CN102346827A - Method and device for handling computer viruses - Google Patents
Method and device for handling computer viruses Download PDFInfo
- Publication number
- CN102346827A CN102346827A CN2011102777463A CN201110277746A CN102346827A CN 102346827 A CN102346827 A CN 102346827A CN 2011102777463 A CN2011102777463 A CN 2011102777463A CN 201110277746 A CN201110277746 A CN 201110277746A CN 102346827 A CN102346827 A CN 102346827A
- Authority
- CN
- China
- Prior art keywords
- file
- scanned
- scan mode
- virus scan
- scanning
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 241000700605 Viruses Species 0.000 title claims abstract description 175
- 238000000034 method Methods 0.000 title claims abstract description 63
- 230000008569 process Effects 0.000 claims description 36
- 230000002155 anti-virotic effect Effects 0.000 claims description 17
- 230000008878 coupling Effects 0.000 claims description 17
- 238000010168 coupling process Methods 0.000 claims description 17
- 238000005859 coupling reaction Methods 0.000 claims description 17
- 230000004048 modification Effects 0.000 claims description 17
- 238000012986 modification Methods 0.000 claims description 17
- 230000009977 dual effect Effects 0.000 claims description 6
- 238000010586 diagram Methods 0.000 description 10
- 238000005516 engineering process Methods 0.000 description 5
- 230000003612 virological effect Effects 0.000 description 5
- 239000012467 final product Substances 0.000 description 2
- 230000013011 mating Effects 0.000 description 2
- 238000013473 artificial intelligence Methods 0.000 description 1
- 230000006399 behavior Effects 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 230000000295 complement effect Effects 0.000 description 1
- 238000004590 computer program Methods 0.000 description 1
- 230000006378 damage Effects 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 238000012797 qualification Methods 0.000 description 1
- 238000011160 research Methods 0.000 description 1
Images
Landscapes
- Storage Device Security (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The embodiment of the invention discloses a method and device for handling computer viruses. A plurality of virus scanning modes are preset; and system resources occupied by the plurality of virus scanning modes during scanning files are different. The method comprises the following steps of: acquiring files to be scanned; and calling corresponding virus scanning modes to scan the files to be scanned according to the sequence from small to large that the virus scanning modes occupy the system resources. The embodiment of the invention is applied to scanning the viruses and the corresponding virus scanning modes are called according to the sequence from small to large that the virus scanning modes occupy the system resources, so that the viruses are scanned by using the virus scanning mode occupying fewer the system resources, such as a memory scanning mode, further the amount of the files required to be scanned by the virus scanning modes occupying more system resources is reduced, the virus scanning speed of the system is improved and the system resources are saved.
Description
Technical field
The application relates to field of computer technology, particularly relates to a kind of method and device of process computer virus.
Background technology
Computer virus is the data of establishment or the destruction computer function that in computer program, inserts, its can influence computing machine normal use and can self-replacation, the form with a set of computer instructions or program code appears usually.And antivirus engine be exactly one the cover judge whether the specific program behavior is the Virus technology mechanism of (comprising suspicious program).Antivirus engine is the major part of antivirus software, is the program that detects and find virus, and virus base is the characteristic set of the virus that has been found that.In the virus killing process, remove to contrast all programs or file in the machine with the characteristic in the virus base, for program that meets these characteristics or file, be judged to be virus.
The inventor finds in the research process to prior art; The process that adopts antivirus engine to kill virus each time is independent mutually; Promptly once adopt antivirus engine file is scanned which kind of result of back output before no matter; Still adopt antivirus engine that All Files is scanned, the virus document type of finding in twice scanning process in front and back maybe be identical next time.Hence one can see that, though antivirus engine has the powerful characteristics of virus killing, when each employing antivirus engine scans All Files, all will take a large amount of system resource.
Summary of the invention
The application embodiment provides the method and the device of a kind of process computer virus, kills virus each time and all All Files is scanned to solve existing antivirus engine, takies the problem of a large amount of system resources.
In order to solve the problems of the technologies described above, the application embodiment discloses following technical scheme:
The method of a kind of process computer virus is provided with some virus scan modes in advance, and said some virus scan modes shared system resource when carrying out file scan is different, and said method comprises:
Obtain file to be scanned;
According to said some virus scan mode occupying system resources order from small to large, call corresponding virus scan mode said file to be scanned is scanned.
Said some virus scan modes comprise the first virus scan mode and the second virus scan mode at least, and the system resource that the said first virus scan mode takies is less than the said second virus scan mode;
Saidly call corresponding virus scan mode and said file to be scanned is scanned comprise:
Call the said first virus scan mode said file to be scanned is scanned, obtain the definite file in the said file to be scanned;
Calling the said second virus scan mode only scans other file except that said definite file in the said file to be scanned.
Said some virus scan modes comprise following dual mode at least according to occupying system resources series arrangement from small to large:
Carry out the internal memory scan mode of virus scan according to the scanning result of the scanning document of preserving in the buffer memory; Said scanning result comprises the file attribute information of confirming as malice file or non-malice file, and said file attribute information comprises file size, file modification time and file path;
A single scan mode that carries out virus scan through the blacklist preserved in advance and at least a list in the white list;
Carry out the engine scan mode of virus scan through antivirus engine.
