Summary of the invention
The embodiments of the present application provide a method and a device for handling computer viruses, to solve the problem that an existing antivirus engine scans all files on every virus scan and therefore occupies a large amount of system resources.
To solve the above technical problem, the embodiments of the present application disclose the following technical solutions:
A method for handling computer viruses, in which several virus scan modes are set in advance, the virus scan modes differing in the system resources they occupy when scanning files, the method comprising:
obtaining the files to be scanned;
calling the corresponding virus scan modes to scan the files to be scanned, in ascending order of the system resources the virus scan modes occupy.
The several virus scan modes comprise at least a first virus scan mode and a second virus scan mode, the first virus scan mode occupying fewer system resources than the second virus scan mode;
Calling the corresponding virus scan modes to scan the files to be scanned comprises:
calling the first virus scan mode to scan the files to be scanned, obtaining the determined files among the files to be scanned;
calling the second virus scan mode to scan only the files other than the determined files among the files to be scanned.
The several virus scan modes, arranged in ascending order of the system resources they occupy, comprise at least two of the following modes:
a memory scan mode, which performs virus scanning according to the scan results of previously scanned files saved in a cache, the scan results comprising the file attribute information of files determined to be malicious or non-malicious, and the file attribute information comprising file size, file modification time and file path;
a list scan mode, which performs virus scanning using at least one of a blacklist and a whitelist saved in advance;
an engine scan mode, which performs virus scanning using an antivirus engine.
Calling the corresponding virus scan modes to scan the files to be scanned, in ascending order of the system resources the virus scan modes occupy, comprises:
calling the memory scan mode to scan the files to be scanned, obtaining a first scan result comprising first determined files;
calling the list scan mode to scan only the other files among the files to be scanned, excluding the first determined files, obtaining a second scan result comprising second determined files;
calling the engine scan mode to scan only the remaining files among the other files, excluding the second determined files, obtaining a third scan result comprising third determined files.
Scanning the files to be scanned with the memory scan mode comprises:
obtaining the file attribute information of a file to be scanned;
matching the file attribute information against the file attribute information saved in the cache;
when the file attributes of the file to be scanned match file attributes saved in the cache, determining the file to be a malicious file or a non-malicious file; when the file attributes of the file to be scanned do not match the file attributes saved in the cache, determining the file to be one of the other files to be scanned by the list scan mode.
Scanning, with the blacklist saved in advance, the other files that remain besides the first determined files after the memory scan comprises:
comparing the file name of each of the other files with the file names saved in advance in the blacklist, and, when the file name of a file matches a file name saved in advance, determining that file to be a malicious file belonging to the second determined files;
Scanning, with the whitelist saved in advance, the other files that remain besides the first determined files after the memory scan comprises:
comparing the file name of each of the other files with the file names saved in advance in the whitelist, and, when the file name of a file matches a file name saved in advance, determining that file to be a non-malicious file belonging to the second determined files.
The method further comprises:
storing, according to the scan results of the files to be scanned, the file attributes of the second determined files and the third determined files in the cache.
A device for handling computer viruses, the device comprising:
a setting unit, for setting several virus scan modes in advance, the virus scan modes differing in the system resources they occupy when scanning files;
an acquiring unit, for obtaining the files to be scanned;
a scanning unit, for calling the corresponding virus scan modes to scan the files to be scanned, in ascending order of the system resources the virus scan modes occupy.
The several virus scan modes set in the setting unit comprise at least a first virus scan mode and a second virus scan mode, the first virus scan mode occupying fewer system resources than the second virus scan mode;
The scanning unit comprises:
a first call scanning unit, for calling the first virus scan mode to scan the files to be scanned, obtaining the determined files among the files to be scanned;
a second call scanning unit, for calling the second virus scan mode to scan only the files other than the determined files among the files to be scanned, obtaining a second scan result.
The several virus scan modes set by the setting unit, arranged in ascending order of the system resources they occupy, comprise at least two of the following modes:
a memory scan mode, which performs virus scanning according to the scan results of previously scanned files saved in a cache, the scan results comprising the file attributes of files determined to be malicious or non-malicious, and the file attributes comprising file size, file modification time and file path;
a list scan mode, which performs virus scanning using at least one of a blacklist and a whitelist saved in advance;
an engine scan mode, which performs virus scanning using an antivirus engine.
The scanning unit comprises:
a first scanning unit, for calling the memory scan mode to scan the files to be scanned, obtaining a first scan result comprising first determined files;
a second scanning unit, for calling the list scan mode to scan only the other files among the files to be scanned, excluding the first determined files, obtaining a second scan result comprising second determined files;
a third scanning unit, for calling the engine scan mode to scan only the remaining files among the other files, excluding the second determined files, obtaining a third scan result comprising third determined files.
The first scanning unit comprises:
an information acquisition unit, for obtaining the file attribute information of a file to be scanned;
an information matching unit, for matching the file attribute information against the file attribute information saved in the cache;
a result determining unit, for determining the file to be scanned to be a malicious file or a non-malicious file when its file attributes match file attributes saved in the cache, and for determining the file to be one of the other files to be scanned by the list scan mode when its file attributes do not match the file attributes saved in the cache.
The second scanning unit comprises at least one of the following units:
a blacklist scanning unit, for comparing the file name of each of the other files with the file names saved in advance in the blacklist, and, when the file name of a file matches a file name saved in advance, determining that file to be a malicious file belonging to the second determined files;
a whitelist scanning unit, for comparing the file name of each of the other files with the file names saved in advance in the whitelist, and, when the file name of a file matches a file name saved in advance, determining that file to be a non-malicious file belonging to the second determined files.
The device further comprises:
a storage unit, for storing, according to the scan results of the second scanning unit and the third scanning unit, the file attributes of the second determined files and the third determined files in the cache.
As can be seen from the above, in the embodiments of the present application several virus scan modes are set in advance, which differ in the system resources they occupy when scanning files; the files to be scanned are obtained, and the corresponding virus scan modes are called to scan them in ascending order of the system resources the modes occupy. When files are scanned for viruses in this way, the scan modes are called in ascending order of resource use, so files can first be scanned by a mode that occupies fewer system resources, for example the memory scan mode. This reduces the number of files that the more resource-intensive scan modes have to scan, which raises the system's virus scanning speed and saves system resources. Further, because the less resource-intensive memory scan mode keeps the results of the previous scan, on a repeat scan the results for most files can be determined by the memory scan mode, which raises scanning speed further.
Embodiments
The following embodiments of the present invention provide a method and a device for handling computer viruses. In the embodiments of the present application the virus scan modes are called in ascending order of the system resources they occupy, so files can first pass through the less resource-intensive scan modes. This reduces the number of files that the more resource-intensive scan modes have to scan, which raises the system's virus scanning speed and saves system resources.
To help those skilled in the art better understand the technical solutions in the embodiments of the present invention, and to make the above objects, features and advantages of the embodiments clearer, the technical solutions are described in further detail below with reference to the accompanying drawings.
Referring to Fig. 1, a flowchart of the first embodiment of the method for handling computer viruses of the present application:
Step 101: set several virus scan modes in advance, the virus scan modes differing in the system resources they occupy when scanning files.
The virus scan modes are arranged in ascending order of the system resources they occupy and comprise at least two of the following: a memory scan mode, which performs virus scanning according to the scan results of previously scanned files saved in a cache, where the scan results comprise the file attribute information of files determined to be malicious or non-malicious, and the file attribute information comprises file size, file modification time and file path; a list scan mode, which performs virus scanning using at least one of a blacklist and a whitelist saved in advance; and an engine scan mode, which performs virus scanning using an antivirus engine.
Step 102: obtain the files to be scanned.
Step 103: call the corresponding virus scan modes to scan the files to be scanned, in ascending order of the system resources the virus scan modes occupy.
When the virus scan modes comprise at least a first virus scan mode and a second virus scan mode, and the first occupies fewer system resources than the second, the first virus scan mode is called first to scan the files to be scanned, obtaining the determined files among them; the second virus scan mode is then called to scan only the files other than the determined files. A determined file is a file that has been determined to be either malicious or non-malicious.
Specifically, when the memory scan mode, the list scan mode and the engine scan mode are all used to scan the files to be scanned, the memory scan mode is called first to scan the files to be scanned, obtaining a first scan result comprising first determined files. The list scan mode is then called to scan only the other files among the files to be scanned, excluding the first determined files, obtaining a second scan result comprising second determined files. Finally the engine scan mode is called to scan only the remaining files among the other files, excluding the second determined files, obtaining a third scan result comprising third determined files.
Referring to Fig. 2, a flowchart of the second embodiment of the method for handling computer viruses of the present application. This embodiment describes in detail the process of scanning the files to be scanned with three scan modes:
Step 201: set in advance the memory scan mode, the list scan mode and the engine scan mode, arranged in ascending order of the system resources they occupy.
The memory scan mode performs virus scanning according to the scan results of previously scanned files saved in a cache; the scan results comprise the file attribute information of files determined to be malicious or non-malicious, and the file attribute information comprises file size, file modification time, file path and so on. The list scan mode performs virus scanning using at least one of a blacklist and a whitelist saved in advance. The engine scan mode performs virus scanning using an antivirus engine.
Step 202: obtain the files to be scanned.
Step 203: call the memory scan mode to scan the files to be scanned, obtaining a first scan result comprising first determined files.
Obtain the file attribute information of each file to be scanned, such as file size, file modification time and file path. The file attributes kept by the system record the file size, modification time, file path and other attribute information of the file as of its last modification, and this attribute information is updated in real time as the file is modified.
The file attribute information is matched against the file attribute information saved in the cache. When the file attributes of a file to be scanned match file attributes saved in the cache, the file is determined to be a malicious file or a non-malicious file; when they do not match, the file is determined to be one of the other files to be scanned by the list scan mode. Because the file attribute information comprises several items, the items can be matched one by one in a preset order, for example file size first, then file modification time, and finally file path. The file attributes of a file are considered to match those saved in the cache only when all of its attribute items are consistent with the saved file attribute information; when any one attribute item is inconsistent with the saved file attribute information, the file attributes are considered not to match.
Because the memory scan mode performs virus scanning according to the scan results of previously scanned files saved in the cache, the determined files in the first scan result obtained by matching are the set of files already determined to be malicious or non-malicious in the previous scan. Because reading from memory is fast, and virus files change little between two consecutive scans, the memory scan mode can handle most of the files in the system, which raises scanning speed and saves system resources.
Step 204: call the list scan mode to scan only the other files among the files to be scanned, excluding the first determined files, obtaining a second scan result comprising second determined files.
When scanning with the blacklist saved in advance, the file name of each of the other files is compared with the file names saved in advance in the blacklist; when the file name of a file matches a saved file name, that file is determined to be a malicious file belonging to the second determined files. When scanning with the whitelist saved in advance, the file name of each of the other files is compared with the file names saved in advance in the whitelist; when the file name of a file matches a saved file name, that file is determined to be a non-malicious file belonging to the second determined files.
The whitelist is usually maintained by the user on the client: the user adds files determined to be non-malicious to the whitelist, which can record information such as the file name and file path of each file. The blacklist is usually maintained by the antivirus software provider, which adds the malicious files identified through monitoring to the blacklist.
Step 205: call the engine scan mode to scan only the remaining files among the other files, excluding the second determined files, obtaining a third scan result comprising third determined files.
When the remaining files are scanned with the engine scan mode, the antivirus engine used can be any existing antivirus engine, for example a cloud scanning engine, the QVM (Qihoo Virtual Machine, artificial intelligence engine) engine, or the Avira ("Little Red Umbrella") antivirus engine.
Step 206: according to the scan results of the files to be scanned, store the file attributes of the second determined files and the third determined files in the cache.
In this scan, the determined files in the scan results obtained by the list scan mode and the engine scan mode differ from the determined files saved in the cache. Therefore, to further improve the speed of the next virus scan, the file attributes of the second and third determined files, including file size, file modification time and file path, are recorded in the cache, so that next time these files can be scanned directly by the memory scan mode, which occupies the fewest system resources.
Referring to Fig. 3, a flowchart of the third embodiment of the method for handling computer viruses of the present application. This embodiment shows in detail the process of scanning the files to be scanned with the memory scan mode:
Step 301: save the scan results of previously scanned files in the cache in advance; the scan results comprise the file attribute information of files determined to be malicious or non-malicious, and the file attribute information comprises file size, file modification time and file path.
Step 302: take the next file, in order, from the files to be scanned.
Step 303: obtain the file size, file modification time and file path of this file.
The file attributes kept by the system record the file size, modification time, file path and other attribute information of the file as of its last modification, and this attribute information is updated in real time as the file is modified.
Step 304: judge whether the file size of this file matches a file size saved in advance; if so, go to step 305; otherwise, go to step 309.
Step 305: judge whether the file modification time of this file matches the file modification time saved in advance; if so, go to step 306; otherwise, go to step 309.
Step 306: judge whether the file path of this file matches the file path saved in advance; if so, go to step 307; otherwise, go to step 309.
Step 307: determine this file to be a malicious file or a non-malicious file according to the matching result.
The file attributes of a file are considered to match those saved in the cache only when all of its attribute items are consistent with the saved file attribute information. If the file corresponding to the matched file attribute information in memory is a malicious file, the scan result for this file is malicious; if the file corresponding to the matched file attribute information in memory is a non-malicious file, the scan result for this file is non-malicious.
Because the memory scan mode performs virus scanning according to the scan results of previously scanned files saved in the cache, the determined files in the first scan result obtained by matching are the set of files already determined to be malicious or non-malicious in the previous scan. Because reading from memory is fast, and virus files change little between two consecutive scans, the memory scan mode can handle most of the files in the system, which raises scanning speed and saves system resources.
Step 308: determine this file to be a file that needs to be scanned by another scan mode.
When any one attribute item of a file is inconsistent with the file attribute information saved in the cache, the file attributes of the file are considered not to match those saved in the cache. In this case the file needs to be scanned by a scan mode other than the memory scan mode, for example the list scan mode and/or the engine scan mode described in the preceding embodiment.
Step 309: judge whether all files to be scanned have been matched; if so, end the process; otherwise, return to step 302.
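The three-tier procedure of Fig. 2 combined with the attribute matching of Fig. 3, as an added Python example that is not code from the application. The `TieredScanner` class, the `toy_engine` stand-in with its constructed `MARKER` pattern, the sample files, and the choice to check the blacklist before the whitelist are assumptions made for illustration.

```python
import os
import tempfile
from enum import Enum


class Verdict(Enum):
    MALICIOUS = "malicious"
    NON_MALICIOUS = "non-malicious"


class TieredScanner:
    """Memory (cache) tier, then list tier, then engine tier: cheapest first."""

    def __init__(self, engine, blacklist=(), whitelist=()):
        self.engine = engine              # callable(path) -> Verdict (stand-in engine)
        self.blacklist = set(blacklist)   # file names determined malicious
        self.whitelist = set(whitelist)   # file names determined non-malicious
        self.cache = {}                   # abs path -> (size, mtime_ns, Verdict)
        self.engine_calls = 0             # how often the expensive tier ran

    @staticmethod
    def _attrs(path):
        st = os.stat(path)
        return st.st_size, st.st_mtime_ns, os.path.abspath(path)

    def _memory_scan(self, path):
        """Steps 303-308: a hit needs size, modification time and path to match."""
        size, mtime, abspath = self._attrs(path)
        entry = self.cache.get(abspath)   # path comparison, done as the dict lookup
        if entry is None or entry[0] != size or entry[1] != mtime:
            return None                   # any mismatch: hand over to the next tier
        return entry[2]

    def _list_scan(self, path):
        """Step 204: compare the file name with the saved lists."""
        name = os.path.basename(path)
        if name in self.blacklist:        # assumption: blacklist is checked first
            return Verdict.MALICIOUS
        if name in self.whitelist:
            return Verdict.NON_MALICIOUS
        return None

    def _engine_scan(self, path):
        self.engine_calls += 1
        return self.engine(path)

    def _remember(self, path, verdict):
        size, mtime, abspath = self._attrs(path)     # step 206: update the cache
        self.cache[abspath] = (size, mtime, verdict)

    def scan(self, paths):
        """Return {path: (Verdict, tier)}; each tier sees only undetermined files."""
        results, undetermined = {}, list(paths)
        tiers = (("memory", self._memory_scan), ("list", self._list_scan),
                 ("engine", self._engine_scan))
        for tier, check in tiers:
            remaining = []
            for path in undetermined:
                verdict = check(path)
                if verdict is None:
                    remaining.append(path)
                    continue
                results[path] = (verdict, tier)
                if tier != "memory":      # second and third determined files
                    self._remember(path, verdict)
            undetermined = remaining
        return results


MARKER = b"CONSTRUCTED-TEST-MARKER"       # constructed pattern, not a real signature


def toy_engine(path):
    """Stand-in for an antivirus engine: reads the whole file (the costly step)."""
    with open(path, "rb") as fh:
        return Verdict.MALICIOUS if MARKER in fh.read() else Verdict.NON_MALICIOUS


def demo():
    """Scan constructed sample files three times; return the tier used per file."""
    samples = {"report.txt": b"quarterly numbers", "tool.exe": b"trusted build",
               "dropper.bin": b"xx" + MARKER, "evil.scr": b"anything"}
    with tempfile.TemporaryDirectory() as root:
        paths = []
        for name, data in samples.items():
            paths.append(os.path.join(root, name))
            with open(paths[-1], "wb") as fh:
                fh.write(data)
        scanner = TieredScanner(toy_engine, blacklist={"evil.scr"}, whitelist={"tool.exe"})
        def tiers(result):
            return {os.path.basename(p): tier for p, (_, tier) in result.items()}
        first = scanner.scan(paths)
        second = scanner.scan(paths)      # unchanged files: all cache hits
        with open(paths[0], "ab") as fh:  # modify report.txt, so its size changes
            fh.write(b" (revised)")
        third = scanner.scan(paths)
        verdicts = {os.path.basename(p): v.value for p, (v, _) in third.items()}
        return tiers(first), tiers(second), tiers(third), scanner.engine_calls, verdicts
```

Calling `demo()` shows the engine tier running twice on the first scan, not at all on the second, and once more on the third scan for the one file whose size changed.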
As the above embodiments of the present application show, when files are scanned for viruses the scan modes are called in ascending order of the system resources they occupy, so files can first be scanned by a mode that occupies fewer system resources, for example the memory scan mode. This reduces the number of files that the more resource-intensive scan modes have to scan, which raises the system's virus scanning speed and saves system resources. Further, because the less resource-intensive memory scan mode keeps the results of the previous scan, on a repeat scan the results for most files can be determined by the memory scan mode, which raises scanning speed further.
Corresponding to the embodiments of the method for handling computer viruses, the present application also provides embodiments of a device for handling computer viruses.
Referring to Fig. 4, a block diagram of the first embodiment of the device for handling computer viruses of the present application:
The device comprises a setting unit 410, an acquiring unit 420 and a scanning unit 430.
The setting unit 410 is for setting several virus scan modes in advance, the virus scan modes differing in the system resources they occupy when scanning files;
the acquiring unit 420 is for obtaining the files to be scanned;
the scanning unit 430 is for calling the corresponding virus scan modes to scan the files to be scanned, in ascending order of the system resources the virus scan modes occupy.
The several virus scan modes set in the setting unit 410 comprise at least a first virus scan mode and a second virus scan mode, the first virus scan mode occupying fewer system resources than the second virus scan mode;
The scanning unit 430 can specifically comprise (not shown in Fig. 4):
a first call scanning unit, for calling the first virus scan mode to scan the files to be scanned, obtaining the determined files among the files to be scanned;
a second call scanning unit, for calling the second virus scan mode to scan only the files other than the determined files among the files to be scanned, obtaining a second scan result.
Referring to Fig. 5, a block diagram of the second embodiment of the device for handling computer viruses of the present application:
The device comprises a setting unit 510, an acquiring unit 520, a scanning unit 530 and a storage unit 540.
The setting unit 510 is for setting several virus scan modes in advance, the virus scan modes differing in the system resources they occupy when scanning files. The virus scan modes set by the setting unit are arranged in ascending order of the system resources they occupy and comprise at least two of the following: a memory scan mode, which performs virus scanning according to the scan results of previously scanned files saved in a cache, the scan results comprising the file attributes of files determined to be malicious or non-malicious, and the file attributes comprising file size, file modification time and file path; a list scan mode, which performs virus scanning using at least one of a blacklist and a whitelist saved in advance; and an engine scan mode, which performs virus scanning using an antivirus engine;
the acquiring unit 520 is for obtaining the files to be scanned;
the scanning unit 530 is for calling the corresponding virus scan modes to scan the files to be scanned, in ascending order of the system resources the virus scan modes occupy. The scanning unit 530 can comprise: a first scanning unit 531, for calling the memory scan mode to scan the files to be scanned, obtaining a first scan result comprising first determined files; a second scanning unit 532, for calling the list scan mode to scan only the other files among the files to be scanned, excluding the first determined files, obtaining a second scan result comprising second determined files; and a third scanning unit 533, for calling the engine scan mode to scan only the remaining files among the other files, excluding the second determined files, obtaining a third scan result comprising third determined files;
the storage unit 540 is for storing, according to the scan results of the second scanning unit and the third scanning unit, the file attributes of the second determined files and the third determined files in the cache.
Specifically, the first scanning unit 531 can comprise (not shown in Fig. 5):
an information acquisition unit, for obtaining the file attribute information of a file to be scanned;
an information matching unit, for matching the file attribute information against the file attribute information saved in the cache;
a result determining unit, for determining the file to be scanned to be a malicious file or a non-malicious file when its file attributes match file attributes saved in the cache, and for determining the file to be one of the other files to be scanned by the list scan mode when its file attributes do not match the file attributes saved in the cache.
Specifically, the second scanning unit 532 can comprise (not shown in Fig. 5):
a blacklist scanning unit, for comparing the file name of each of the other files with the file names saved in advance in the blacklist, and, when the file name of a file matches a file name saved in advance, determining that file to be a malicious file belonging to the second determined files;
a whitelist scanning unit, for comparing the file name of each of the other files with the file names saved in advance in the whitelist, and, when the file name of a file matches a file name saved in advance, determining that file to be a non-malicious file belonging to the second determined files.
As the description of the above embodiments shows, in the embodiments of the present application several virus scan modes are set in advance, which differ in the system resources they occupy when scanning files; the files to be scanned are obtained, and the corresponding virus scan modes are called to scan them in ascending order of the system resources the modes occupy. When files are scanned for viruses in this way, the scan modes are called in ascending order of resource use, so files can first be scanned by a mode that occupies fewer system resources, for example the memory scan mode. This reduces the number of files that the more resource-intensive scan modes have to scan, which raises the system's virus scanning speed and saves system resources. Further, because the less resource-intensive memory scan mode keeps the results of the previous scan, on a repeat scan the results for most files can be determined by the memory scan mode, which raises scanning speed further.
Those skilled in the art will clearly understand that the techniques in the embodiments of the present invention can be implemented by software plus the necessary general-purpose hardware platform. Based on this understanding, the technical solutions in the embodiments of the present invention, in essence or in the part that contributes over the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the methods described in the embodiments of the present invention or in certain parts of the embodiments.
The embodiments in this specification are described progressively; for identical or similar parts the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, the system embodiments are described relatively briefly because they are substantially similar to the method embodiments; for the relevant parts, refer to the description of the method embodiments.
The embodiments of the present invention described above do not limit the scope of protection of the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.