CN101329711A - Method and apparatus for detecting computer file - Google Patents


Info

Publication number
CN101329711A
Authority
CN
China
Prior art keywords
file
detection
suspicious
attribute
detect
Prior art date
Legal status
Granted
Application number
CN 200810135013
Other languages
Chinese (zh)
Other versions
CN101329711B (en)
Inventor
樊震
Current Assignee
Huawei Digital Technologies Chengdu Co Ltd
Original Assignee
Huawei Symantec Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Symantec Technologies Co Ltd
Priority to CN 200810135013 (CN101329711B)
Publication of CN101329711A
Priority to PCT/CN2009/070554 (WO2010009625A1)
Application granted
Publication of CN101329711B
Legal status: Active
Anticipated expiration


Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55: Detecting local intrusion or implementing counter-measures
    • G06F 21/56: Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

The invention discloses a method and device for detecting a computer file. The method comprises the following steps: the attributes of a file are detected and the anomalous detection items are picked out, where the attributes comprise structure attributes and file attributes; each anomalous detection item is assigned a weight, and the number of occurrences of each same anomalous detection item is counted. The preset weight of each anomalous detection item and the number of occurrences of the same anomalous detection item are used to calculate the anomaly degree of the file. If the anomaly degree is greater than or equal to a preset anomaly standard, the file is an anomalous file; if the anomaly degree is smaller than the preset anomaly standard, the file is not an anomalous file. The method and device can actively defend against static unknown viruses and strengthen the defence capability against viruses.

Description

Method and device for detecting a computer file
Technical field
The present invention relates to the field of computer communications, and in particular to a method and device for detecting a computer file.
Background technology
At present, active defence techniques against unknown computer viruses have appeared in the industry, indicating that antivirus technology is developing in the direction of active defence. Active antivirus mainly performs behavioural analysis on the currently running processes, monitors whether a running program behaves maliciously, and then gives a probability that the running program is suspicious. This detection mode achieves a good recognition rate for unknown viruses, but it can only detect running virus files; it cannot detect static virus samples and static virus files. Experience shows that virus files in the running state account for only about 40% of all virus files, or even fewer, because one virus file can be stored under several different file paths while only one copy runs at a time. Behaviour-based detection of unknown computer viruses therefore cannot detect the static samples that a virus sample releases into several other folder locations, nor static virus files that were propagated to the local machine, for example by web browsing, USB devices or e-mail.
In the course of research and practice on the prior art, the inventor found the following problem: the behaviour-based active virus defence of the prior art cannot detect virus files that are in the static state. Using only the prior-art active virus defence technique therefore leaves some viruses incompletely removed, and active virus defence cannot be fully achieved.
Summary of the invention
The technical problem to be solved by the embodiments of the invention is to provide a method and device for detecting a computer file that can achieve defence against static unknown viruses.
The method and device embodiments for detecting a computer file provided by the embodiments of the invention are achieved through the following technical solutions:
The embodiments of the invention provide a method for detecting a computer file, comprising the steps of:
detecting the attributes of a file and selecting the suspicious detection items, where the attributes comprise structure attributes and file attributes;
assigning weights to the suspicious detection items, and counting the number of occurrences of each same suspicious detection item;
calculating the suspicion degree of the file from the preset weights of the suspicious detection items and the number of occurrences of each same suspicious detection item; if the suspicion degree is greater than or equal to a preset suspicion standard, the file is a suspicious file, and if the suspicion degree is less than the preset suspicion standard, the file is not a suspicious file.
The embodiments of the invention also provide a device for detecting a computer file, comprising:
a detecting unit, used to detect the attributes of a file and select the suspicious detection items, where the attributes comprise structure attributes and file attributes;
an assignment unit, used to assign weights to the suspicious detection items;
a statistics unit, used to count the number of occurrences of each same suspicious detection item;
a computing unit, used to calculate the suspicion degree of the file from the weights of the suspicious detection items and the number of occurrences of each same suspicious detection item;
a comparing unit, used to compare the suspicion degree of the file with a preset suspicion standard; if the suspicion degree is greater than the preset suspicion standard, the file is a suspicious file, and if the suspicion degree is less than the preset suspicion standard, the file is not a suspicious file.
The technical solutions above have the following beneficial effect: because the embodiments of the invention detect the structure attributes and file attributes of a file, select the suspicious detection items, assign weights to them, count the number of occurrences of each same suspicious detection item, then calculate the suspicion degree of the detected file and determine according to a preset rule whether the file is suspicious, they achieve active defence against static unknown viruses, which the prior art does not; this raises the detection probability of unknown viruses and strengthens the defence against them.
Description of drawings
Fig. 1 is the flow diagram of the computer file detection method provided by the embodiment of the invention;
Fig. 2 is the diagram of the computer file detection device provided by the embodiment of the invention.
Embodiments
The embodiments of the invention provide a method and device for detecting a computer file, used to achieve active defence against static viruses.
The embodiments of the invention detect the structure attributes and file attributes of a static file, select the suspicious detection items, assign each detection item a weight according to its importance, use these weights and the number of occurrences of each same suspicious detection item to calculate the suspicion degree of the detected file, and determine from the calculated suspicion degree whether the file is infected with a virus. By detecting static files, the embodiments of the invention achieve active defence against static viruses.
When the user of an operating terminal chooses to use the computer file detection device provided by the embodiment of the invention to begin detecting whether the files in the terminal are infected with a virus, the steps of the computer file detection method provided by the embodiment of the invention begin.
Please refer to Fig. 1, which is the flow diagram of the computer file detection method provided by the embodiment of the invention.
When detection begins, the file is first opened and read, and then step 101 is executed.
Step 101: detect the validity of the file.
To speed up file detection, the validity of the file is detected first after it is opened, so that no time is spent detecting an invalid file.
The embodiment of the invention takes the detection of a Word file as an example. Detecting the validity of the file mainly means checking whether the e_magic item of the image DOS header (IMAGE_DOS_HEADER) structure among the file's structure attributes equals a preset value, for example IMAGE_DOS_SIGNATURE; if it is not equal, the file is not a valid executable (PE) file. If it is equal, the image NT header (IMAGE_NT_HEADER) is located at the address pointed to by the e_lfanew item of the image DOS header among the structure attributes, and the PE file identification (Signature) item of the image NT header is compared with "PE00"; if equal, the file is considered a valid PE file; otherwise a message is displayed stating that the file does not have a valid PE structure, and the file is invalid. This step thus detects whether the file is a valid PE-structured file. If the opened file is detected as valid, step 102 is executed; if it is detected as invalid, detection ends directly.
Step 102: detect the structure attributes of the file.
Detecting the structure attributes of the file specifically comprises: detecting the items of the image DOS header among the structure attributes; detecting the items of the image file header (IMAGE_FILE_HEADER); detecting the items of the image optional header (IMAGE_OPTIONAL_HEADER); and detecting the items of the image section headers (IMAGE_SECTION_HEADER).
The items of the image DOS header among the structure attributes are detected as follows:
e_lfanew item in the image DOS header:
If the value of this item exceeds the size of the file under detection or is less than 0x10, the file is considered suspicious.
The items of the image file header are detected as follows:
NumberOfSections item in the image file header:
Under normal conditions this value is mostly 4; if the value of this item is less than 3, the file is considered suspicious.
The items of the image optional header are detected as follows:
BaseOfCode item in the image optional header:
For a suspicious file, this value does not equal the start address of any section, i.e. it lies in no section; or the start address is abnormal. Under Win32 the start address under normal conditions is mostly one of 0x1000, 0x10000000 or 0x00400000; if it is none of these values, the file is considered suspicious.
If this value equals the start address of some section but the name of that section (the Name item of IMAGE_SECTION_HEADER) is not a common one such as ".text" or ".rsrc", the file is considered suspicious.
BaseOfData item in the image optional header:
For a suspicious file, this value does not equal the start address of any section, i.e. it lies in no section, or this value is less than 0x400; in either case the file is considered suspicious.
If this value equals the start address of some section but the name of that section (the Name item of IMAGE_SECTION_HEADER) is not the common ".data", the file is also considered suspicious.
ImageBase item in the image optional header:
If this value is greater than 0x20000000, the file is considered suspicious.
FileAlignment item in the image optional header:
If this value is not equal to 0x200, the file is considered suspicious.
CheckSum item in the image optional header:
Viruses and some illegitimate programs often set this item to 0 when modifying the PE file format, whereas a file built by a normal compiler has a correct value. If this item is 0, the file is considered suspicious.
VirtualAddress and Size items of the Import table in the image optional header:
If the value of IMAGE_OPTIONAL_HEADER32->DataDirectory[1].Size is greater than 0 and less than 0x28, the file is considered suspicious.
Resource item in the image optional header:
There are also other structural anomalies of files, for example:
A PE file embedded inside the resource section:
The resource section of an ordinary file generally stores content such as the file's icon, bitmaps related to the file, and version information. If a PE file, identified by the MZ mark, is found again inside the resource section, the file is very likely a virus: a virus can release the PE file from this section when it runs.
VirtualAddress and Size items of the Relocation table in the image optional header:
If the VirtualAddress value is greater than 0 and less than 0x48, the file is considered suspicious.
If the Size value is greater than the size of the file under detection or less than 0x0c, the file is considered suspicious.
VirtualAddress and Size items of the TLS table in IMAGE_OPTIONAL_HEADER32:
If IMAGE_OPTIONAL_HEADER32->DataDirectory[9].VirtualAddress is greater than 0 and less than 0x48, the file is considered suspicious.
VirtualAddress and Size items of the BoundImport table in IMAGE_OPTIONAL_HEADER32:
If the value of IMAGE_OPTIONAL_HEADER32->DataDirectory[11].Size is greater than the size of the file under detection or less than 0x20, the file is considered suspicious.
VirtualAddress and Size items of the IAT table in IMAGE_OPTIONAL_HEADER32:
If the value of IMAGE_OPTIONAL_HEADER32->DataDirectory[12].Size is greater than the size of the file under detection, the file is considered suspicious.
The items of IMAGE_SECTION_HEADER are detected as follows:
It should be noted that when detecting the items of IMAGE_SECTION_HEADER, the section table (SECTION TABLE) is located first, and after it has been located the items of the IMAGE_SECTION_HEADER are detected. When detection of the items of one IMAGE_SECTION_HEADER finishes, the next IMAGE_SECTION_HEADER item is located; if there is no next IMAGE_SECTION_HEADER item, detection of the IMAGE_SECTION_HEADER items ends; if a next IMAGE_SECTION_HEADER item is located, detection continues with the items of that next IMAGE_SECTION_HEADER.
Name item in IMAGE_SECTION_HEADER:
This item is an 8-character ASCII string, which mostly starts with ".". Common section names are ".text", ".data", ".code", ".rsrc" and ".reloc": .text stores instruction code, .data stores initialized data, .idata contains the functions and data of other external DLLs, i.e. the import table, .rsrc stores all resource data of the module, .reloc stores the base relocation table, and .edata stores the export table of the file. Suspicious files and virus files often use random names in place of these common section names, such as "PS vegetarian salts down" or "Bohai Sea @", or the name is simply a null character (NUL); in such cases the file is considered suspicious.
PointerToRawData item in IMAGE_SECTION_HEADER:
This is the offset of the section within the disk file; if this item is set to zero, the file is considered suspicious.
SizeOfRawData item in IMAGE_SECTION_HEADER:
This is the size the section occupies in the disk file; if this value is zero for some section in the section table, the file structure is abnormal and the file is considered suspicious.
Characteristics item in IMAGE_SECTION_HEADER:
That is, the section attributes. This is an important mark for judging whether a file is suspicious. The field is a set of flags indicating the attributes of the section, and the Characteristics value is the sum of several flags. Some common flags are:
Flag                               Value      Purpose
IMAGE_SCN_CNT_CODE                 00000020h  Contains executable code
IMAGE_SCN_CNT_INITIALIZED_DATA     00000040h  Contains initialized data
IMAGE_SCN_CNT_UNINITIALIZED_DATA   00000080h  Contains uninitialized data
IMAGE_SCN_MEM_DISCARDABLE          02000000h  Can be discarded
IMAGE_SCN_MEM_SHARED               10000000h  Shared section
IMAGE_SCN_MEM_EXECUTE              20000000h  Executable; normally used together with 00000020h
IMAGE_SCN_MEM_READ                 40000000h  Readable
IMAGE_SCN_MEM_WRITE                80000000h  Writable
For example, the Characteristics value C0000040h = 40000000h | 80000000h | 00000040h indicates that the section is readable and writable and contains initialized data.
Common section names that carry the writable flag are .data, DATA, BSS, .tls, .idata and .adata. If a section has the writable flag but its name is not one of these common names, it is more suspicious.
For example, if the Characteristics value of a section is 80000000h, meaning writable, but its Name is not one of the section names listed above that carry the writable flag, the file is considered suspicious.
After the structure attributes of the file have been detected, step 103 is executed.
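The validity check of step 101 and the structure-attribute rules of step 102 can be carried out directly on the raw header bytes. The following Python is an added example (not code from the patent, which describes the rules in prose only): it builds a constructed PE32 header chain with the standard library's struct module, performs the MZ / e_lfanew / "PE\0\0" validity check, and applies a subset of the step 102 rules (e_lfanew, NumberOfSections, BaseOfCode, ImageBase, FileAlignment, CheckSum, the Import directory Size, and the per-section Name, PointerToRawData, SizeOfRawData and Characteristics checks), counting a section-level item once per section header as step 106 requires. The header layouts, the build_pe() sample builder, the two sample files and the function names parse_pe() and structural_findings() are assumptions made here; the rule thresholds and the common section-name lists are the page's own.

```python
import struct

# PE32 header layouts read by the step 101 and step 102 rules (little-endian struct
# formats constructed for this example; the patent page carries no code of its own).
DOS_FMT = "<2s58xI"           # IMAGE_DOS_HEADER: e_magic, padding, e_lfanew at offset 60
FILE_FMT = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6  # IMAGE_OPTIONAL_HEADER32, 96 bytes
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_MEM_WRITE = 0x80000000
COMMON_NAMES = {b".text", b".data", b".code", b".rsrc", b".reloc", b".idata", b".edata"}
WRITABLE_NAMES = {b".data", b"DATA", b"BSS", b".tls", b".idata", b".adata"}  # names that normally carry the write flag

def build_pe(sections, image_base=0x00400000, file_alignment=0x200, checksum=0x1234, import_size=0x28):
    """Assemble a bare PE32 header chain (DOS header, NT headers, section table) as sample
    input. sections = [(name, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)]."""
    dos = struct.pack(DOS_FMT, b"MZ", 0x40)                            # e_lfanew = 0x40
    file_hdr = struct.pack(FILE_FMT, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack(OPT_FMT, 0x10B, 9, 0,                            # Magic, linker version
                      0, 0, 0, 0x1000, 0x1000, 0x2000,                 # sizes, entry point, BaseOfCode, BaseOfData
                      image_base, 0x1000, file_alignment,              # ImageBase, SectionAlignment, FileAlignment
                      0, 0, 0, 0, 4, 0, 0, 0x4000, 0x200, checksum,    # versions, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0, 0, 0, 0, 0, 0, 16)                         # Subsystem ... NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    dirs[1] = (0x2000, import_size)                                    # DataDirectory[1] = Import table
    opt += b"".join(struct.pack("<II", va, size) for va, size in dirs)
    table = b"".join(struct.pack(SECTION_FMT, name.ljust(8, b"\0"), 0x1000, va, raw, ptr, 0, 0, 0, 0, chars)
                     for name, va, raw, ptr, chars in sections)
    return dos + b"PE\0\0" + file_hdr + opt + table

def parse_pe(data):
    """Step 101: MZ magic, e_lfanew inside the file, 'PE\\0\\0' signature; then pull out the
    fields the step 102 rules use. Returns None for an invalid (non-PE or truncated) file."""
    if len(data) < 64 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    try:
        fh = struct.unpack_from(FILE_FMT, data, e_lfanew + 4)
        opt_off = e_lfanew + 24
        opt = struct.unpack_from(OPT_FMT, data, opt_off)
        dirs = [struct.unpack_from("<II", data, opt_off + 96 + 8 * i) for i in range(16)]
        sec_off = opt_off + fh[5]                                      # skip SizeOfOptionalHeader bytes
        secs = [struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i) for i in range(fh[1])]
    except struct.error:                                               # headers run past end of file
        return None
    return {"e_lfanew": e_lfanew, "NumberOfSections": fh[1], "BaseOfCode": opt[7],
            "ImageBase": opt[9], "FileAlignment": opt[11], "CheckSum": opt[21],
            "ImportSize": dirs[1][1], "sections": secs}

def structural_findings(data):
    """Step 102 rules (a subset); returns {detection item: occurrences}, counting a
    section-level item once per IMAGE_SECTION_HEADER as step 106 does, or None if invalid."""
    pe = parse_pe(data)
    if pe is None:
        return None
    hits = {}
    def hit(item):
        hits[item] = hits.get(item, 0) + 1
    starts = {s[2]: s[0].rstrip(b"\0") for s in pe["sections"]}        # VirtualAddress -> Name
    if pe["e_lfanew"] < 0x10:                                          # (> file size already rejected above)
        hit("e_lfanew")
    if pe["NumberOfSections"] < 3:
        hit("NumberOfSections")
    if starts.get(pe["BaseOfCode"]) not in (b".text", b".rsrc"):       # no section starts there, or odd name
        hit("BaseOfCode")
    if pe["ImageBase"] > 0x20000000:
        hit("ImageBase")
    if pe["FileAlignment"] != 0x200:
        hit("FileAlignment")
    if pe["CheckSum"] == 0:
        hit("CheckSum")
    if 0 < pe["ImportSize"] < 0x28:
        hit("DataDirectory[1].Size")
    for s in pe["sections"]:
        name, raw_size, raw_ptr, chars = s[0].rstrip(b"\0"), s[3], s[4], s[9]
        if name not in COMMON_NAMES:                                   # random or empty section name
            hit("Name")
        if raw_ptr == 0:
            hit("PointerToRawData")
        if raw_size == 0:
            hit("SizeOfRawData")
        if chars & IMAGE_SCN_MEM_WRITE and name not in WRITABLE_NAMES: # writable, but not a usual data section
            hit("Characteristics")
    return hits

# Constructed samples: a conventional three-section layout and one that trips most rules.
CLEAN = build_pe([(b".text", 0x1000, 0x400, 0x200, 0x60000020),
                  (b".data", 0x2000, 0x200, 0x600, 0xC0000040),
                  (b".rsrc", 0x3000, 0x200, 0x800, 0x40000040)])
ODD = build_pe([(b"PS@", 0x1000, 0, 0, 0xE0000020),
                (b".data", 0x2000, 0x200, 0x200, 0xC0000040)],
               image_base=0x30000000, file_alignment=0x1000, checksum=0, import_size=0x10)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("odd", ODD), ("not a PE", b"MZ" + b"\0" * 100)):
        print(label, structural_findings(blob))
```

The clean sample yields no findings, the odd sample trips ten rules (its first section is counted separately for Name, PointerToRawData, SizeOfRawData and Characteristics, which is what the per-section loop of step 106 is for), and a buffer that is not a PE file is rejected at step 101 before any rule runs. Truncated headers are handled by catching struct.error rather than by trusting NumberOfSections or SizeOfOptionalHeader, since both come from the file under inspection.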
Step 103: detect the file attributes of the file.
Detecting the file attributes of the file specifically comprises: detecting the file resources, detecting the general file properties, and detecting the file version information.
The items of the file attributes are detected as follows:
General file properties: for a suspicious file, the general file properties are usually hidden. For convenience, in the embodiment of the invention the general file properties refer to information such as the extension name of the file, the size of the file, the storage location of the file and the creation time of the file.
File name: for a suspicious file, the file name may be altered; viruses often disguise themselves as iexporer, svchost and the like, and carry special symbols such as ( ) [ ] ~.
Resource information of the file: a suspicious file or virus file generally has no resource information.
Copyright information of the file: a suspicious file or virus file generally has no normal copyright information.
Entry characteristics of each section: in a suspicious file or virus file, the entry of a section contains a jump instruction.
It should be noted that detecting the structure attributes of the file and detecting the file attributes of the file may be done in either order, and likewise the individual structure attribute items and the individual file attribute items may be detected in any order.
Step 104: select the suspicious detection items.
According to the rules described in step 102 and step 103, the suspicious detection items are selected.
Step 105: assign weights to the suspicious detection items.
Each detection item is assigned a corresponding weight according to its importance among all structure attributes and file attributes.
The weight of each detection item is illustrated in the following table:
Detection item                                                 Weight
e_lfanew item in IMAGE_DOS_HEADER                              15
NumberOfSections item in IMAGE_FILE_HEADER                      2
BaseOfCode item in IMAGE_OPTIONAL_HEADER32                      5
BaseOfData item in IMAGE_OPTIONAL_HEADER32                      5
ImageBase item in IMAGE_OPTIONAL_HEADER32                       3
FileAlignment item in IMAGE_OPTIONAL_HEADER32                   5
CheckSum item in IMAGE_OPTIONAL_HEADER32                        5
IMAGE_OPTIONAL_HEADER32->DataDirectory[1].VirtualAddress item   5
IMAGE_OPTIONAL_HEADER32->DataDirectory[1].Size item             5
IMAGE_OPTIONAL_HEADER32->DataDirectory[5].VirtualAddress item   5
IMAGE_OPTIONAL_HEADER32->DataDirectory[5].Size item             5
Name item in IMAGE_SECTION_HEADER                               7
Step 106: count the number of occurrences of each same suspicious item.
A file may contain several SECTION TABLE entries, and each detection item of each SECTION TABLE entry is detected in a loop. Every detection item exists in every SECTION TABLE entry, so the suspicion degrees of several same detection items are accumulated. This step therefore accumulates the weights of the same suspicious items.
Step 107: calculate the suspicion degree of the file.
The calculation formula is as follows:
Suspicion degree of the file = (number of suspicious occurrences of detection item 1 × weight 1) + (number of suspicious occurrences of detection item 2 × weight 2) + (number of suspicious occurrences of detection item 3 × weight 3) + ...
Each detection item corresponds to a weight; after the suspicion degree of the file has been calculated, step 108 is executed.
For example, suppose the following detection items in some file meet the suspicious condition:
e_lfanew item in IMAGE_DOS_HEADER, 1 occurrence
NumberOfSections item in IMAGE_FILE_HEADER, 1 occurrence
BaseOfCode item in IMAGE_OPTIONAL_HEADER32, 1 occurrence
BaseOfData item in IMAGE_OPTIONAL_HEADER32, 1 occurrence
FileAlignment item in IMAGE_OPTIONAL_HEADER32, 1 occurrence
CheckSum item in IMAGE_OPTIONAL_HEADER32, 1 occurrence
IMAGE_OPTIONAL_HEADER32->DataDirectory[1].Size item, 1 occurrence
Name item in IMAGE_SECTION_HEADER, 2 occurrences
The suspicion degree of this file is then 15 + 2 + 5 + 5 + 5 + 5 + 5 + 2 × 7 = 56.
Step 108: compare the suspicion degree of the file with the preset suspicion standard.
Generally the preset suspicion standard is 20; when the calculated suspicion degree of the file exceeds or equals 20, step 109 is executed. The suspicion degree of the file calculated above is 56, so step 109 is executed. If the calculated suspicion degree of the file is less than 20, the file is considered a normal file that is not infected with a virus.
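Steps 106 to 108 carried through in code, as an added example that is not part of the patent: it collapses the per-occurrence findings into counts, evaluates the weighted sum of step 107 with the weight table of step 105, and applies the preset standard of 20 with the "greater than or equal" comparison of step 108, reproducing the 56 of the worked example and showing a file that stays below the standard. The item labels are constructed names for the table rows, and count_occurrences(), suspicious_degree() and classify() are assumed function names; the weights and the standard are the page's.

```python
from collections import Counter

# Weight table from step 105 (detection item -> weight); labels are constructed here.
WEIGHTS = {
    "IMAGE_DOS_HEADER.e_lfanew": 15,
    "IMAGE_FILE_HEADER.NumberOfSections": 2,
    "IMAGE_OPTIONAL_HEADER32.BaseOfCode": 5,
    "IMAGE_OPTIONAL_HEADER32.BaseOfData": 5,
    "IMAGE_OPTIONAL_HEADER32.ImageBase": 3,
    "IMAGE_OPTIONAL_HEADER32.FileAlignment": 5,
    "IMAGE_OPTIONAL_HEADER32.CheckSum": 5,
    "IMAGE_OPTIONAL_HEADER32.DataDirectory[1].VirtualAddress": 5,
    "IMAGE_OPTIONAL_HEADER32.DataDirectory[1].Size": 5,
    "IMAGE_OPTIONAL_HEADER32.DataDirectory[5].VirtualAddress": 5,
    "IMAGE_OPTIONAL_HEADER32.DataDirectory[5].Size": 5,
    "IMAGE_SECTION_HEADER.Name": 7,
}
STANDARD = 20   # the "generally preset" suspicion standard of step 108


def count_occurrences(findings):
    """Step 106: findings holds one entry per suspicious hit (section-level items repeat
    once per IMAGE_SECTION_HEADER); collapse them to item -> number of occurrences."""
    return Counter(findings)


def suspicious_degree(counts, weights=WEIGHTS):
    """Step 107: sum over items of occurrences * weight. An item with no weight is an
    error rather than a silent zero, so a misspelt rule name cannot hide a hit."""
    unknown = set(counts) - set(weights)
    if unknown:
        raise KeyError(f"no weight defined for {sorted(unknown)}")
    return sum(n * weights[item] for item, n in counts.items())


def classify(findings, standard=STANDARD):
    """Steps 106-108 together: returns (degree, is_suspicious) using degree >= standard."""
    degree = suspicious_degree(count_occurrences(findings))
    return degree, degree >= standard


# Constructed findings matching the worked example above: seven header items once each
# and the section Name rule tripped by two different sections.
EXAMPLE_FINDINGS = [
    "IMAGE_DOS_HEADER.e_lfanew",
    "IMAGE_FILE_HEADER.NumberOfSections",
    "IMAGE_OPTIONAL_HEADER32.BaseOfCode",
    "IMAGE_OPTIONAL_HEADER32.BaseOfData",
    "IMAGE_OPTIONAL_HEADER32.FileAlignment",
    "IMAGE_OPTIONAL_HEADER32.CheckSum",
    "IMAGE_OPTIONAL_HEADER32.DataDirectory[1].Size",
    "IMAGE_SECTION_HEADER.Name",
    "IMAGE_SECTION_HEADER.Name",
]

if __name__ == "__main__":
    print(classify(EXAMPLE_FINDINGS))                      # (56, True)
    print(classify(["IMAGE_SECTION_HEADER.Name"] * 2))      # (14, False): two odd names alone stay below 20
```

Two odd section names alone score 14 and are not reported, while e_lfanew plus a zero CheckSum score exactly 20 and are, which is where the choice between "greater than or equal" (step 108 and claim 1) and "greater than" (the comparing unit and claim 9) makes a difference.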
Step 109: display the suspicious file, and indicate that the file is suspicious.
To make it convenient for the terminal user to learn which files may be infected with a virus and to take active defence, when the calculated suspicion degree of a file is greater than the preset suspicion standard, the embodiment of the invention displays the suspicious file and correspondingly indicates that the file is suspicious.
At this point detection of one file finishes, and the computer file detection device provided by the embodiment of the invention begins detecting the next file. When all files chosen by the terminal user have been detected, the terminal user is notified that detection has finished, and all detected files whose suspicion degree reaches the preset suspicion standard are displayed. It should further be noted that the anomaly conditions for the file structure attributes and file attributes described in steps 102 and 103 of the computer file detection method of the embodiment of the invention may be updated as ordinary files or virus files continue to evolve; the embodiment of the invention does not limit this. Moreover, for all items of the structure attributes and file attributes of a file and the anomaly conditions corresponding to each item, a person skilled in the art can judge the anomaly condition of every detection item according to the specific situation, which is not elaborated here.
When the calculated suspicion degree of a file is greater than the preset suspicion standard, the embodiment of the invention displays the suspicious file and correspondingly indicates that the file is suspicious, making it convenient for the terminal user to learn which files may be infected with a virus and to take active defence.
The following provides a device embodiment that applies the computer file detection method provided by the embodiment of the invention.
Please refer to Fig. 2, which is the diagram of the computer file detection device provided by the embodiment of the invention.
As shown in the figure, the computer file detection device provided by the embodiment of the invention comprises:
a detecting unit 110, used to detect the attributes of a file and select the suspicious detection items, where the attributes comprise structure attributes and file attributes;
an assignment unit 120, used to assign weights to the suspicious detection items;
a statistics unit 130, used to count the number of occurrences of each same suspicious detection item;
a computing unit 140, used to calculate the suspicion degree of the file from the weights of the suspicious detection items and the number of occurrences of each same suspicious detection item;
a comparing unit 150, used to compare the suspicion degree of the file with the preset suspicion standard; if the suspicion degree is greater than the preset suspicion standard, the file is a suspicious file, and if the suspicion degree is less than the preset suspicion standard, the file is not a suspicious file.
After a suspicious file has been detected, the computer file detection device provided by the embodiment of the invention also comprises:
a display unit 160, used to display the suspicious file when the file is suspicious, and to indicate that the file is suspicious.
In addition, to reduce the time spent detecting invalid files and speed up detection, the computer file detection device also comprises:
a file detecting unit 170, used to detect whether the opened file is valid.
When the structure attributes of the file are detected and the file structure attributes contain several SECTION items, the computer file detection device provided by the embodiment of the invention also comprises:
a positioning unit 180, used to locate the section table in the file structure attributes when the file structure attributes are detected.
The computer file detection method and device provided by the embodiments of the invention can be used as an independent detection tool, or in combination with existing antivirus software. They can also be used to look for viruses in a data stream: the packets of a file transfer are captured and reassembled, and the reassembled file is then detected with the computer file detection method provided by the embodiment of the invention.
Example: at present, most viruses on the Internet are downloaded to the local machine by way of the Hypertext Transfer Protocol (HTTP) and then run. After the HTTP data stream has been captured and reassembled, the original file transmitted by the virus is obtained, and the computer file detection method provided by the embodiment of the invention is then used to detect whether it is a suspicious file.
The method and device for virus defence provided by the present invention have been described in detail above. For a person of ordinary skill in the art, the specific embodiments and the scope of application may all vary according to the ideas of the embodiments of the invention. In summary, this description should not be construed as limiting the present invention.

Claims (12)

1. A method for detecting a computer file, characterized in that it comprises the steps of:
detecting the attributes of a file and selecting the suspicious detection items, where the attributes comprise structure attributes and file attributes;
assigning weights to the suspicious detection items, and counting the number of occurrences of each same suspicious detection item;
calculating the suspicion degree of the file from the preset weights of the suspicious detection items and the number of occurrences of each same suspicious detection item; if the suspicion degree is greater than or equal to a preset suspicion standard, the file is a suspicious file, and if the suspicion degree is less than the preset suspicion standard, the file is not a suspicious file.
2. The method for detecting a computer file according to claim 1, characterized in that assigning weights to the suspicious detection items specifically comprises: assigning corresponding weights according to the weight proportion of the detection items.
3. The method for detecting a computer file according to claim 2, characterized in that calculating the suspicion degree of the file from the weights and the number of occurrences of each same suspicious detection item specifically comprises:
multiplying the number of occurrences of each same suspicious detection item by the weight of that suspicious detection item, and then adding the results of all detection items to obtain the suspicion degree of the file.
4. The method for detecting a computer file according to claim 3, characterized in that if the file is a suspicious file, the suspicious file is displayed and the file is indicated to be suspicious.
5. The method for detecting a computer file according to claim 4, characterized in that after the file is opened, whether the file is valid is detected;
if the file is invalid, detection ends.
6. The method for detecting a computer file according to any one of claims 1 to 5, characterized in that detecting the structure attributes of the file comprises:
detecting the items of the image DOS header; detecting the items of the image file header; detecting the items of the image optional header; and detecting the items of the image section headers.
7. The method for detecting a computer file according to claim 6, characterized in that detecting the items of the image section headers comprises the steps of:
locating the section table;
detecting the items of the section header in the section table;
after detection of the items of the section header in the section table finishes, locating the next section table; if the section is the last section, ending detection of the section table; if the section table is not the last section table, detecting the items of the section header in the current section table.
8. The method for detecting a computer file according to claim 7, characterized in that detecting the file attributes of the file comprises:
detecting the file resource information, detecting the general file properties, and detecting the file version information.
9. A device for detecting a computer file, characterized in that it comprises:
a detecting unit, used to detect the attributes of a file and select the suspicious detection items, where the attributes comprise structure attributes and file attributes;
an assignment unit, used to assign weights to the suspicious detection items;
a statistics unit, used to count the number of occurrences of each same suspicious detection item;
a computing unit, used to calculate the suspicion degree of the file from the weights of the suspicious detection items and the number of occurrences of each same suspicious detection item;
a comparing unit, used to compare the suspicion degree of the file with a preset suspicion standard; if the suspicion degree is greater than the preset suspicion standard, the file is a suspicious file, and if the suspicion degree is less than the preset suspicion standard, the file is not a suspicious file.
10, the device of computer documents detection according to claim 9 is characterized in that described computer documents pick-up unit also comprises:
Display unit is used for showing described apocrypha when described file is apocrypha, and shows that described file is an apocrypha.
11, the device of computer documents detection according to claim 10 is characterized in that, the device that described computer documents detects also comprises:
Whether the file detecting unit, it is effective to be used to detect the file of opening.
12, the device that detects according to each described computer documents of claim 9 to 11 is characterized in that described computer documents pick-up unit also comprises:
Positioning unit is used for locating the segment table of described file structure attribute when detecting described file structure attribute.
CN 200810135013 2008-07-24 2008-07-24 Method and apparatus for detecting computer file Active CN101329711B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN 200810135013 CN101329711B (en) 2008-07-24 2008-07-24 Method and apparatus for detecting computer file
PCT/CN2009/070554 WO2010009625A1 (en) 2008-07-24 2009-02-26 Computer file detecting method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200810135013 CN101329711B (en) 2008-07-24 2008-07-24 Method and apparatus for detecting computer file

Publications (2)

Publication Number Publication Date
CN101329711A true CN101329711A (en) 2008-12-24
CN101329711B CN101329711B (en) 2011-04-06

Family

ID=40205516

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200810135013 Active CN101329711B (en) 2008-07-24 2008-07-24 Method and apparatus for detecting computer file

Country Status (2)

Country Link
CN (1) CN101329711B (en)
WO (1) WO2010009625A1 (en)

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010009625A1 (en) * 2008-07-24 2010-01-28 成都市华为赛门铁克科技有限公司 Computer file detecting method and device
CN101984450A (en) * 2010-12-15 2011-03-09 北京安天电子设备有限公司 Malicious code detection method and system
CN102024113A (en) * 2010-12-22 2011-04-20 北京安天电子设备有限公司 Method and system for quickly detecting malicious code
CN102034043A (en) * 2010-12-13 2011-04-27 四川大学 Novel file-static-structure-attribute-based malware detection method
CN102075583A (en) * 2011-01-30 2011-05-25 杭州华三通信技术有限公司 HTTP request message processing method and equipment
CN102592103A (en) * 2011-01-17 2012-07-18 中国电信股份有限公司 Secure file processing method, equipment and system
CN102624547A (en) * 2011-12-31 2012-08-01 成都市华为赛门铁克科技有限公司 Method, device and system for managing IM (Instant Messaging) online behavior
CN102768717A (en) * 2012-06-29 2012-11-07 腾讯科技(深圳)有限公司 Malicious file detection method and malicious file detection device
CN101795267B (en) * 2009-12-30 2012-12-19 成都市华为赛门铁克科技有限公司 Method and device for detecting viruses and gateway equipment
CN103136473A (en) * 2011-11-29 2013-06-05 姚纪卫 Method and device used for detecting computer viruses
CN103136474A (en) * 2011-11-29 2013-06-05 姚纪卫 Method and device for detecting files
CN103353930A (en) * 2012-12-21 2013-10-16 北京安天电子设备有限公司 Method and device for preventing infectious virus infection
CN104732142A (en) * 2011-06-27 2015-06-24 北京奇虎科技有限公司 Method and device for unlocking file
CN104978381A (en) * 2014-10-28 2015-10-14 哈尔滨安天科技股份有限公司 Method and system for malicious sample detection on basis of disassembling
CN107330329A (en) * 2017-06-30 2017-11-07 北京金山安全管理系统技术有限公司 The authentication method and device of application file
CN108985063A (en) * 2018-07-13 2018-12-11 南方电网科学研究院有限责任公司 Malicious code obfuscation detection method, system, computer equipment and medium
CN109492399A (en) * 2019-01-17 2019-03-19 腾讯科技(深圳)有限公司 Risk file detection method, device and computer equipment
CN110648118A (en) * 2019-09-27 2020-01-03 深信服科技股份有限公司 Spear-phishing mail detection method and device, electronic equipment and readable storage medium
CN112380538A (en) * 2020-11-10 2021-02-19 广东电力信息科技有限公司 Internet information risk prompting method and monitoring system

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB0513375D0 (en) 2005-06-30 2005-08-03 Retento Ltd Computer security
US9413721B2 (en) * 2011-02-15 2016-08-09 Webroot Inc. Methods and apparatus for dealing with malware
CN102647421B (en) * 2012-04-09 2016-06-29 北京百度网讯科技有限公司 Web backdoor detection method and device based on behaviour features

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1329828C (en) * 2003-08-06 2007-08-01 华为技术有限公司 Method and device for preventing computer virus
US20070056035A1 (en) * 2005-08-16 2007-03-08 Drew Copley Methods and systems for detection of forged computer files
CN101329711B (en) * 2008-07-24 2011-04-06 成都市华为赛门铁克科技有限公司 Method and apparatus for detecting computer file

Cited By (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010009625A1 (en) * 2008-07-24 2010-01-28 成都市华为赛门铁克科技有限公司 Computer file detecting method and device
CN101795267B (en) * 2009-12-30 2012-12-19 成都市华为赛门铁克科技有限公司 Method and device for detecting viruses and gateway equipment
CN102034043B (en) * 2010-12-13 2012-12-05 四川大学 Malicious software detection method based on file static structure attributes
CN102034043A (en) * 2010-12-13 2011-04-27 四川大学 Novel file-static-structure-attribute-based malware detection method
CN101984450A (en) * 2010-12-15 2011-03-09 北京安天电子设备有限公司 Malicious code detection method and system
CN101984450B (en) * 2010-12-15 2012-10-24 北京安天电子设备有限公司 Malicious code detection method and system
CN102024113A (en) * 2010-12-22 2011-04-20 北京安天电子设备有限公司 Method and system for quickly detecting malicious code
CN102024113B (en) * 2010-12-22 2012-08-01 北京安天电子设备有限公司 Method and system for quickly detecting malicious code
CN102592103B (en) * 2011-01-17 2015-04-08 中国电信股份有限公司 Secure file processing method, equipment and system
CN102592103A (en) * 2011-01-17 2012-07-18 中国电信股份有限公司 Secure file processing method, equipment and system
CN102075583A (en) * 2011-01-30 2011-05-25 杭州华三通信技术有限公司 HTTP request message processing method and equipment
CN104732142B (en) * 2011-06-27 2017-12-12 北京奇虎科技有限公司 Method and device for unlocking a file
CN104732142A (en) * 2011-06-27 2015-06-24 北京奇虎科技有限公司 Method and device for unlocking file
CN103136473A (en) * 2011-11-29 2013-06-05 姚纪卫 Method and device used for detecting computer viruses
CN103136474A (en) * 2011-11-29 2013-06-05 姚纪卫 Method and device for detecting files
CN103136473B (en) * 2011-11-29 2017-07-04 姚纪卫 Method and apparatus for detecting computer viruses
CN103136474B (en) * 2011-11-29 2017-07-04 姚纪卫 Method and apparatus for detecting files
CN102624547A (en) * 2011-12-31 2012-08-01 成都市华为赛门铁克科技有限公司 Method, device and system for managing IM (Instant Messaging) online behavior
CN102768717B (en) * 2012-06-29 2015-01-21 腾讯科技(深圳)有限公司 Malicious file detection method and malicious file detection device
CN102768717A (en) * 2012-06-29 2012-11-07 腾讯科技(深圳)有限公司 Malicious file detection method and malicious file detection device
CN103353930B (en) * 2012-12-21 2016-09-07 北京安天电子设备有限公司 Method and apparatus for preventing infectious virus infection
CN103353930A (en) * 2012-12-21 2013-10-16 北京安天电子设备有限公司 Method and device for preventing infectious virus infection
CN104978381A (en) * 2014-10-28 2015-10-14 哈尔滨安天科技股份有限公司 Method and system for malicious sample detection on basis of disassembling
CN107330329A (en) * 2017-06-30 2017-11-07 北京金山安全管理系统技术有限公司 The authentication method and device of application file
CN108985063A (en) * 2018-07-13 2018-12-11 南方电网科学研究院有限责任公司 Malicious code obfuscation detection method, system, computer equipment and medium
CN109492399A (en) * 2019-01-17 2019-03-19 腾讯科技(深圳)有限公司 Risk file detection method, device and computer equipment
CN109492399B (en) * 2019-01-17 2022-02-01 腾讯科技(深圳)有限公司 Risk file detection method and device and computer equipment
CN110648118A (en) * 2019-09-27 2020-01-03 深信服科技股份有限公司 Spear-phishing mail detection method and device, electronic equipment and readable storage medium
CN112380538A (en) * 2020-11-10 2021-02-19 广东电力信息科技有限公司 Internet information risk prompting method and monitoring system

Also Published As

Publication number Publication date
CN101329711B (en) 2011-04-06
WO2010009625A1 (en) 2010-01-28

Similar Documents

Publication Publication Date Title
CN101329711B (en) Method and apparatus for detecting computer file
EP2513836B1 (en) Obfuscated malware detection
Riley et al. Multi-aspect profiling of kernel rootkit behavior
US8307435B1 (en) Software object corruption detection
US9135443B2 (en) Identifying malicious threads
US10229268B2 (en) System and method for emulation-based detection of malicious code with unmet operating system or architecture dependencies
US20150242626A1 (en) Method of generating in-kernel hook point candidates to detect rootkits and the system thereof
US20120317647A1 (en) Automated Exploit Generation
US20050187740A1 (en) System and method for proactive computer virus protection
CN102664875A (en) Malicious code type detection method based on cloud mode
Xu et al. Goldeneye: Efficiently and effectively unveiling malware’s targeted environment
US20120311709A1 (en) Automatic management system for group and mutant information of malicious codes
CN101964026A (en) Method and system for detecting web page horse hanging
US20160196427A1 (en) System and Method for Detecting Branch Oriented Programming Anomalies
CN111191243A (en) Vulnerability detection method and device and storage medium
EP3340097A1 (en) Analysis device, analysis method, and analysis program
US20210165882A1 (en) Early filtering of clean file using dynamic analysis
Li et al. Characterizing erasable accounts in ethereum
CN106372508B (en) Malicious document processing method and device
US20220335135A1 (en) Vulnerability analysis and reporting for embedded systems
US8065736B2 (en) Using asynchronous changes to memory to detect malware
Wu et al. Towards SQL injection attacks detection mechanism using parse tree
Zwanger et al. Kernel mode API spectroscopy for incident response and digital forensics
Zhu et al. Dytaint: The implementation of a novel lightweight 3-state dynamic taint analysis framework for x86 binary programs
Touili MADLIRA-a tool for Android malware detection

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD.

Free format text: FORMER NAME: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD.

CP03 Change of name, title or address

Address after: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee after: Huawei Symantec Technologies Co., Ltd.

Address before: Qingshui River District, Chengdu high tech Zone, Western China, Sichuan

Patentee before: Chengdu Huawei Symantec Technologies Co., Ltd.