Said according to some virus scan mode occupying system resources order from small to large, call corresponding virus scan mode and file to be scanned is scanned comprise:
Call said internal memory scan mode said file to be scanned is scanned, obtain to comprise first first scanning result of confirming file;
Call said name single scan mode and only confirm that to removing said first in the said file to be scanned other file of file scans, obtain to comprise second second scanning result of confirming file;
Call said engine scan mode and only confirm that to removing said second in said other file the residue file of file scans, obtain to comprise the 3rd the 3rd scanning result of confirming file.
Adopting the internal memory scan mode that said file to be scanned is scanned comprises:
Obtain the file attribute information of file to be scanned;
The file attribute information of preserving in said file attribute information and the buffer memory is mated;
When the file attribute coupling of preserving in the file attribute of file to be scanned and the buffer memory; Said file to be scanned is confirmed as malice file or non-malice file; When the file attribute of preserving in the file attribute of file to be scanned and the buffer memory does not match, said file to be scanned is confirmed as other file that scans through the name single scan mode.
Blacklist through preserving in advance comprises scanning through other file that removes said first definite file after the scanning of internal memory scan mode:
The filename of preserving in advance in the filename of each file in said other file and the said blacklist is compared; When the filename of certain file and said filename coupling of preserving in advance, confirm that said certain file is to belong to the said second malice file of confirming file;
White list through preserving in advance comprises scanning through other file that removes said first definite file after the scanning of internal memory scan mode:
The filename of preserving in advance in the filename of each file in said other file and the said white list is compared; When the filename of certain file and said filename coupling of preserving in advance, confirm that said certain file is to belong to the said second non-malice file of confirming file.
Also comprise:
According to the scanning result of file to be scanned, confirm that with said second the file attribute of file and the 3rd definite file deposits in the buffer memory.
A kind of device of process computer virus, said device comprises:
The unit is set, is used for being provided with in advance some virus scan modes, said some virus scan modes shared system resource when carrying out file scan is different;
Acquiring unit is used to obtain file to be scanned;
Scanning element is used for calling corresponding virus scan mode said file to be scanned being scanned according to the order of said some virus scan mode occupying system resources from little arrival.
The said some virus scan modes that are provided with in the unit that are provided with comprise the first virus scan mode and the second virus scan mode at least, and the system resource that the said first virus scan mode takies is less than the said second virus scan mode;
Said scanning element comprises:
First calls scanning element, is used to call the said first virus scan mode said file to be scanned is scanned, and obtains the definite file in the said file to be scanned;
Second calls scanning element, is used for calling the said second virus scan mode and only said file to be scanned other file except that said definite file is scanned, and obtains second scanning result.
Said be provided with some virus scan modes that the unit is provided with according to occupying system resources from little arrival series arrangement, comprise following dual mode at least:
Carry out the internal memory scan mode of virus scan according to the scanning result of the scanning document of preserving in the buffer memory; Said scanning result comprises the file attribute of confirming as malice file or non-malice file, and said file attribute comprises file size, file modification time and file path;
A single scan mode that carries out virus scan through the blacklist preserved in advance and at least a list in the white list;
Through spending the engine scan mode that engine carries out virus scan less.
Said scanning element comprises:
First scanning element is used to call said internal memory scan mode said file to be scanned is scanned, and obtains to comprise first first scanning result of confirming file;
Second scanning element is used for calling said name single scan mode and only said file to be scanned is confirmed that except that said first other file of file scans, and obtains to comprise second second scanning result of confirming file;
The 3rd scanning element is used for calling said engine scan mode and only said other file is confirmed that except that said second the residue file of file scans, and obtains to comprise the 3rd the 3rd scanning result of confirming file.
First scanning element comprises:
Information acquisition unit is used to obtain the file attribute information of file to be scanned;
The information matches unit is used for the file attribute information that said file attribute information and buffer memory are preserved is mated;
The result confirms the unit; When the file attribute that is used for preserving when the file attribute and the buffer memory of file to be scanned mates; Said file to be scanned is confirmed as malice file or non-malice file; When the file attribute of preserving in the file attribute of file to be scanned and the buffer memory does not match, said file to be scanned is confirmed as other file that scans through the name single scan mode.
Said second scanning element comprises at least one following unit:
The blacklist scanning element; The filename that is used for preserving in advance in the filename of each file of said other file and the said blacklist compares; When the filename of certain file and said filename coupling of preserving in advance, confirm that said certain file is to belong to the said second malice file of confirming file;
The white list scanning element; The filename that is used for preserving in advance in the filename of each file of said other file and the said white list compares; When the filename of certain file and said filename coupling of preserving in advance, confirm that said certain file is to belong to the said second non-malice file of confirming file.
Also comprise:
Storage unit is used for the scanning result according to said second scanning element and the 3rd scanning element, confirms that with said second the file attribute of file and the 3rd definite file deposits in the buffer memory.
Can find out by the foregoing description; Some virus scan modes are set among the application embodiment in advance; These virus scan modes shared system resource when carrying out file scan is different; Obtain file to be scanned; According to some virus scan mode occupying system resources order from small to large, call corresponding virus scan mode and treat scanning document and scan.Use the application embodiment file is carried out virus scan; Because according to the corresponding virus scan mode of occupying system resources sequence call from small to large; Therefore can pass through the less virus scan mode of occupying system resources earlier; For example the internal memory scan mode scans file; Thereby reduce the quantity of documents of the bigger required scanning of virus scan mode of occupying system resources; Improve the virus scan speed of system thus, conserve system resources; Further, because the less internal memory scan mode of occupying system resources can be preserved the scanning result of preceding single pass, when therefore scanning once more, can confirm the scanning result of most of file through the internal memory scan mode, thereby further promote sweep velocity.
