Embodiment
Taking Trojan horses as an example and examining how users actually behave, a user can generally start a malicious program inside a compressed package in the following ways:
1. Open the compressed package and double-click the disguised Trojan program, for example "beastly door video.exe" inside "beastly door.rar" circulating on the network.
2. Decompress the compressed package, then double-click the decompressed Trojan program.
3. There are other ways as well, though they are less common, for example exploiting a vulnerability in the compression software, or exploiting a bug to invoke a file inside the compressed package.
The core technical idea of the present invention is therefore to carry out a security scan of the files in a compressed file during the process of opening the compressed file or decompressing it, and then optionally to take further actions such as removing the malicious program or preventing the user from clicking it.
These actions can be carried out in the same process or in different processes. Carrying them out in the same process is preferred, because it makes an integrated decompress-and-scan function easier to implement.
Regarding "during the process of opening the compressed file or decompressing it": the security scan can specifically be carried out before opening or decompression, after it, or at the same time. This is described in detail below through specific embodiments.
For the first way above, a Trojan scan can be carried out before the user opens a compressed package that contains a Trojan. When a Trojan is found, the user is warned and is restricted from opening the Trojan program, which prevents the Trojan from being started by the user.
For the second way above, a Trojan scan is carried out on the compressed package before decompression. When a Trojan is found, the Trojan program can be skipped so that the user has nothing to click, and the user is warned.
The scanning referred to in the present invention can identify malicious programs by the signature scanning and comparison commonly used in existing antivirus software.
The present invention is further described below with reference to the accompanying drawings.
Figure 1 is a schematic diagram of the security extraction system according to an embodiment of the invention. The security extraction system provided by the invention may comprise a decompression module 102 and a security scan module 104, wherein the decompression module 102 is used to open a compressed file or decompress a compressed file, and calls the security scan module 104 during this process; the security scan module 104 is used to carry out a security scan of the files in the compressed file.
In addition, according to embodiments of the invention, the security scan module 104 may further be coupled to a removal module 106, which removes malicious programs according to the scan result.
The decompression module 102 can call the security scan module 104 before opening the compressed file or decompressing it. It can also call the security scan module 104 after opening the compressed file or decompressing it, but in that case the user is prevented from executing files in the compressed file until the security scan module has finished scanning. It can also call the security scan module 104 while opening the compressed file or decompressing it, scanning as it decompresses.
The security scan module 104 may further be coupled to a labeling module 108, which marks the security level of each file according to the scan result.
The security scan module 104 may further be coupled to a prompting module 110, which pops up a dialog box according to the scan result to tell the user whether a malicious program was found and/or to ask whether to remove it.
The security scan module 104 may further be coupled to a blocking module 112, which, according to the scan result, pops up a dialog box that blocks opening when the user clicks a file containing a malicious program.
The security scan module 104 may further be coupled to an isolation module 114, which, according to the scan result, skips decompression of any file found to contain a malicious program.
As mentioned above, the decompression module and the security scan module can run in the same process or in different processes.
Correspondingly, the present invention also provides a method of securely extracting a compressed file, comprising: during the process of opening a compressed file or decompressing it, the decompression module calls the security scan module to carry out a security scan of the files in the compressed file.
The method may further comprise a step of removing malicious programs according to the scan result.
The security scan step can be carried out before the compressed file is opened or decompressed.
The security scan step can be carried out after the compressed file is opened or decompressed, in which case the user is prevented from executing files in the compressed file until the scan has finished.
The security scan step can be carried out in step with decompression, scanning while decompressing.
The security scan step may further comprise: marking the security level of each file according to the scan result.
The security scan step may further comprise: popping up a dialog box according to the scan result to tell the user whether a malicious program was found and/or to ask whether to remove it.
The security scan step may further comprise: according to the scan result, popping up a dialog box that blocks opening when the user clicks a file containing a malicious program.
The security scan step may further comprise: according to the scan result, skipping decompression of any file found to contain a malicious program.
The process of opening or decompressing the compressed file and the security scan step can be carried out in the same process or in different processes.
Figure 2 is a schematic diagram of the scanning process when a compressed package is opened, according to embodiments of the invention. As soon as the compressed package is opened, the invention begins scanning automatically and marks the security level of each file. A Trojan program can be marked as Trojan, a safe file as safe, and a risky file as risk.
Figure 3 shows the view when the scan completes and everything is safe; Figure 4 shows the view when the scan completes and a Trojan has been found; Figure 5 shows the view when the scan completes and a risky file has been found. In each of them, the security attribute column shows the security status of each file in the compressed package.
According to embodiments of the invention, after a compressed package containing a Trojan is opened and the scan completes, a "Trojan found" or "risk file found" dialog box can pop up to warn the user that the package contains a Trojan, so that the user becomes more vigilant, deletes the compressed package, and so on. Figure 6 is a schematic diagram of the prompt dialog box shown after a Trojan is found; Figure 7 is a schematic diagram of the prompt dialog box shown after a risk file is found.
According to embodiments of the invention, after a compressed package containing a Trojan is opened and the scan completes, if the user double-clicks a program file containing a Trojan, a blocking dialog box can pop up and the user is not allowed to open the file. Figure 8 is a schematic diagram of the blocking dialog box that pops up when the user tries to double-click a file containing a Trojan program in the compressed package.
According to embodiments of the invention, after a compressed package containing a Trojan is opened and the scan completes, the user can be prompted to take Trojan-removal actions, such as removing the Trojan from the current compressed package.
Figure 9 shows the view after a Trojan has been found and removed; the file that was originally marked "suspected Trojan" in the security attribute column is now marked "safe".
According to embodiments of the invention, when the security scan is carried out after the compressed package is opened, the user is forbidden from executing files in the compressed package until the scan is complete. Figure 10 is a schematic diagram of the dialog box that pops up when the user tries to open a program in the compressed package before the scan has finished.
According to embodiments of the invention, when a compressed package is decompressed, a Trojan scan can be carried out before decompression. Figure 11 shows the view of the security scan carried out on the compressed package before decompression. After the scan completes, the user is told the security level of the compressed package, whether it is dangerous, and so on; Figure 12 is a schematic diagram of the security status shown after the pre-decompression security scan has finished. This step can also scan and remove while decompressing, with the same effect.
When a compressed package is decompressed and a Trojan is found, decompression of that Trojan is simply skipped, so that the user has no Trojan to click and accidental clicks are prevented. Figure 13 is a schematic diagram of a Trojan being found and decompression of that file being skipped.
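The pre-scan, labeling and skip-on-decompression steps described above, as an added Python example that is not part of the original text. It assumes a ZIP archive, substitutes a SHA-256 lookup for signature scanning, and uses a file-extension rule for the "risk" label; the function names, signature set and sample archive are constructed for illustration.

```python
import hashlib
import io
import os
import zipfile

# Constructed data: a harmless byte string standing in for a Trojan sample.
SAMPLE_TROJAN = b"constructed-sample-payload-standing-in-for-a-trojan"
SIGNATURES = {hashlib.sha256(SAMPLE_TROJAN).hexdigest()}  # assumed signature DB
RISKY_EXTENSIONS = {".exe", ".scr", ".bat"}  # assumed rule for the "risk" label


def scan_member(name, data):
    """Return 'trojan', 'risk' or 'safe' for one archive member."""
    if hashlib.sha256(data).hexdigest() in SIGNATURES:
        return "trojan"
    if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
        return "risk"
    return "safe"


def scan_archive(zf):
    """Pre-scan: label every file member before anything is written to disk."""
    return {info.filename: scan_member(info.filename, zf.read(info))
            for info in zf.infolist() if not info.is_dir()}


def safe_extract(archive, dest):
    """Scan first, then decompress, skipping members labeled 'trojan'."""
    with zipfile.ZipFile(archive) as zf:
        labels = scan_archive(zf)
        extracted = []
        for name, label in labels.items():
            if label == "trojan":
                continue  # isolation step: the file never reaches the disk
            zf.extract(name, dest)
            extracted.append(name)
    return labels, extracted


def build_sample_archive():
    """Constructed in-memory archive with one member for each label."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"hello")
        zf.writestr("tool.exe", b"benign constructed bytes")
        zf.writestr("video.exe", SAMPLE_TROJAN)
    return buf
```

Calling `safe_extract(build_sample_archive(), some_directory)` returns the per-file labels and the list of files actually written; the member labeled "trojan" is absent from the output directory.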
With the present invention, the computer system can scan for and remove malicious programs more conveniently, and the user can learn in advance, and more intuitively, whether a compressed package contains a malicious program and can be better prevented from clicking it. When no conventional antivirus software is installed on the computer, when the installed antivirus software is not powerful enough, or when the user is not in the habit of scanning for viruses regularly, the present invention is even more effective.