication device receives the response as the first portion. If it is determined that the first portion includes the foregoing no-content response (see decision 1702), the method 1700 is terminated, as there is no update to download. This feature is beneficial in accommodating the limited bandwidth inherent in mobile communication frameworks.
On the other hand, if the first portion of an update package is returned, the method 1700 continues by receiving the additional portions of the update after (or possibly in parallel with) the receipt of the first portion of the update. Note operations 1704-1708. It should be noted that the first portion may be accompanied by the total package size and portion count information.
To download the remaining update portions, the portion number of the download URL may be modified. Table #24 illustrates a specific example of a URL that specifies portion number "3".
Table #24
http://update.mcafeeacsa.com/504i?dev=X504i05&mdo=2&eng=3&sdb=56&chk=3
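The request handling described above can be sketched in C as follows. This is an added example, not code from the patent: it parses the Table #22 variables strictly and then applies the full/incremental rule given under "Updated components". The type and function names, the alphanumeric-only device identifier, and the server-side latest versions are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { ACT_NONE, ACT_INCREMENTAL, ACT_FULL } Action;

/* Hypothetical holder for the Table #22 query variables. */
typedef struct {
    char dev[32];                      /* <DEV-ID> */
    unsigned long mdo, eng, sdb, chk;  /* <MDO-VER>, <ENG-VER>, <SDB-VER>, <CHUNK> */
} UpdateRequest;

/* Strict decimal: 1 to 9 digits and nothing else (no sign, no spaces). */
static int to_num(const char *s, unsigned long *out) {
    size_t n = strlen(s);
    if (n == 0 || n > 9 || strspn(s, "0123456789") != n) return -1;
    *out = strtoul(s, NULL, 10);
    return 0;
}

/* Parse "<BASE-URL>?dev=..&mdo=..&eng=..&sdb=..&chk=..".
   Returns 0 on success, -1 if a variable is missing, repeated, unknown or malformed. */
int parse_update_request(const char *url, UpdateRequest *r) {
    /* Assumption: device identifiers are alphanumeric, like "X504i05". */
    static const char ALNUM[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    char q[256];
    unsigned seen = 0;
    const char *qs = strchr(url, '?');
    if (qs == NULL || strlen(qs + 1) >= sizeof q) return -1;
    strcpy(q, qs + 1);                 /* bounded by the length check above */
    memset(r, 0, sizeof *r);
    for (char *tok = strtok(q, "&"); tok != NULL; tok = strtok(NULL, "&")) {
        unsigned bit;
        unsigned long *num = NULL;
        char *val = strchr(tok, '=');
        if (val == NULL) return -1;
        *val++ = '\0';
        if      (strcmp(tok, "dev") == 0) { bit = 1; }
        else if (strcmp(tok, "mdo") == 0) { bit = 2;  num = &r->mdo; }
        else if (strcmp(tok, "eng") == 0) { bit = 4;  num = &r->eng; }
        else if (strcmp(tok, "sdb") == 0) { bit = 8;  num = &r->sdb; }
        else if (strcmp(tok, "chk") == 0) { bit = 16; num = &r->chk; }
        else return -1;                /* unknown variable */
        if (seen & bit) return -1;     /* repeated variable */
        seen |= bit;
        if (num != NULL) {
            if (to_num(val, num) != 0) return -1;
        } else {
            size_t n = strlen(val);
            if (n == 0 || n >= sizeof r->dev || strspn(val, ALNUM) != n) return -1;
            memcpy(r->dev, val, n + 1);
        }
    }
    /* All five variables are required; chunk numbers start at 1. */
    return (seen == 31 && r->chk >= 1) ? 0 : -1;
}

/* Detection logic (mdo.pd): replaced in full whenever a newer version exists. */
Action pd_action(unsigned long have, unsigned long latest) {
    return have < latest ? ACT_FULL : ACT_NONE;
}

/* Signature database (mdo.sdb): incremental for devices at most n versions
   behind the latest, full update for anything older. */
Action sdb_action(unsigned long have, unsigned long latest, unsigned long n) {
    if (have >= latest) return ACT_NONE;   /* nothing to send: no-content response */
    return (latest - have <= n) ? ACT_INCREMENTAL : ACT_FULL;
}

int main(void) {
    UpdateRequest r;
    const char *url =
        "http://update.mcafeeacsa.com/504i?dev=X504i05&mdo=2&eng=3&sdb=56&chk=1";
    if (parse_update_request(url, &r) != 0) { puts("reject request"); return 1; }
    /* Constructed server state: latest mdo.pd = 3, latest mdo.sdb = 60, n = 5. */
    printf("dev=%s chunk=%lu pd=%d sdb=%d\n", r.dev, r.chk,
           pd_action(r.eng, 3), sdb_action(r.sdb, 60, 5));
    return 0;
}
```

With n = 5 and a latest signature database version of 20, version 15 still receives an incremental update and version 14 receives a full one, matching the example in the text.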
In one embodiment, the integrity of the update may be determined. Accordingly, the update may be conditionally installed with the scanning subsystem, based on whether the integrity of the update is verified.
As an option, the integrity of the update may be determined using a signature. Such a signature may be received with one of the portions (i.e. the last portion) of the update. The signature may then be compared against another signature generated using each of the portions of the update. Note operation 1710.
In one embodiment, the signature may be generated using an RSA private key and authenticated on the mobile communication device using a corresponding public key included in the update. The signature verification and generation may further be performed using a specified authentication library.
Assuming that the integrity is verified, any scanning being performed by the scanning subsystem is paused or halted. Note operation 1712. It should be noted that this pausing is optional.
Next, the update may be installed with the scanning subsystem. Note operation 1714. In the embodiment where any scanning is paused, the scanning may subsequently be resumed using the scanning subsystem once the update is installed. See operation 1716.
To accommodate the limited bandwidth inherent in mobile communication frameworks, the size of the portions of the update may be minimized. Moreover, the portions of the update may be compressed.
In yet another embodiment, the format of each portion of the update may be designed to accommodate the limited bandwidth inherent in mobile communication frameworks. More information regarding such a format is set forth below.
Table #25 illustrates an exemplary format for downloading the portions of the update.
Table #25
Figure C200480016993D00351
Each of the foregoing parts set forth in Table #25 is defined as follows in Table #26.
Table #26
X-ContentLength:<part-length>\r\n
X-ContentName:<part-name>\r\n
X-Name:<component-name>\r\n
X-Version:<component-version>\r\n
\r\n
[part-data: part-length bytes]
Each part is made up of a header and data. The header may indicate an identifier of the associated portion of the update, a length of the associated portion of the update, etc. Moreover, the header may specify the name and length of the contained data, and is separated from the actual data by an extra CR+LF pair. Table #27 sets forth exemplary data/content names associated with the header.
Table #27
Component name | Description
"pd" | Detection logic
"sdb" | Signature database update
Table #28 illustrates an exemplary update package.
Table #28
Figure C200480016993D00361
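A receiver for the part format of Table #26 has to treat every header field as untrusted until it has been checked against the bytes actually received. The following C parser is an added example, not code from the patent: the names UpdatePart and parse_update_part, the decimal form of X-Version, the tolerated space after the colon, and the sample part are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result type for this example (not a structure from the patent). */
typedef struct {
    char content_name[64];      /* X-ContentName */
    char component[8];          /* X-Name: "pd" or "sdb" (Table #27) */
    unsigned long version;      /* X-Version, assumed to be decimal */
    const unsigned char *data;  /* part-data, points into the caller's buffer */
    size_t data_len;            /* X-ContentLength */
    size_t consumed;            /* header bytes plus data bytes */
} UpdatePart;

/* Constructed sample part; the content name and payload are made up. */
static const char SAMPLE_PART[] =
    "X-ContentLength:5\r\nX-ContentName:part1\r\n"
    "X-Name:sdb\r\nX-Version:57\r\n\r\nHELLO";

/* Copy a header value into a fixed buffer; fail if empty or too long. */
static int copy_text(char *dst, size_t cap, const unsigned char *v, size_t n) {
    if (n == 0 || n >= cap) return -1;
    memcpy(dst, v, n);
    dst[n] = '\0';
    return 0;
}

/* Digits only, at most 9 of them, so the value cannot overflow. */
static int parse_digits(const unsigned char *v, size_t n, unsigned long *out) {
    unsigned long r = 0;
    if (n == 0 || n > 9) return -1;
    for (size_t i = 0; i < n; i++) {
        if (v[i] < '0' || v[i] > '9') return -1;
        r = r * 10 + (unsigned long)(v[i] - '0');
    }
    *out = r;
    return 0;
}

static int key_is(const unsigned char *k, size_t klen, const char *name) {
    return strlen(name) == klen && memcmp(k, name, klen) == 0;
}

/* Parse one part from buf[0..len). Returns 0 on success, -1 if the header is
   truncated, malformed, incomplete, or declares more data than was received. */
int parse_update_part(const unsigned char *buf, size_t len, UpdatePart *p) {
    size_t pos = 0;
    unsigned seen = 0;
    unsigned long clen = 0;
    memset(p, 0, sizeof *p);
    for (;;) {
        size_t eol = pos, klen, vlen;
        const unsigned char *colon, *v;
        unsigned bit;
        int rc;
        while (eol + 1 < len && !(buf[eol] == '\r' && buf[eol + 1] == '\n')) eol++;
        if (eol + 1 >= len) return -1;           /* no CR+LF: truncated header */
        if (eol == pos) { pos += 2; break; }     /* empty line: data follows */
        colon = memchr(buf + pos, ':', eol - pos);
        if (colon == NULL) return -1;
        klen = (size_t)(colon - (buf + pos));
        v = colon + 1;
        vlen = eol - pos - klen - 1;
        while (vlen > 0 && *v == ' ') { v++; vlen--; }
        if (key_is(buf + pos, klen, "X-ContentLength")) {
            bit = 1; rc = parse_digits(v, vlen, &clen);
        } else if (key_is(buf + pos, klen, "X-ContentName")) {
            bit = 2; rc = copy_text(p->content_name, sizeof p->content_name, v, vlen);
        } else if (key_is(buf + pos, klen, "X-Name")) {
            bit = 4; rc = copy_text(p->component, sizeof p->component, v, vlen);
        } else if (key_is(buf + pos, klen, "X-Version")) {
            bit = 8; rc = parse_digits(v, vlen, &p->version);
        } else {
            return -1;                           /* unknown header field */
        }
        if (rc != 0 || (seen & bit)) return -1;  /* bad value or repeated field */
        seen |= bit;
        pos = eol + 2;
    }
    if (seen != 15) return -1;                   /* all four fields are required */
    if (strcmp(p->component, "pd") != 0 && strcmp(p->component, "sdb") != 0)
        return -1;                               /* only the Table #27 names */
    if (clen > len - pos) return -1;             /* declared length exceeds buffer */
    p->data = buf + pos;
    p->data_len = (size_t)clen;
    p->consumed = pos + p->data_len;
    return 0;
}

int main(void) {
    UpdatePart p;
    const unsigned char *s = (const unsigned char *)SAMPLE_PART;
    if (parse_update_part(s, sizeof SAMPLE_PART - 1, &p) != 0) {
        puts("malformed part");
        return 1;
    }
    printf("%s v%lu: %lu data bytes\n", p.component, p.version,
           (unsigned long)p.data_len);
    return 0;
}
```

Parsing a part this way only establishes that it is well formed; installation still depends on the signature check over all portions described earlier.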
Abstract library API
As mentioned earlier, a platform-independent system and associated method are provided for use with a mobile communication device. Included is a platform-independent scanning subsystem in communication with the operating system of the mobile communication device for scanning purposes. Further provided is a platform-independent application program interface for interfacing the operating system and the scanning subsystem. The platform-independent application program interface includes an abstract library for porting the platform-independent scanning subsystem to the mobile communication device and associated operating system.
By this design, the scanning subsystem may be platform-independent, and thus be implemented on any type of operating system/mobile communication device combination.
In one embodiment, the abstract library may support system initialization, library initialization, error functions, memory allocation, input/output (I/O), data authentication, synchronization, hypertext transfer protocol, shared memory, system time, device information, and debugging. More exemplary information relating to one optional implementation of the foregoing application program interface is set forth in Appendix A.
While various embodiments have been described above, it should be understood that they have been presented by way of example only, and not limitation. Thus, the breadth and scope of a particular embodiment should not be limited by any of the above-described exemplary embodiments, but should be defined only in accordance with the claims and their equivalents.
Appendix A
The present application program interface (API) includes the following subsystems:
System initialization
Library initialization
Error functions
Heap memory allocation
Persistent memory/storage I/O
Data authentication
Synchronization object (semaphore)
HTTP API
Shared memory
System time
Device information
Debugging
Also described in this appendix is a set of C-language definitions defined in the abstract library (AL) layer for use in the API library.
System initialization
Platform/system-dependent boot initialization is performed by the AlLibrarySysInit() function. This function is designed to be called from the MDoSystemInit() function described earlier.
AlLibrarySysInit
Description
Performs system-dependent initialization.
Prototype
int AlLibrarySysInit(void);
Parameters
None
Return value
0 if successful, -1 otherwise.
Library initialization
The platform abstraction API library is initialized using the AlInitLibrary() function. The abstract library is to be initialized once before an abstraction API function is called. The system resources obtained and initialized by AlInitLibrary() are released when the AlCleanupLibrary() function is called.
AlInitLibrary
Description
Performs library initialization. This function is to be called by the MDoLibraryOpen() function.
Prototype
int AlInitLibrary(void);
Parameters
None
Return value
0 if successful, -1 otherwise.
AlCleanupLibrary
Description
Releases the system resources acquired by the AlInitLibrary() function. This function is to be called by the MDoLibraryClose() function specified earlier.
Prototype
void AlCleanupLibrary(void);
Parameters
None
Return value
None
Error functions
The AL library includes a set of error functions used to set and retrieve task/thread-specific error codes. It is the responsibility of the abstraction layer implementer to set appropriate error codes and component codes.
AlGetLastError
Description
Returns the last error code value of the calling task/thread. Functions set the returned value using the AlSetLastError() function.
The AlErrorCode data type is internally represented using a 32-bit unsigned value.
Prototype
AlErrorCode AlGetLastError(void);
Parameters
None
Return value
The last error value of the calling thread/task, as set using the AlSetLastError() function.
AlSetLastError
Description
Sets the last error code for the calling thread/task.
Prototype
void AlSetLastError(AlErrorCode errorCode);
Parameters
errorCode
[in] 32-bit error code value
Return value
None
Error/status codes
Figure C200480016993D00401
Figure C200480016993D00421
Above-mentioned form has been listed the cover AL assembly and the code of makeing mistakes.One is used makeing mistakes of AlSetLastError function report is the value of a 32-position that is formed with makeing mistakes code combination by component code.Be set in makeing mistakes of AL level and obtain, conveniently when makeing mistakes generation, to take suitable action by use MDoGetLastError function.
Heap memory distributes
Level of abstraction provides a heap memory to distribute API, dynamically distributes required internal memory with a convenient invokes application (for example " call function ").The internal memory that is assigned with is assumed to be and can shares in global scope, promptly can be by a plurality of application/task institute access.AlMemAlloc () provides the distribution of heap memory and cancellation to distribute with AlMemFree () api function.
Function Describe
void*?AlMemAlloc( unsigned int uSize) Distribute a Dram
void?AlMemFree( void?*ptr) Use AlMemAlloc to discharge the internal memory that is assigned with
AlMemAlloc
Description
Allocates a specified amount of dynamic memory and returns a pointer to that memory. The allocated memory block is directly accessible by the caller (i.e. the calling application program) without requiring a special operation (i.e. memory locking).
Prototype
void* AlMemAlloc(unsigned int uSize);
Parameters
uSize
[in] Amount of memory to allocate, in bytes.
Return value
A pointer to the allocated memory. NULL if the request fails or the request size is zero.
See also
AlMemFree()
AlMemFree
Description
Frees a dynamic memory block returned by the AlMemAlloc() function.
Prototype
void AlMemFree(void* pData);
Parameters
pData
[in] Pointer to a memory block to be freed.
Return value
None
See also
AlMemAlloc()
Persistent storage I/O
Persistent storage (e.g. flash memory) is accessed using a file I/O API. See below:
Name | Description
AL_FILE_HANDLE AlFileOpen(char const* pszFilename, int iMode) | Open, creating if necessary, the specified file and return its handle
void AlFileClose(AL_FILE_HANDLE hFile) | Close the file handle returned by AlFileOpen()
unsigned int AlFileSeek(AL_FILE_HANDLE hFile) | Reposition the file offset
unsigned int AlFileRead(AL_FILE_HANDLE hFile, void* pBuffer, unsigned int uSize) | Read from a file handle
unsigned int AlFileWrite(AL_FILE_HANDLE hFile, void const* pBuffer, unsigned int uSize) | Write to a file handle
int AlFileSetSize(AL_FILE_HANDLE hFile, unsigned int uSize) | Resize a file
int AlFileStat(char const* pszFilename, AlStatBuf* pStat) | Obtain file information
The file handle type AL_FILE_HANDLE is defined as:
typedef struct AL_FILE_HANDLE_struct
{
} *AL_FILE_HANDLE;
A constant used to specify an invalid persistent storage handle, INVALID_AL_FILE_HANDLE, is defined as:
#define INVALID_AL_FILE_HANDLE ((AL_FILE_HANDLE)0)
The file status buffer type AlStatBuf is defined as:
typedef struct AlStatBuf_struct
{
    unsigned long ulsize;
    unsigned long ulTime;
} AlStatBuf;
AlFileOpen
Description
Opens the specified file and returns its handle.
Prototype
AL_FILE_HANDLE AlFileOpen(const char* pszFilename,
                          int iMode);
Parameters
pszFilename
[in] File name/path string
iMode
[in] File access mode
AL_OPEN_READ | Open the file for reading
AL_OPEN_WRITE | Open the file for both reading and writing
Return value
The file handle if successful, INVALID_AL_FILE_HANDLE otherwise.
See also
AlFileClose(), AlFileRead(), AlFileWrite()
AlFileClose
Description
Closes the specified file handle and releases the system resources associated with it.
Prototype
void AlFileClose(AL_FILE_HANDLE hFile);
Parameters
hFile
[in] File handle returned by AlFileOpen()
Return value
None
See also
AlFileOpen(), AlFileRead(), AlFileWrite()
AlFileSeek
Description
Repositions the read/write file offset.
Prototype
long AlFileSeek(AL_FILE_HANDLE hFile,
                long lOffset,
                int iWhence);
Parameters
hFile
[in] An open file handle
lOffset
[in] File offset relative to the iWhence directive
iWhence
[in] Initial position. Possible values are:
AL_SEEK_SET | The offset parameter specifies the absolute file offset, in other words the offset from the beginning of the file.
AL_SEEK_CUR | Specifies a relative offset: the offset parameter specifies the file offset from the current file offset.
AL_SEEK_END | Specifies the file offset from the end of the file.
Return value
The resulting file offset if successful, -1L otherwise.
See also
AlFileOpen(), AlFileClose(), AlFileRead(), AlFileWrite()
AlFileRead
Description
Reads a block of data from a file.
Prototype
unsigned int AlFileRead(AL_FILE_HANDLE hFile,
                        void* pBuffer,
                        unsigned int uSize);
Parameters
hFile
[in] Handle to an open file
pBuffer
[out] Data buffer
uSize
[out] Amount of data to read
Return value
Returns the number of bytes read on success, otherwise -1.
See also
AlFileOpen(), AlFileClose(), AlFileSeek(), AlFileWrite()
AlFileWrite
Description
Writes a block of data to a file.
Prototype
unsigned int AlFileWrite(AL_FILE_HANDLE hFile,
                         void const* pBuffer,
                         unsigned int uSize);
Parameters
hFile
[in] Handle to an open file
pBuffer
[in] Buffer holding the data to write
uSize
[out] Amount of data to write
Return value
Returns the amount of data written on success, otherwise -1.
See also
AlFileOpen(), AlFileClose(), AlFileSeek(), AlFileRead()
AlFileSetSize
Description
Resizes an open file.
For platforms without native file resize support, the abstraction library implements this function by modifying the size information stored at the beginning of each file when the AlFileClose() function is called.
Prototype
unsigned int AlFileSetSize(AL_FILE_HANDLE hFile,
                           unsigned int uSize);
Parameters
hFile
[in] Handle referencing a file opened in write mode
uSize
[out] New file length in bytes
Return value
Returns 0 on success, otherwise -1.
See also
AlFileStat()
AlFileStat
Description
Obtains the file size and creation timestamp.
For platforms that provide no native method of obtaining file size and/or timestamp information, the abstraction library implements this function by storing the information at the beginning of each file.
Prototype
int AlFileStat(char const* pszFilename,
               AlStatBuf* pStat);
Parameters
pszFilename
[in] Name of the file to obtain information about
pStat
[out] Pointer to a structure used to return the size and timestamp information. The structure contains the following fields:
typedef struct AlStatBuf_struct
{
    unsigned long ulSize; /* size in bytes */
    unsigned long ulTime; /* creation time */
} AlStatBuf;
Return value
Returns 0 on success, otherwise -1.
Data authentication
The platform abstraction API includes a set of functions for authenticating data. The data authentication API is used to authenticate the downloaded malware signature database.
Once the caller has obtained an authentication object using the AlDaOpen function, a call to AlDaVerify is made to verify the data supplied.
AlDaGetSignerInfo() is used to obtain signer information. AlDaClose() is used to close and release the data authentication handle and the related system resources. Below is an exemplary data authentication API.
Function Description
AL_DA_HANDLE AlDaOpen(const void* pSig, unsigned int uSigSize) Obtain a data authentication handle from a given signature/certificate
void AlDaClose(AL_DA_HANDLE hHandle) Close the data authentication handle obtained using AlDaOpen()
AlDaVerify(AL_DA_HANDLE hDA, int (*pfRead)(void*, void*, int), void* pPrivate) Data authentication function. The caller provides a data retrieval method through a callback function
int AlDaGetSignerInfo(AL_DA_HANDLE hDA, DaSignerInfo* pDSI) Obtain signer information
The data authentication handle returned by the AlDaOpen() function is defined as:
ALHANDLE(AL_DA_HANDLE);
#define INVALID_AL_DA_HANDLE ((AL_DA_HANDLE)0)
The signer information structure is defined as:
#define MAX_DA_SIGNER_NAME 128
typedef struct DaSignerInfo_struct
{
    char szSignerName[MAX_DA_SIGNER_NAME];
} DaSignerInfo;
AlDaOpen
Description
Creates and returns a data authentication handle.
Prototype
AL_DA_HANDLE AlDaOpen(const void* pSig,
                      unsigned int uSigSize);
Parameters
pSig
[in] Pointer to the signature data
uSigSize
[in] Signature size in bytes
Return value
Returns the data authentication handle on success, otherwise INVALID_AL_DA_HANDLE.
See also
AlDaClose(), AlDaUpdate(), AlDaVerify(),
AlDaGetSignerInfo()
AlDaClose
Description
Releases the system resources used for a data authentication handle.
Prototype
void AlDaClose(AL_DA_HANDLE hDa);
Parameters
hDa
[in] Data authentication handle returned by AlDaOpen.
Return value
None
See also
AlDaOpen(), AlDaUpdate(), AlDaVerify(),
AlDaGetSignerInfo()
AlDaVerify
Description
Performs data authentication.
Prototype
int AlDaVerify(AL_DA_HANDLE hDa,
               int (*pfRead)(void*, void*, int),
               int iTotalSize,
               void* pPrivate);
Parameters
hDa
[in] Data authentication handle
pfRead
[in] Callback function supplied by the caller and used to read the data (see below). It returns -1 if an error occurs, 0 if there is no more data to read, and otherwise the amount of data read and returned to the AlDaVerify function. This function is expected to be called multiple times.
iTotalSize
[in] Total size of the data to be verified.
pPrivate
[in] The caller's private data, passed through to the pfRead callback.
Return value
Returns 0 if the application data is authenticated, otherwise -1.
See also
AlDaOpen(), AlDaClose(), AlDaGetSignerInfo()
Below is a sample data read callback function.
[Figure C200480016993D00541]
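The read-callback contract described for pfRead, as an added example that is not the patent's own sample (the figure is not reproduced on this page): a memory-backed callback and a stand-in driver that fails closed on callback errors, tampered data and truncated input. MemSource, mem_read, demo_verify, verify_buffer, the callback's argument order and the toy FNV-1a checksum that stands in for the real signature check are all assumptions.

```c
#include <string.h>

/* Constructed sample standing in for a downloaded signature database. */
static const unsigned char SAMPLE_DB[] = "constructed-signature-database-v1";
#define SAMPLE_DB_SIZE ((int)(sizeof SAMPLE_DB - 1))
#define TOY_DIGEST_INIT 2166136261UL

/* Hypothetical caller state reached through pPrivate. */
typedef struct {
    const unsigned char *data; /* bytes to authenticate */
    int size, pos;             /* bytes available, bytes already handed out */
} MemSource;

/* Read callback: -1 on error, 0 when no data is left, else bytes copied.
 * The argument order (private data, buffer, size) is an assumption. */
int mem_read(void *pPrivate, void *pBuffer, int iSize)
{
    MemSource *src = (MemSource *)pPrivate;
    int left;
    if (src == NULL || src->data == NULL || pBuffer == NULL || iSize < 0 ||
        src->pos < 0 || src->pos > src->size)
        return -1;
    left = src->size - src->pos;
    if (left == 0)
        return 0;
    if (iSize > left)
        iSize = left;
    memcpy(pBuffer, src->data + src->pos, (size_t)iSize);
    src->pos += iSize;
    return iSize;
}

/* Toy FNV-1a checksum step: a placeholder, NOT a cryptographic signature. */
unsigned long toy_digest_step(unsigned long h, const unsigned char *p, int n)
{
    while (n-- > 0)
        h = ((h ^ *p++) * 16777619UL) & 0xFFFFFFFFUL;
    return h;
}

/* Stand-in with the shape of AlDaVerify(): 0 if the data checks out, else -1. */
int demo_verify(unsigned long expected, int (*pfRead)(void *, void *, int),
                int iTotalSize, void *pPrivate)
{
    unsigned char chunk[8];
    unsigned long h = TOY_DIGEST_INIT;
    int total = 0;
    if (pfRead == NULL || iTotalSize < 0)
        return -1;
    while (total < iTotalSize) {
        int want = iTotalSize - total, got;
        if (want > (int)sizeof chunk)
            want = (int)sizeof chunk;
        got = pfRead(pPrivate, chunk, want);
        if (got < 0 || got > want)
            return -1;            /* callback error or overrun: reject */
        if (got == 0)
            break;                /* source ended before iTotalSize bytes */
        h = toy_digest_step(h, chunk, got);
        total += got;
    }
    if (total != iTotalSize)
        return -1;                /* truncated input: reject */
    return (h == expected) ? 0 : -1;
}

/* Checks `claimed` bytes from a `size`-byte buffer through mem_read(). */
int verify_buffer(const unsigned char *data, int size, int claimed, unsigned long expected)
{
    MemSource src;
    src.data = data; src.size = size; src.pos = 0;
    return demo_verify(expected, mem_read, claimed, &src);
}

int main(void)
{
    unsigned long good = toy_digest_step(TOY_DIGEST_INIT, SAMPLE_DB, SAMPLE_DB_SIZE);
    return verify_buffer(SAMPLE_DB, SAMPLE_DB_SIZE, SAMPLE_DB_SIZE, good) == 0 ? 0 : 1;
}
```

A source that runs out before iTotalSize bytes have been delivered is rejected in the same way as a checksum mismatch, so a short download cannot pass as an authenticated one.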
AlDaGetSignerInfo
Description
Obtains the data authentication signer information.
Prototype
int AlDaGetSignerInfo(AL_DA_HANDLE hDA,
                      DaSignerInfo* pDSI);
Parameters
hDa
[in] Data authentication handle
pDSI
[out] Pointer to a structure that receives the signer information
Return value
Returns 0 if the signer information is obtained successfully, otherwise -1.
See also
AlDaOpen(), AlDaClose(), AlDaVerify()
Synchronization object
Resource synchronization and control are achieved using a semaphore. The abstraction library includes a set of functions to create, open, close and modify a semaphore object. Below is an exemplary semaphore API.
Function Description
AL_SEM_HANDLE AlSemCreate(char const* pszName) Create a named semaphore and return its handle
AL_SEM_HANDLE AlSemOpen(char const* pszName) Return a handle to an existing semaphore
void AlSemClose(AL_SEM_HANDLE hHandle) Close the semaphore handle; the reference count is decremented by one, and the referenced semaphore is released if the count reaches zero
int AlSemGet(AL_SEM_HANDLE hHandle) Acquire a semaphore
int AlSemRelease(AL_SEM_HANDLE hHandle) Release a semaphore
AlSemCreate
Description
Creates a named semaphore, sets its internal count to zero, and returns its handle.
Prototype
AL_SEM_HANDLE AlSemCreate(char const* pszName);
Parameters
pszName
[in] Semaphore name string
Return value
Returns the semaphore handle on success, otherwise INVALID_AL_SEM_HANDLE.
See also
AlSemOpen(), AlSemClose(), AlSemGet(), AlSemRelease()
AlSemOpen
Description
Returns a handle to an existing semaphore.
Prototype
AL_SEM_HANDLE AlSemOpen(char const* pszName);
Parameters
pszName
[in] Semaphore name
Return value
Returns the semaphore handle on success, otherwise INVALID_AL_SEM_HANDLE.
See also
AlSemCreate(), AlSemClose(), AlSemGet(), AlSemRelease()
AlSemClose
Description
Closes the specified semaphore handle and releases the system resources associated with it. The semaphore usage/reference count is also decremented, and the referenced semaphore object is destroyed if the count reaches zero.
Prototype
void AlSemClose(AL_SEM_HANDLE hSem);
Parameters
hSem
[in] Semaphore handle obtained using AlSemCreate() or AlSemOpen()
Return value
None
See also
AlSemCreate(), AlSemOpen(), AlSemGet(), AlSemRelease()
AlSemGet
Description
Acquires the specified semaphore. If the internal count is greater than zero on entry, it is decremented by one and the call returns immediately. If the internal count is zero on entry, the call blocks until another task/thread calls AlSemRelease() to make it greater than zero.
Prototype
int AlSemGet(AL_SEM_HANDLE hSem);
Parameters
hSem
[in] Semaphore handle
Return value
Returns 0 on success, otherwise -1.
See also
AlSemCreate(), AlSemOpen(), AlSemClose(), AlSemRelease()
AlSemRelease
Description
Releases the semaphore, incrementing the internal count by one.
Prototype
int AlSemRelease(AL_SEM_HANDLE hSem);
Parameters
hSem
[in] Semaphore handle
Return value
Returns 0 on success, otherwise -1.
See also
AlSemCreate(), AlSemOpen(), AlSemClose(), AlSemGet()
HTTP API
The abstraction library includes a set of functions that provide HTTP network I/O using a callback structure supplied by the caller. Below is an exemplary HTTP API.
Function Description
AL_HTTP_HANDLE AlHttpOpen(void) Create and return an HTTP I/O handle
void AlHttpClose(AL_HTTP_HANDLE hHandle) Close the HTTP I/O handle
int AlHttpExec(AL_HTTP_HANDLE hHandle, char const* pszMethod, char const* pszURL, AlHttpCallbacks* pHttpCb, void* pPrivate) Perform a GET or PUT operation
The HTTP handle returned by the AlHttpOpen() function is defined as:
typedef struct AL_HTTP_HANDLE_struct
{
} *AL_HTTP_HANDLE;
#define INVALID_AL_HTTP_HANDLE ((AL_HTTP_HANDLE)0)
The HTTP callback structure AlHttpCallbacks is defined as:
typedef struct AlHttpCallbacks_struct
{
    unsigned int (*pWrite)(void* pPrivate,
                           void const* pData,
                           unsigned int uSize);
    unsigned int (*pRead)(void* pPrivate,
                          void* pData,
                          unsigned int uSize);
    unsigned int (*pGetSize)(void* pPrivate);
    unsigned int (*pSetSize)(void* pPrivate,
                             unsigned int uSize);
} AlHttpCallbacks;
The callback functions given in the above HTTP callback structure provide the following functions:
pWrite is called by the system HTTP library to store incoming HTTP request data.
pRead is used to obtain application data to be sent as part of an HTTP request.
pGetSize provides the HTTP library with the application's content data size, "Content-Length".
pSetSize is called by the HTTP library to inform the calling application of the size of the incoming content data when it becomes available.
AlHttpOpen
Description
Creates and returns a handle to the HTTP library.
Prototype
AL_HTTP_HANDLE AlHttpOpen(void);
Parameters
None
Return value
Returns INVALID_AL_HTTP_HANDLE if creating an HTTP instance fails.
See also
AlHttpClose()
AlHttpClose
Description
Closes an HTTP handle and releases the system resources associated with it.
Prototype
void AlHttpClose(AL_HTTP_HANDLE hHTTP);
Parameters
hHTTP
[in] HTTP library handle returned by the AlHttpOpen() function.
Return value
None
See also
AlHttpClose()
AlHttpExec
Description
Executes an HTTP method ("GET" or "POST") on the specified URL, with optional header information.
Prototype
int AlHttpExec(AL_HTTP_HANDLE hHTTP,
               char const* pszMethod,
               char const* pszURL,
               AlHttpCallbacks* pHttpCb,
               void* pPrivate);
Parameters
hHTTP
[in] HTTP library handle returned by the AlHttpOpen() function
pszMethod
[in] HTTP method specification: HTTP "GET" or "POST"
pszURL
[in] URL to which the HTTP request is made
pHttpCb
[in] Pointer to a set of HTTP I/O functions specified by the caller. The HTTP library uses the functions specified in the AlHttpCallbacks structure to perform data I/O
pPrivate
[in/out] Pointer to caller data that is passed back to the callback functions specified in the AlHttpCallbacks structure
Return value
Returns 0 on success, otherwise -1.
See also
AlHttpOpen(), AlHttpClose()
Shared memory
The system memory address at which the library's shared objects are stored is obtained using the AlShmAddress() function. This shared information area is allocated/prepared at device boot time and is referenced by the different instances of the library.
AlShmAddress
Description
Returns the shared memory address.
Prototype
void* AlShmAddress(void);
Parameters
None
Return value
Returns the shared memory address on success, otherwise NULL.
Time
AlTmGetCurrent() provides the caller with the current system time in seconds.
AlTmGetCurrent
Description
Obtains the current system time.
Prototype
unsigned long AlTmGetCurrent(void);
Parameters
None
Return value
On success, returns the time in seconds since the epoch (00:00:00 Coordinated Universal Time, January 1, 1970). On error, returns ((unsigned long)-1L).
Device information
AlDevGetInfo
Description
Obtains device-specific information. The device identification string returned by this function is used by the API.
Prototype
int AlDevGetInfo(AlDeviceInfo* pDeviceInfo);
Parameters
pDeviceInfo
[out] Pointer to the device information
The AlDeviceInfo structure is defined as:
#define AL_MAX_DEVICE_ID 32
typedef struct AlDeviceInfo_struct
{
    char szDeviceID[AL_MAX_DEVICE_ID];
} AlDeviceInfo;
The identification string szDeviceID is a unique terminal/device identifier, used to distinguish a particular mobile communication device from all other devices. This information is used to construct a malware signature download URL for the mobile communication device. It must not contain any characters that are not allowed in a URL (i.e. whitespace).
Return value
Returns 0 on success, -1 on failure.
Debugging
AlDbgOutput
Description
Outputs a debug string to a debug console. This function is a null function in release builds.
Prototype
int AlDbgOutput(char const* pszOutput);
Parameters
pszOutput
[in] String to output to the debug console
Return value
Returns 0 on success, -1 on failure.

Claims (24)

1. A method for efficiently updating a scanning subsystem of a mobile communication device, characterized by comprising:
receiving a first portion of an update adapted for updating a scanning subsystem of a mobile communication device, the scanning subsystem of the mobile communication device being capable of scanning for harmful content;
receiving additional portions of the update in addition to receiving the first portion of the update; and
installing the update in the scanning subsystem;
wherein the first portion of the update and the additional portions of the update are requested one at a time and together form a single packet.
2. The method of claim 1, characterized by further comprising determining the integrity of the update.
3. The method of claim 2, characterized in that the update is installed in the scanning subsystem if the integrity of the update is verified.
4. The method of claim 2, characterized in that the integrity of the update is determined using a signature.
5. The method of claim 4, characterized in that the signature is received with one portion of the update.
6. The method of claim 4, characterized in that the signature is compared with another signature generated using each portion of the update.
7. The method of claim 4, characterized in that the signature is received only with the last of the additional portions of the update.
8. The method of claim 1, characterized in that the size of the portions of the update is minimized.
9. The method of claim 1, characterized in that the portions of the update are compressed.
10. The method of claim 1, characterized by further comprising determining whether the first portion is empty.
11. The method of claim 10, characterized in that the additional portions of the update are received conditionally, based on the determination of whether the first portion is empty.
12. The method of claim 1, characterized by further comprising pausing scanning performed using the scanning subsystem.
13. The method of claim 12, characterized by further comprising resuming scanning using the scanning subsystem after the update is installed in the scanning subsystem.
14. The method of claim 1, characterized in that the update is requested by the mobile communication device.
15. The method of claim 14, characterized in that the update is requested by the mobile communication device using a request data structure.
16. The method of claim 15, characterized in that the request data structure includes variables selected from the group consisting of a uniform resource locator (URL) variable, a mobile communication identifier variable, an application program interface version variable, a detection logic variable, a signature version variable and a portion number variable.
17. The method of claim 15, characterized in that the request data structure includes variables selected from the group comprising a uniform resource locator (URL) variable, a mobile communication identifier variable, an application program interface version variable, a detection logic variable, a signature version variable and a portion number variable.
18. The method of claim 1, characterized in that each portion of the update includes a file header.
19. The method of claim 18, characterized in that the file header indicates an identifier of the associated portion of the update.
20. The method of claim 18, characterized in that the file header indicates the length of the associated portion of the update.
21. The method of claim 1, characterized in that the mobile communication device includes a cellular telephone.
22. A system for efficiently updating a scanning subsystem of a mobile communication device, characterized by comprising:
a back-end server; and
a mobile communication device capable of wireless communication with the back-end server, to receive a first portion of an update adapted for updating the scanning subsystem of the mobile communication device, the scanning subsystem of the mobile communication device being capable of scanning for harmful content, to receive additional portions of the update in addition to the first portion of the update, and to install the update in the scanning subsystem;
wherein the first portion of the update and the additional portions of the update are requested one at a time and together form a single packet.
23. A method for efficiently updating a scanning subsystem of a mobile communication device by using a back-end server, characterized by comprising:
transmitting a first portion of an update adapted for updating the scanning subsystem of a mobile communication device, the scanning subsystem of the mobile communication device being capable of scanning for harmful content;
transmitting additional portions of the update in addition to the first portion of the update;
wherein the update is installed in the scanning subsystem of the mobile communication device;
wherein the first portion of the update and the additional portions of the update are requested one at a time and together form a single packet.
24. A method for updating a scanning subsystem of a mobile communication device, characterized by comprising:
transmitting a request for an update, the update being adapted for updating the scanning subsystem of a mobile communication device, the scanning subsystem of the mobile communication device being capable of scanning for harmful content;
receiving a first portion of the update in response to the request;
determining whether the first portion is empty;
if the first portion is determined not to be empty, receiving additional portions of the update in addition to the first portion of the update;
verifying a signature associated with the update;
pausing scanning performed using the scanning subsystem;
if the signature is verified, installing the update in the scanning subsystem; and
resuming scanning using the scanning subsystem after the update is installed in the scanning subsystem;
wherein the first portion of the update and the additional portions of the update are requested one at a time and together form a single packet.
Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US46388503P 2003-04-17 2003-04-17
US60/463,885 2003-04-17
US10/639,007 2003-08-11

Publications (2)

Publication Number Publication Date
CN1981263A CN1981263A (en) 2007-06-13
CN100524211C true CN100524211C (en) 2009-08-05

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004800169936A Expired - Fee Related CN100524211C (en) 2003-04-17 2004-04-05 Update system and method for updating a scanning subsystem in a mobile communication framework


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 1209 Orange Street, Wilmington, New Fort, 19801, Delaware, USA

Co-patentee after: NTT Mobile Communications

Patentee after: Mike Non Ltd.

Address before: California, USA

Co-patentee before: NTT Mobile Communications

Patentee before: Mcafee Inc.

CP03 Change of name, title or address
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090805