Description of drawings
In order to be illustrated more clearly in the application embodiment or technical scheme of the prior art; To do to introduce simply to the accompanying drawing of required use in embodiment or the description of the Prior Art below; Obviously; For those of ordinary skills; Under the prerequisite of not paying creative work property, can also obtain other accompanying drawing according to these accompanying drawings.
Fig. 1 is the first embodiment process flow diagram of the method for the application's process computer virus;
Fig. 2 is the second embodiment process flow diagram of the method for the application's process computer virus;
Fig. 3 is the 3rd an embodiment process flow diagram of the method for the application's process computer virus;
Fig. 4 is the first embodiment block diagram of the device of the application's process computer virus;
Fig. 5 is the second embodiment block diagram of the device of the application's process computer virus.
Embodiment
The following embodiment of the present invention provides the method and the device of process computer virus.Among the application embodiment because according to the corresponding virus scan mode of occupying system resources sequence call from small to large; Therefore can pass through the less virus scan mode of occupying system resources earlier; Thereby reduce the quantity of documents of the bigger required scanning of virus scan mode of occupying system resources; Improve the virus scan speed of system thus, conserve system resources.
In order to make those skilled in the art person understand the technical scheme in the embodiment of the invention better; And make the above-mentioned purpose of the embodiment of the invention, feature and advantage can be more obviously understandable, below in conjunction with accompanying drawing technical scheme in the embodiment of the invention done further detailed explanation.
Referring to Fig. 1, be the first embodiment process flow diagram of the viral method of the application's process computer:
Step 101: some virus scan modes are set in advance, and some virus scan modes shared system resource when carrying out file scan is different.
Wherein, Some virus scan modes are according to occupying system resources series arrangement from small to large; Comprise following dual mode at least: the internal memory scan mode of carrying out virus scan according to the scanning result of the scanning document of preserving in the buffer memory; Wherein scanning result comprises the file attribute information of confirming as malice file or non-malice file, and file attribute information comprises file size, file modification time and file path; A single scan mode that carries out virus scan through the blacklist preserved in advance and at least a list in the white list; Carry out the engine scan mode of virus scan through antivirus engine.
Step 102: obtain file to be scanned.
Step 103:, call corresponding virus scan mode and treat scanning document and scan according to some virus scan mode occupying system resources order from small to large.
Wherein, When some virus scan modes comprise the first virus scan mode and the second virus scan mode at least; And the system resource that the first virus scan mode takies is during less than the second virus scan mode; The first virus scan mode of calling is earlier treated scanning document and is scanned; Obtain the definite file in the file to be scanned, other file that the second virus scan mode of calling is then only treated in the scanning document except that confirming file scans.Wherein, confirm that file refers to confirm as the file of malice file or non-malice file.
Concrete; When adopting internal memory scan mode, name single scan mode and engine scan mode to treat scanning document simultaneously to scan; At first the invoke memory scan mode is treated scanning document and is scanned; Acquisition comprises first first scanning result of confirming file; Calling a single scan mode then only treats in the scanning document and to remove first and confirm that other file of file scans; Acquisition comprises second second scanning result of confirming file; Call the engine scan mode at last and only confirm that to removing second in other file the residue file of file scans, obtain to comprise the 3rd the 3rd scanning result of confirming file.
Referring to Fig. 2, be the second embodiment process flow diagram of the viral method of the application's process computer, this embodiment describes in detail and adopts three kinds of scan modes to treat the process that scanning document scans:
Step 201: be provided with in advance according to the tactic from small to large internal memory scan mode of occupying system resources, name single scan mode and engine scan mode.
Wherein, The internal memory scan mode refers to carry out virus scan according to the scanning result of the scanning document of preserving in the buffer memory; Scanning result comprises the file attribute information of confirming as malice file or non-malice file, and file attribute information comprises file size, file modification time and file path etc.; The name single scan mode refers to carry out virus scan through blacklist of preserving in advance and at least a list in the white list; The engine scan mode refers to carry out through antivirus engine the engine scan mode of virus scan.
Step 202: obtain file to be scanned.
Step 203: the invoke memory scan mode is treated scanning document and is scanned, and obtains to comprise first first scanning result of confirming file.
Obtain the file attribute information of file to be scanned, for example file size, file modification time and file path etc.System's file attribute record the attribute informations such as file size, modification time and file path of this document after being modified for the last time, attribute information carries out real-time update according to file modifying.
The file attribute information of preserving in file attribute information and the buffer memory is mated; When the file attribute coupling of preserving in the file attribute of file to be scanned and the buffer memory; File to be scanned is confirmed as malice file or non-malice file; When the file attribute of preserving in the file attribute of file to be scanned and the buffer memory does not match, file to be scanned is confirmed as other file that scans through the name single scan mode.Because file attribute information comprises multiple information, therefore when mating, can mate one by one each attribute information according to preset order, for example, first matching files size, next matching files modification time, last matching files path etc.Wherein, When all properties information of a certain file all with buffer memory in the file attribute information preserved when consistent; The file attribute coupling of just preserving in file attribute of definite this document and the buffer memory; When the file attribute information of preserving in any one attribute information of a certain file and the buffer memory is inconsistent, confirm that then the file attribute of preserving in file attribute and the buffer memory of this document does not match.
Carry out virus scan because the internal memory scan mode is the scanning result according to the scanning document of preserving in the buffer memory, therefore the definite file in first scanning result that obtains through coupling is a file set of having confirmed as malice file and non-malice file according to scanning last time.Because the memory information reading speed is fast, and the variation that virus document takes place in twice scanning process in front and back is little, therefore can carry out killing to the most of file in the system through the internal memory scan mode, has therefore promoted killing speed, has practiced thrift system resource.
Step 204: call a single scan mode and only treat in the scanning document and to remove first and confirm that other file of file scans, obtain to comprise second second scanning result of confirming file.
When scanning through the blacklist of preserving in advance; The filename of preserving in advance in the filename of each file in other file and the blacklist is compared; When the filename of certain file mates with the filename of preserving in advance, confirm that certain file is to belong to the second malice file of confirming file; When scanning through the white list of preserving in advance; The filename of preserving in advance in the filename of each file in other file and the white list is compared; When the filename of certain file mates with the filename of preserving in advance, confirm that certain file is to belong to the second non-malice file of confirming file.
Wherein, white list safeguarded in client by the user usually, and the file that the user will confirm as non-malice joins in the white list to be preserved, information such as filename that can log file in the white list and file path; Blacklist is safeguarded by the antivirus software provider usually, according to monitoring the malice file of confirming is joined in the blacklist and preserves.
Step 205: call the engine scan mode and only confirm that to removing second in other file the residue file of file scans, obtain to comprise the 3rd the 3rd scanning result of confirming file.
When adopting the engine scan mode that the residue file is scanned; The antivirus engine that can adopt can comprise: cloud killing engine; QVM (Qihoo Virtual Machine, artificial intelligence engine) engine, arbitrarily existing already present antivirus engine such as little red umbrella antivirus engine.
Step 206:, confirm that with second file attribute of file and the 3rd definite file deposits in the buffer memory according to the scanning result of file to be scanned.
Because in this scanning process; Different with definite file of in buffer memory, preserving through the name single scan mode with the definite file in the scanning result that the engine scan mode obtains; Therefore in order further to improve virus scan speed next time; Confirm file and the 3rd file attribute of confirming file with second; Comprise that file size, file modification time and file path etc. record in the buffer memory, then can directly scan through the minimum internal memory scan mode of occupying system resources these files next time.
Referring to Fig. 3, be the 3rd embodiment process flow diagram of the viral method of the application's process computer, this embodiment shows in detail through the internal memory scan mode and treats the process that scanning document scans:
Step 301: preserve the scanning result of scanning document in the buffer memory in advance, this scanning result comprises the file attribute information of confirming as malice file or non-malice file, and file attribute information comprises file size, file modification time and file path.
Step 302: order is obtained a file in the file to be scanned.
Step 303: the file size, file modification time and the file path that obtain this document.
The file attribute record of system's file the attribute informations such as file size, modification time and file path of this document after being modified for the last time, attribute information carries out real-time update according to file modifying.
Step 304: whether the file size of judging this document mates with the file size of preserving in advance, if then execution in step 305, otherwise, execution in step 309.
Step 305: whether the file modification time of judging this document mates with the file modification time of preserving in advance, if then execution in step 306; Otherwise, execution in step 309.
Step 306: whether the file path of judging this document mates with the file path of preserving in advance, if then execution in step 307; Otherwise, execution in step 309.
Step 307: this document is confirmed as malice file or non-malice file according to matching result.
When all properties information of a certain file all with buffer memory in the file attribute information preserved when consistent; The file attribute coupling of just preserving in file attribute of definite this document and the buffer memory; If the file attribute information corresponding file that be complementary in the internal memory this moment is the malice file; Then the scanning result of this document is the malice file; If the file attribute information corresponding file of mating in the internal memory is non-malice file, then the scanning result of this document is non-malice file.
Carry out virus scan because the internal memory scan mode is the scanning result according to the scanning document of preserving in the buffer memory, therefore the definite file in first scanning result that obtains through coupling is a file set of having confirmed as malice file and non-malice file according to scanning last time.Because the memory information reading speed is fast, and the variation that virus document takes place in twice scanning process in front and back is little, therefore can carry out killing to the most of file in the system through the internal memory scan mode, has therefore promoted killing speed, has practiced thrift system resource.
Step 308: this document is confirmed as the file that need scan through other scan mode.
When the file attribute information of preserving in any one attribute information of a certain file and the buffer memory is inconsistent, confirm that then the file attribute of preserving in file attribute and the buffer memory of this document does not match.At this moment, this document is described for scanning through other scan mode of removing the internal memory scan mode, for example, through the name single scan mode shown in the previous embodiment, and/or the engine scan mode.
Step 309: whether mated all files to be scanned, if, process ends then, otherwise, step 302 returned.
Visible by above-mentioned the application embodiment; When file is carried out virus scan; Because according to the corresponding virus scan mode of occupying system resources sequence call from small to large; Therefore can pass through the less virus scan mode of occupying system resources earlier; For example the internal memory scan mode scans file; Thereby reduce the quantity of documents of the bigger required scanning of virus scan mode of occupying system resources, improve the virus scan speed of system thus, conserve system resources; Further, because the less internal memory scan mode of occupying system resources can be preserved the scanning result of preceding single pass, when therefore scanning once more, can confirm the scanning result of most of file through the internal memory scan mode, thereby further promote sweep velocity.
Corresponding with the embodiment of the method for the application's process computer virus, the application also provides the embodiment of the device of process computer virus.
Referring to Fig. 4, be the first embodiment block diagram of the viral device of the application's process computer:
This device comprises: unit 410, acquiring unit 420 and scanning element 430 are set.
Wherein, unit 410 is set, is used for being provided with in advance some virus scan modes, said some virus scan modes shared system resource when carrying out file scan is different;
Acquiring unit 420 is used to obtain file to be scanned;
Wherein, the said some virus scan modes that are provided with in the unit 410 that are provided with comprise the first virus scan mode and the second virus scan mode at least, and the system resource that the said first virus scan mode takies is less than the said second virus scan mode;
Said scanning element 430 can specifically comprise (not shown among Fig. 4):
First calls scanning element, is used to call the said first virus scan mode said file to be scanned is scanned, and obtains the definite file in the said file to be scanned;
Second calls scanning element, is used for calling the said second virus scan mode and only said file to be scanned other file except that said definite file is scanned, and obtains second scanning result.
Referring to Fig. 5, be the second embodiment block diagram of the viral device of the application's process computer:
This device comprises: unit 510, acquiring unit 520, scanning element 530 and storage unit 540 are set.
Wherein, unit 510 is set, is used for being provided with in advance some virus scan modes, said some virus scan modes shared system resource when carrying out file scan is different; Wherein, Said be provided with some virus scan modes that the unit is provided with according to occupying system resources from little arrival series arrangement; Comprise following dual mode at least: the internal memory scan mode of carrying out virus scan according to the scanning result of the scanning document of preserving in the buffer memory; Said scanning result comprises the file attribute of confirming as malice file or non-malice file, and said file attribute comprises file size, file modification time and file path; A single scan mode that carries out virus scan through the blacklist preserved in advance and at least a list in the white list; Through spending the engine scan mode that engine carries out virus scan less;
Acquiring unit 520 is used to obtain file to be scanned;
Concrete, first scanning element 531 can comprise (not shown among Fig. 5):
Information acquisition unit is used to obtain the file attribute information of file to be scanned;
The information matches unit is used for the file attribute information that said file attribute information and buffer memory are preserved is mated;
The result confirms the unit; When the file attribute that is used for preserving when the file attribute and the buffer memory of file to be scanned mates; Said file to be scanned is confirmed as malice file or non-malice file; When the file attribute of preserving in the file attribute of file to be scanned and the buffer memory does not match, said file to be scanned is confirmed as other file that scans through the name single scan mode.
Concrete, second scanning element 532 can comprise (not shown among Fig. 5):
The blacklist scanning element; The filename that is used for preserving in advance in the filename of each file of said other file and the said blacklist compares; When the filename of certain file and said filename coupling of preserving in advance, confirm that said certain file is to belong to the said second malice file of confirming file;
The white list scanning element; The filename that is used for preserving in advance in the filename of each file of said other file and the said white list compares; When the filename of certain file and said filename coupling of preserving in advance, confirm that said certain file is to belong to the said second non-malice file of confirming file.
Description through to above embodiment can be known; Some virus scan modes are set among the application embodiment in advance; These virus scan modes shared system resource when carrying out file scan is different; Obtain file to be scanned; According to some virus scan mode occupying system resources order from small to large, call corresponding virus scan mode and treat scanning document and scan.Use the application embodiment file is carried out virus scan; Because according to the corresponding virus scan mode of occupying system resources sequence call from small to large; Therefore can pass through the less virus scan mode of occupying system resources earlier; For example the internal memory scan mode scans file; Thereby reduce the quantity of documents of the bigger required scanning of virus scan mode of occupying system resources; Improve the virus scan speed of system thus, conserve system resources; Further, because the less internal memory scan mode of occupying system resources can be preserved the scanning result of preceding single pass, when therefore scanning once more, can confirm the scanning result of most of file through the internal memory scan mode, thereby further promote sweep velocity.
The technology that those skilled in the art can be well understood in the embodiment of the invention can realize by the mode that software adds essential general hardware platform.Based on such understanding; The part that technical scheme in the embodiment of the invention contributes to prior art in essence in other words can be come out with the embodied of software product; This computer software product can be stored in the storage medium; Like ROM/RAM, magnetic disc, CD etc.; Comprise that some instructions are with so that a computer equipment (can be a personal computer; Server, the perhaps network equipment etc.) carry out the described method of some part of each embodiment of the present invention or embodiment.
Each embodiment in this instructions all adopts the mode of going forward one by one to describe, and identical similar part is mutually referring to getting final product between each embodiment, and each embodiment stresses all is the difference with other embodiment.Especially, for system embodiment, because it is basically similar in appearance to method embodiment, so description is fairly simple, relevant part gets final product referring to the part explanation of method embodiment.
Above-described embodiment of the present invention does not constitute the qualification to protection domain of the present invention.Any modification of within spirit of the present invention and principle, being done, be equal to replacement and improvement etc., all should be included within protection scope of the present invention.
Claims (14)
1. the method for process computer virus is characterized in that, some virus scan modes are set in advance, and said some virus scan modes shared system resource when carrying out file scan is different, and said method comprises:
Obtain file to be scanned;
According to said some virus scan mode occupying system resources order from small to large, call corresponding virus scan mode said file to be scanned is scanned.
2. method according to claim 1; It is characterized in that; Said some virus scan modes comprise the first virus scan mode and the second virus scan mode at least, and the system resource that the said first virus scan mode takies is less than the said second virus scan mode;
Saidly call corresponding virus scan mode and said file to be scanned is scanned comprise:
Call the said first virus scan mode said file to be scanned is scanned, obtain the definite file in the said file to be scanned;
Calling the said second virus scan mode only scans other file except that said definite file in the said file to be scanned.
3. method according to claim 1 is characterized in that, said some virus scan modes comprise following dual mode at least according to occupying system resources series arrangement from small to large:
Carry out the internal memory scan mode of virus scan according to the scanning result of the scanning document of preserving in the buffer memory; Said scanning result comprises the file attribute information of confirming as malice file or non-malice file, and said file attribute information comprises file size, file modification time and file path;
A single scan mode that carries out virus scan through the blacklist preserved in advance and at least a list in the white list;
Carry out the engine scan mode of virus scan through antivirus engine.
4. method according to claim 3 is characterized in that, and is said according to some virus scan mode occupying system resources order from small to large, calls corresponding virus scan mode and file to be scanned is scanned comprises:
Call said internal memory scan mode said file to be scanned is scanned, obtain to comprise first first scanning result of confirming file;
Call said name single scan mode and only confirm that to removing said first in the said file to be scanned other file of file scans, obtain to comprise second second scanning result of confirming file;
Call said engine scan mode only to confirming that except that said second the residue file the file scans in said other file, obtain to comprise the 3rd the 3rd scanning result of confirming file.
5. method according to claim 4 is characterized in that, adopts the internal memory scan mode that said file to be scanned is scanned and comprises:
Obtain the file attribute information of file to be scanned;
The file attribute information of preserving in said file attribute information and the buffer memory is mated;
When the file attribute coupling of preserving in the file attribute of file to be scanned and the buffer memory; Said file to be scanned is confirmed as malice file or non-malice file; When the file attribute of preserving in the file attribute of file to be scanned and the buffer memory does not match, said file to be scanned is confirmed as other file that scans through the name single scan mode.
6. method according to claim 4 is characterized in that,
Blacklist through preserving in advance comprises scanning through other file that removes said first definite file after the scanning of internal memory scan mode:
The filename of preserving in advance in the filename of each file in said other file and the said blacklist is compared; When the filename of certain file and said filename coupling of preserving in advance, confirm that said certain file is to belong to the said second malice file of confirming file;
White list through preserving in advance comprises scanning through other file that removes said first definite file after the scanning of internal memory scan mode:
The filename of preserving in advance in the filename of each file in said other file and the said white list is compared; When the filename of certain file and said filename coupling of preserving in advance, confirm that said certain file is to belong to the said second non-malice file of confirming file.
7. method according to claim 4 is characterized in that, also comprises:
According to the scanning result of file to be scanned, confirm that with said second the file attribute of file and the 3rd definite file deposits in the buffer memory.
8. the device of process computer virus is characterized in that said device comprises:
The unit is set, is used for being provided with in advance some virus scan modes, said some virus scan modes shared system resource when carrying out file scan is different;
Acquiring unit is used to obtain file to be scanned;
Scanning element is used for calling corresponding virus scan mode said file to be scanned being scanned according to the order of said some virus scan mode occupying system resources from little arrival.
9. device according to claim 8; It is characterized in that; The said some virus scan modes that are provided with in the unit that are provided with comprise the first virus scan mode and the second virus scan mode at least, and the system resource that the said first virus scan mode takies is less than the said second virus scan mode;
Said scanning element comprises:
First calls scanning element, is used to call the said first virus scan mode said file to be scanned is scanned, and obtains the definite file in the said file to be scanned;
Second calls scanning element, is used for calling the said second virus scan mode and only said file to be scanned other file except that said definite file is scanned, and obtains second scanning result.
10. device according to claim 8 is characterized in that, said be provided with some virus scan modes that the unit is provided with according to occupying system resources from little arrival series arrangement, comprise following dual mode at least:
Carry out the internal memory scan mode of virus scan according to the scanning result of the scanning document of preserving in the buffer memory; Said scanning result comprises the file attribute of confirming as malice file or non-malice file, and said file attribute comprises file size, file modification time and file path;
A single scan mode that carries out virus scan through the blacklist preserved in advance and at least a list in the white list;
Through spending the engine scan mode that engine carries out virus scan less.
11. device according to claim 10 is characterized in that, said scanning element comprises:
First scanning element is used to call said internal memory scan mode said file to be scanned is scanned, and obtains to comprise first first scanning result of confirming file;
Second scanning element is used for calling said name single scan mode and only said file to be scanned is confirmed that except that said first other file of file scans, and obtains to comprise second second scanning result of confirming file;
The 3rd scanning element is used for calling said engine scan mode and only said other file is confirmed that except that said second the residue file of file scans, and obtains to comprise the 3rd the 3rd scanning result of confirming file.
12. device according to claim 11 is characterized in that, first scanning element comprises:
Information acquisition unit is used to obtain the file attribute information of file to be scanned;
The information matches unit is used for the file attribute information that said file attribute information and buffer memory are preserved is mated;
The result confirms the unit; When the file attribute that is used for preserving when the file attribute and the buffer memory of file to be scanned mates; Said file to be scanned is confirmed as malice file or non-malice file; When the file attribute of preserving in the file attribute of file to be scanned and the buffer memory does not match, said file to be scanned is confirmed as other file that scans through the name single scan mode.
13. device according to claim 11 is characterized in that, said second scanning element comprises at least one following unit:
The blacklist scanning element; The filename that is used for preserving in advance in the filename of each file of said other file and the said blacklist compares; When the filename of certain file and said filename coupling of preserving in advance, confirm that said certain file is to belong to the said second malice file of confirming file;
The white list scanning element; The filename that is used for preserving in advance in the filename of each file of said other file and the said white list compares; When the filename of certain file and said filename coupling of preserving in advance, confirm that said certain file is to belong to the said second non-malice file of confirming file.
14. device according to claim 11 is characterized in that, also comprises:
Storage unit is used for the scanning result according to said second scanning element and the 3rd scanning element, confirms that with said second the file attribute of file and the 3rd definite file deposits in the buffer memory.
Priority Applications (5)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110277746.3A CN102346827B (en) | 2011-09-19 | 2011-09-19 | Method and device for handling computer viruses |
| CN201410268281.9A CN104063662B (en) | 2011-09-19 | 2011-09-19 | Method and device for processing computer virus |
| US14/345,649 US20150020203A1 (en) | 2011-09-19 | 2012-09-19 | Method and device for processing computer viruses |
| PCT/CN2012/081574 WO2013041016A1 (en) | 2011-09-19 | 2012-09-19 | Method and device for processing computer viruses |
| US14/859,791 US10165001B2 (en) | 2011-09-19 | 2015-09-21 | Method and device for processing computer viruses |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110277746.3A CN102346827B (en) | 2011-09-19 | 2011-09-19 | Method and device for handling computer viruses |
Related Child Applications (2)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410268598.2A Division CN104063663A (en) | 2011-09-19 | 2011-09-19 | Computer virus scan method |
| CN201410268281.9A Division CN104063662B (en) | 2011-09-19 | 2011-09-19 | Method and device for processing computer virus |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102346827A true CN102346827A (en) | 2012-02-08 |
| CN102346827B CN102346827B (en) | 2014-11-05 |
Family
ID=45545496
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201110277746.3A Active CN102346827B (en) | 2011-09-19 | 2011-09-19 | Method and device for handling computer viruses |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102346827B (en) |
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102789562A (en) * | 2012-07-19 | 2012-11-21 | 腾讯科技(深圳)有限公司 | Method and device for determining viral file |
| WO2013041016A1 (en) * | 2011-09-19 | 2013-03-28 | 北京奇虎科技有限公司 | Method and device for processing computer viruses |
| CN103020524A (en) * | 2012-12-11 | 2013-04-03 | 北京奇虎科技有限公司 | Computer virus monitoring system |
| CN103049695A (en) * | 2012-12-11 | 2013-04-17 | 北京奇虎科技有限公司 | Computer virus monitoring method and device |
| CN103093145A (en) * | 2013-01-18 | 2013-05-08 | 北京奇虎科技有限公司 | Method and device and system for scanning mobile storage device |
| CN103559443A (en) * | 2013-11-01 | 2014-02-05 | 北京奇虎科技有限公司 | Virus scanning method and device for multi-core device |
| CN104063662A (en) * | 2011-09-19 | 2014-09-24 | 北京奇虎科技有限公司 | Method and device for processing computer virus |
| CN104317955A (en) * | 2014-11-13 | 2015-01-28 | 北京奇虎科技有限公司 | File scanning method and device for storage space of mobile terminal |
| CN108133154A (en) * | 2017-12-25 | 2018-06-08 | 北京奇安信科技有限公司 | A kind of method and device stored to file |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1375775A (en) * | 2001-03-16 | 2002-10-23 | 联想(北京)有限公司 | Geteway level computer network virus preventing method and device |
| CN101651678A (en) * | 2009-09-11 | 2010-02-17 | 北京锐安科技有限公司 | Method and system for dynamically merging files and respectively executing merged PE files in network |
| CN101685486A (en) * | 2008-09-23 | 2010-03-31 | 联想(北京)有限公司 | Virus killing method and virus killing system with multiple antivirus engines |
-
2011
- 2011-09-19 CN CN201110277746.3A patent/CN102346827B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1375775A (en) * | 2001-03-16 | 2002-10-23 | 联想(北京)有限公司 | Geteway level computer network virus preventing method and device |
| CN101685486A (en) * | 2008-09-23 | 2010-03-31 | 联想(北京)有限公司 | Virus killing method and virus killing system with multiple antivirus engines |
| CN101651678A (en) * | 2009-09-11 | 2010-02-17 | 北京锐安科技有限公司 | Method and system for dynamically merging files and respectively executing merged PE files in network |
Cited By (18)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2013041016A1 (en) * | 2011-09-19 | 2013-03-28 | 北京奇虎科技有限公司 | Method and device for processing computer viruses |
| US10165001B2 (en) | 2011-09-19 | 2018-12-25 | Beijing Qihoo Technology Company Limited | Method and device for processing computer viruses |
| CN104063662A (en) * | 2011-09-19 | 2014-09-24 | 北京奇虎科技有限公司 | Method and device for processing computer virus |
| CN102789562A (en) * | 2012-07-19 | 2012-11-21 | 腾讯科技(深圳)有限公司 | Method and device for determining viral file |
| WO2014012494A1 (en) * | 2012-07-19 | 2014-01-23 | Tencent Technology (Shenzhen) Company Limited | Method and apparatus for determining virus-infected files |
| CN102789562B (en) * | 2012-07-19 | 2014-11-12 | 腾讯科技(深圳)有限公司 | Method and device for determining viral file |
| US9268939B2 (en) | 2012-07-19 | 2016-02-23 | Tencent Technology (Shenzhen) Company Limited | Method and apparatus for determining virus-infected files |
| CN103049695B (en) * | 2012-12-11 | 2015-12-09 | 北京奇虎科技有限公司 | A kind of method for supervising of computer virus and device |
| CN103020524A (en) * | 2012-12-11 | 2013-04-03 | 北京奇虎科技有限公司 | Computer virus monitoring system |
| CN103049695A (en) * | 2012-12-11 | 2013-04-17 | 北京奇虎科技有限公司 | Computer virus monitoring method and device |
| CN103020524B (en) * | 2012-12-11 | 2015-08-05 | 北京奇虎科技有限公司 | Computer virus supervisory system |
| CN103093145A (en) * | 2013-01-18 | 2013-05-08 | 北京奇虎科技有限公司 | Method and device and system for scanning mobile storage device |
| CN103093145B (en) * | 2013-01-18 | 2016-01-13 | 北京奇虎科技有限公司 | A kind of methods, devices and systems scanning movable storage device |
| CN103559443B (en) * | 2013-11-01 | 2017-07-14 | 北京奇虎科技有限公司 | The virus scan method and apparatus of device for multi-core |
| CN103559443A (en) * | 2013-11-01 | 2014-02-05 | 北京奇虎科技有限公司 | Virus scanning method and device for multi-core device |
| CN104317955A (en) * | 2014-11-13 | 2015-01-28 | 北京奇虎科技有限公司 | File scanning method and device for storage space of mobile terminal |
| CN104317955B (en) * | 2014-11-13 | 2017-10-13 | 北京奇虎科技有限公司 | File scanning method and device in a kind of mobile terminal memory space |
| CN108133154A (en) * | 2017-12-25 | 2018-06-08 | 北京奇安信科技有限公司 | A kind of method and device stored to file |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102346827B (en) | 2014-11-05 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102346827B (en) | Method and device for handling computer viruses | |
| CN102279917B (en) | Multi-antivirus engine parallel antivirus method and system | |
| US20200177552A1 (en) | Methods and apparatus for malware threat research | |
| Homayoun et al. | A blockchain-based framework for detecting malicious mobile applications in app stores | |
| Crussell et al. | Scalable semantics-based detection of similar android applications | |
| CN103559443B (en) | The virus scan method and apparatus of device for multi-core | |
| CN102194072B (en) | Method, device and system used for handling computer virus | |
| US8914889B2 (en) | False alarm detection for malware scanning | |
| US20190147163A1 (en) | Inferential exploit attempt detection | |
| CN101414327B (en) | Method for file protection | |
| CN110717183B (en) | Virus checking and killing method, device, equipment and storage medium | |
| CN105844146B (en) | Method and device for protecting driver and electronic equipment | |
| CN113411314B (en) | Method and device for attracting attacker to access honeypot system and electronic device | |
| CN103384240A (en) | P2P active defense method and system | |
| Mansoori et al. | YALIH, yet another low interaction honeyclient | |
| CN102314571B (en) | Method and device for processing computer viruses | |
| CN107479874B (en) | DLL injection method and system based on Windows platform | |
| CN114003904B (en) | Information sharing method, device, computer equipment and storage medium | |
| CN106203105B (en) | File management method and device | |
| CN103473350A (en) | File processing method and equipment | |
| CN108268498B (en) | Processing method and device for batch crawler tasks | |
| CN102799812B (en) | Method and device for processing application program | |
| CN104063662A (en) | Method and device for processing computer virus | |
| CN104063663A (en) | Computer virus scan method | |
| US20230306114A1 (en) | Method and system for automatically generating malware signature |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C53 | Correction of patent of invention or patent application | ||
| CB03 | Change of inventor or designer information |
Inventor after: Zhou Hongdai Inventor after: Fu Fu Inventor after: Zou Guiqiang Inventor before: Fu Fu Inventor before: Zou Guiqiang |
|
| COR | Change of bibliographic data |
Free format text: CORRECT: INVENTOR; FROM: FU MIN ZOU GUIQIANG TO: ZHOU HONGYI FU MIN ZOU GUIQIANG |
|
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20211202 Address after: 300450 No. 9-3-401, No. 39, Gaoxin 6th Road, Binhai Science Park, high tech Zone, Binhai New Area, Tianjin Patentee after: 3600 Technology Group Co.,Ltd. Address before: The 4 layer 100025 unit of Beijing city Chaoyang District Jiuxianqiao Road No. 14 Building C Patentee before: Qizhi software (Beijing) Co.,Ltd. |
|
| TR01 | Transfer of patent right |
Effective date of registration: 20230711 Address after: 1765, floor 17, floor 15, building 3, No. 10 Jiuxianqiao Road, Chaoyang District, Beijing 100015 Patentee after: Beijing Hongxiang Technical Service Co.,Ltd. Address before: 300450 No. 9-3-401, No. 39, Gaoxin 6th Road, Binhai Science Park, high tech Zone, Binhai New Area, Tianjin Patentee before: 3600 Technology Group Co.,Ltd. |
|
| TR01 | Transfer of patent right |