CN102592103A - Secure file processing method, equipment and system - Google Patents

Publication number: CN102592103A
Authority: CN (China)
Prior art keywords: file, target, terminal, characteristic information, information
Legal status: Granted (Active)
Application number: CN2011100087016A
Other languages: Chinese (zh)
Other versions: CN102592103B (en)
Inventor: 刘国萍, 赵鹏
Current Assignee: China Telecom Corp Ltd
Original Assignee: China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd
Priority to CN201110008701.6A
Publication of CN102592103A
Application granted; publication of CN102592103B
Landscapes: Information Transfer Between Computers

Abstract

The invention relates to a secure file processing method. The method comprises the following steps: when a terminal starts its anti-virus function, it collects the file attribute information of a local target PE (portable executable) file and calculates a file feature code of the target PE file; the terminal transmits the feature information of the target PE file to a server; the server compares the received feature information with a preset standard file feature library to determine whether the target PE file is infected by a virus, generates different processing strategies according to the determination result, and transmits the processing strategies to the terminal; and the terminal processes the target PE file according to the received processing strategies. The invention also relates to a secure file processing system, a terminal, a server and probe equipment. Based on a cloud computing environment, the method can remove file-type viruses and repair infected files without frequent upgrades of a virus feature library, can remove unknown viruses and repair the files they infect, and occupies few user-terminal resources.

Description

Secure file processing method, equipment and system
Technical field
The present invention relates to Internet application technology and communication technology, and in particular to a secure file processing method, equipment and system in a cloud computing environment.
Background
As IT adoption deepens across all industries, the Internet is applied ever more widely in every field. With the development of Internet technology and the growth of the network economy, people use the Internet to obtain all kinds of software resources and useful information, while others use these resources to spread viruses between computers on the Internet, including file-type viruses of all kinds and network worms, in order to steal useful data or information, disrupt services or destroy data, consume system resources, and pursue other hidden aims.
At present, methods exist for detecting and identifying network worms from network traffic. File-type viruses, however, are parasitic on programs that are useful to the user and have many variants, so they are hard to detect. An outbreak directly affects the use of the user terminal, causes the user great inconvenience, and puts the user's privacy and interests at considerable risk.
Most existing antivirus software scans for and removes viruses based on virus feature codes combined with manual analysis. A virus feature library is stored on the user terminal; when the antivirus engine scans, it compares the code in the program body with the feature codes in the library to judge whether the program is infected. If a program file is infected, the infected file is handled according to the kind of infection: for a less complex virus, the original program file can be recovered by deleting the virus code; if the infecting virus code is complex, the whole program file can only be deleted or quarantined.
The prior-art technical solutions for scanning for and removing file-type viruses have at least the following four defects:
(1) The virus feature library must be upgraded frequently: the terminal's detection and removal of viruses depends on the virus code in the program body and on the locally pre-stored virus feature library, so as virus code is updated frequently, the virus code library used for antivirus comparison must also be upgraded frequently;
(2) Unknown viruses are hard to identify: the core of an antivirus engine's work is code comparison; when an infection involves a virus that has no corresponding code in the preset virus feature library, the engine can only attempt tentative removal based on the actual virus code in the program body. Now that virus variants are ever more diverse, traditional antivirus software struggles to cope;
(3) Infected files easily become unusable: because viruses are complex and encrypted, even when antivirus software identifies the virus code in the program body, the complexity of the encryption the virus code uses usually makes it hard to decrypt the valid data needed to restore the program file; to prevent reinfection, antivirus software usually can only quarantine or delete the whole original file;
(4) System resource usage is high: because detection, comparison, analysis and handling of viruses are all done on the user terminal, they consume a large amount of the terminal's CPU and RAM.
Summary of the invention
The object of the invention is to provide a secure file processing method, equipment and system that, based on a cloud computing environment, can scan for and remove file-type viruses and repair infected files without frequent upgrades of a virus feature library, can also remove unknown viruses and repair the files they infect, and occupy few user-terminal resources.
To achieve this object, the invention provides a secure file processing method, comprising:
when a terminal starts its antivirus function, the terminal collects the file attribute information of a local target portable executable (PE) file and calculates the file feature code of the target PE file;
the terminal sends the feature information of the target PE file to a server, the feature information comprising the file feature code, the file attribute information and the file attribute change record;
the server compares the received feature information with a preset standard file feature library, judges whether the target PE file is infected by a virus, generates different processing strategies according to the judgment result, and delivers them to the terminal;
the terminal processes the target PE file according to the received processing strategy.
To achieve this object, the invention provides a terminal based on a cloud computing environment, comprising:
an attribute information collection module, for collecting the file attribute information of a local target PE file when the terminal starts its antivirus function;
a feature code calculation module, for calculating the file feature code of the target PE file;
a feature information sending module, for sending the feature information of the target PE file to a server, the feature information comprising the file feature code, the file attribute information and the file attribute change record;
a strategy receiving module, for receiving the processing strategy returned by the server;
a strategy processing module, for processing the target PE file according to the received processing strategy.
To achieve this object, the invention provides a server based on a cloud computing environment, comprising:
a feature information receiving module, for receiving the feature information of the target PE file sent by the terminal, the feature information comprising the file feature code, the file attribute information and the file attribute change record;
a standard file feature library, for storing PE files commonly found on the Internet together with the feature codes and file attribute information of those PE files;
a feature information comparison module, for comparing the received feature information with the preset standard file feature library and judging whether the target PE file is infected by a virus;
a processing strategy distribution module, for generating different processing strategies according to the judgment result and delivering them to the terminal.
To achieve this object, the invention provides a probe device based on a cloud computing environment, comprising:
a file information receiving module, for receiving the related file information of the target PE file sent by the server side;
a feature information collection module, for collecting the feature information of the target PE file in the cloud computing environment;
a feature information return module, for returning the feature information of the target PE file to the server.
To achieve this object, the invention also provides a secure file processing system comprising the terminal and the server described above, the terminal being connected to the server.
Based on the above technical solution, the invention exploits the shared nature of Internet resources: it scans for and removes viruses by comparing local PE files with clean files on the Internet, and can repair infected files from those clean files. It needs no frequent upgrade of a virus feature library and can also remove unknown viruses. The scanning and removal process is completed mainly on the network side, so few user-terminal resources are occupied.
Brief description of the drawings
The drawings described here provide further understanding of the invention and form part of this application. The illustrative embodiments of the invention and their description serve to explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a schematic flowchart of one embodiment of the secure file processing method of the invention.
Fig. 2 is a schematic flowchart of another embodiment of the secure file processing method of the invention.
Fig. 3 is a schematic structural diagram of one embodiment of the secure file processing system of the invention.
Fig. 4 is a schematic structural diagram of another embodiment of the secure file processing system of the invention.
Detailed description
The technical solution of the invention is described in further detail below with reference to the drawings and embodiments.
A file-type virus in the present invention is a virus that can infect PE files on disk (portable executable files, including files the system can execute directly or through linking, such as COM, EXE, SYS and DLL files). Files of this kind usually have relatively fixed file attributes and are the main file type that parasitic file viruses infect. A file-type virus infects mainly by modifying code at specific positions in the file (for example the word values at offsets 02, 04, 0E, 10H, 14H and 16H of the EXE file header) and inserting virus code into the file body, so that when the program file runs the virus code executes before the program file and stays resident in memory.
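The header words listed above can be read and compared against a known-clean copy with a few lines of code. The following is an added example, not part of the patent: the field names are those of the standard DOS MZ header layout, and both headers are constructed sample data.

```python
import struct

# Header offsets named in the paragraph above. The field names are those of
# the standard DOS "MZ" header layout and are not taken from the patent text.
WATCHED_WORDS = {
    0x02: "e_cblp (bytes used on last page)",
    0x04: "e_cp (number of 512-byte pages)",
    0x0E: "e_ss (initial SS)",
    0x10: "e_sp (initial SP)",
    0x14: "e_ip (initial IP)",
    0x16: "e_cs (initial CS)",
}
HEADER_MIN = 0x18  # the last watched word ends at offset 0x17


def read_watched_words(data: bytes) -> dict:
    """Return {offset: 16-bit little-endian value} for the watched words."""
    if len(data) < HEADER_MIN or data[:2] != b"MZ":
        raise ValueError("not an MZ executable header")
    return {off: struct.unpack_from("<H", data, off)[0] for off in WATCHED_WORDS}


def changed_header_words(reference: bytes, candidate: bytes) -> list:
    """List (offset, field, reference value, candidate value) for each difference."""
    ref = read_watched_words(reference)
    cand = read_watched_words(candidate)
    return [
        (off, WATCHED_WORDS[off], ref[off], cand[off])
        for off in sorted(WATCHED_WORDS)
        if ref[off] != cand[off]
    ]


def make_sample_header(cblp, cp, ss, sp, ip, cs) -> bytes:
    """Build a constructed 28-byte MZ header; all other fields are zero."""
    hdr = bytearray(0x1C)
    hdr[0:2] = b"MZ"
    for off, value in zip(sorted(WATCHED_WORDS), (cblp, cp, ss, sp, ip, cs)):
        struct.pack_into("<H", hdr, off, value)
    return bytes(hdr)


# Constructed sample data: a reference header and a copy whose length words
# and entry point words differ from it.
CLEAN = make_sample_header(0x0090, 3, 0x0000, 0x00B8, 0x0000, 0x0000)
CHANGED = make_sample_header(0x0120, 5, 0x0000, 0x00B8, 0x0100, 0x0040)

if __name__ == "__main__":
    for off, name, old, new in changed_header_words(CLEAN, CHANGED):
        print(f"offset {off:#04x} {name}: {old:#06x} -> {new:#06x}")
```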
In the Internet era, the main infection route for file-type viruses is resource sharing between user terminals on the Internet. The theoretical basis of the invention is therefore that a corresponding copy of any PE file on an Internet user terminal can be found on the Internet, and that uninfected PE files (clean files) obtainable on the Internet are more probable than infected PE files. In addition, users do not normally modify the code of PE files.
Fig. 1 is a schematic flowchart of one embodiment of the secure file processing method of the invention. In this embodiment, the secure file processing flow comprises:
Step 101: when the terminal starts its antivirus function, it collects the file attribute information of a local target portable executable (PE) file and calculates the file feature code of the target PE file;
Step 102: the terminal sends the feature information of the target PE file to the server, the feature information comprising the file feature code, the file attribute information and the file attribute change record;
Step 103: the server compares the received feature information with the preset standard file feature library and judges whether the target PE file is infected by a virus;
Step 104: the server generates different processing strategies according to the judgment result and delivers them to the terminal;
Step 105: the terminal processes the target PE file according to the received processing strategy.
In this embodiment, virus detection is no longer performed by an antivirus engine on the terminal but by the server on the network side. This approach requires no frequent upgrades of the terminal's antivirus engine and virus library, and the main work of scanning and removal is done on the network side. This greatly reduces the CPU, memory and other resources that virus scanning occupies on the terminal side and makes full use of the fast analysis and processing capacity of the cloud computing environment. The approach is particularly suitable for mobile terminals with limited functional resources.
For scanning and removal, the invention directly compares the feature information of the clean files stored in the standard file feature library with the feature information sent by the terminal. The method does not start from identifying virus code; it judges directly whether the target PE file is infected. This way of detecting viruses is more direct and efficient, and it can still judge accurately whether a file is infected even though viruses on today's networks are constantly updated and mutating.
In this embodiment, in step 102 the terminal sends the feature information of the target PE file to the server. The feature information includes the change information of the file attribute information, which is used mainly together with the current file attributes of the target PE file to determine the target PE file's original file attribute information. The terminal must continuously track and record this change information.
In another embodiment, referring to Fig. 2, the comparison and judgment in step 103 may specifically comprise the following steps:
Step 201: the server determines the original file attribute information of the target PE file from the received file attribute information and file attribute change record of the target PE file. The file attribute information may include the file name, extension, file creation time, file size and similar information; attributes may be added to or removed from this list as needed.
Step 202: the server compares the file feature code and the original file attribute information of the target PE file with the file feature codes and file attribute information of the files in the standard file feature library. The standard file feature library can store file feature codes calculated from the files in advance, so they need not be recalculated at each comparison, which also improves comparison efficiency.
Step 203: if the file feature code and the file attribute information are both fully consistent, the target PE file is confirmed as not infected by a virus.
Step 204: if the file attribute information is consistent but the file feature code is not, the target PE file is confirmed as infected by a virus.
For different judgment results the server produces different processing strategies: where step 203 confirms that the target PE file is not infected by a virus, step 205 may then be executed; where step 204 confirms that the target PE file is infected by a virus, step 206 may then be executed.
Step 205: the server takes no action, or returns to the terminal a prompt indicating that the file is not infected.
Step 206: the server generates the download address of the corresponding file in the standard file feature library and issues it to the terminal.
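Steps 201 to 206 can be sketched as a single server-side decision function. This is an added example, not code from the patent: SHA-256 stands in for the unspecified feature code algorithm, the change record format `(key, old, new)`, the attribute keys, the library layout and the download URL are all assumptions, and the sample files are constructed.

```python
import hashlib
from dataclasses import dataclass, field

ATTR_KEYS = ("name", "ext", "created", "size")  # attributes listed in step 201


@dataclass
class FeatureInfo:
    """What the terminal sends in step 102 (field layout is an assumption)."""
    feature_code: str
    attrs: dict
    change_record: list = field(default_factory=list)  # [(key, old, new)], oldest first


def feature_code(content: bytes) -> str:
    # Assumption: SHA-256 stands in for the feature code algorithm,
    # which the page does not specify.
    return hashlib.sha256(content).hexdigest()


def original_attrs(info: FeatureInfo) -> dict:
    """Step 201: undo the change record, newest change first."""
    attrs = dict(info.attrs)
    for key, old, new in reversed(info.change_record):
        if attrs.get(key) != new:
            raise ValueError(f"change record does not match current {key!r}")
        attrs[key] = old
    return attrs


def decide(info: FeatureInfo, library: dict) -> dict:
    """Steps 202-206, plus the hand-off to step 207 when nothing matches."""
    orig = original_attrs(info)
    entry = library.get(tuple(orig[k] for k in ATTR_KEYS))
    if entry is None:
        # Attributes not in the library: ask the probe devices (step 207).
        return {"verdict": "unknown", "action": "query_probes", "file_info": orig}
    if entry["feature_code"] == info.feature_code:
        return {"verdict": "not_infected", "action": "notify"}       # steps 203, 205
    return {"verdict": "infected", "action": "download",
            "url": entry["download_url"]}                            # steps 204, 206


# --- constructed sample data -------------------------------------------------
CLEAN_BYTES = b"MZ" + bytes(62)
MODIFIED_BYTES = CLEAN_BYTES + b"bytes appended after release"
CLEAN_ATTRS = {"name": "tool", "ext": "exe",
               "created": "2010-06-01T09:00:00", "size": len(CLEAN_BYTES)}
LIBRARY = {
    tuple(CLEAN_ATTRS[k] for k in ATTR_KEYS): {
        "feature_code": feature_code(CLEAN_BYTES),
        "download_url": "https://library.example.invalid/clean/tool.exe",  # placeholder
    }
}


def sample_reports() -> dict:
    """Three constructed terminal reports: untouched, modified, not in library."""
    return {
        "untouched": FeatureInfo(feature_code(CLEAN_BYTES), dict(CLEAN_ATTRS)),
        "modified": FeatureInfo(
            feature_code(MODIFIED_BYTES),
            {**CLEAN_ATTRS, "size": len(MODIFIED_BYTES)},
            [("size", len(CLEAN_BYTES), len(MODIFIED_BYTES))],
        ),
        "unlisted": FeatureInfo(
            feature_code(b"MZ other"),
            {"name": "other", "ext": "exe", "created": "2010-07-01T12:00:00", "size": 8},
        ),
    }


if __name__ == "__main__":
    for label, info in sample_reports().items():
        print(label, decide(info, LIBRARY))
```

In this sketch, a terminal that failed to record the size change would send attributes that match no library entry, and the modified file would be routed to the probe devices rather than judged infected here.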
Where the file attribute information is inconsistent, that is, where no file corresponding to the original file attribute information of the target PE file is found in the standard file feature library, the server can send the related file information of the target PE file to each probe device in the cloud computing environment (step 207). The related file information here may be the file attribute information of the target PE file together with the file attribute change record, or the original file attribute information of the target PE file.
Step 208: the probe devices collect the feature information of the target PE file in the cloud computing environment and send it to the server.
Step 209: the server aggregates the collected feature information and compares it with the feature information of the target PE file sent by the terminal.
When the server compares the feature information in step 209: if the feature information of the target PE file sent by the terminal is identical to the feature information returned by more than a preset first ratio a% (for example >70%) of the probe devices, the target PE file is confirmed as not infected by a virus (step 210) and step 212 is executed; if it is identical to the feature information returned by fewer than a preset second ratio b% (for example <50%) of the probe devices, the target PE file is confirmed as infected by a virus (step 211) and step 213 is executed.
Step 212: the server takes no action, or returns to the terminal a prompt indicating that the file is not infected.
Step 213: the server takes as the file download source the probe device source that has the largest similarity proportion among the feature information returned by the probe devices, and then issues the download address of that probe device source to the terminal.
If the feature information of the target PE file sent by the terminal is identical to the feature information returned by a proportion of the probe devices that is higher than the preset second ratio (for example >50%) and lower than the first ratio (for example <70%), the target PE file can be confirmed as suspected of being infected by a virus (step 214), and a prompt indicating that the file is suspected of infection is returned to the terminal. Then, according to the operation at the terminal, the probe device source that has the largest similarity proportion among the feature information returned by the probe devices is taken as the file download source, and the download address of that probe device source is issued to the terminal (step 215).
In the embodiments above, the probe devices are responsible for searching the cloud computing environment when the server's standard file feature library holds no clean file corresponding to the target PE file. Because many probes can be deployed and they search in parallel, the search can cover a wider range of the Internet and is also relatively efficient. The server aggregates the feature information returned by the probe devices; the idea of the aggregation is mainly to judge whether the returned feature information that is identical to the feature information of the target PE file reaches a certain proportion of all the feature information reported for files of the same kind. As mentioned earlier, the theoretical basis on which the invention judges infection is that uninfected PE files obtainable on the Internet are more probable than infected PE files; through this aggregate comparison the server can therefore determine with fairly high accuracy whether the target PE file is infected.
In the aggregate comparison, the first ratio and the second ratio are not limited to the 50% and 70% given as examples above; they can be adjusted continually according to statistics on the results in use, so as to keep judgment accuracy high. In addition, if the compared proportion is exactly the first ratio or the second ratio, the judgment result can be chosen according to actual conditions. For example, when the feature information returned by the probe devices that is identical to the feature information of the target PE file amounts to exactly 50% of all the feature information reported for files of the same kind, the file may be left unconfirmed as infected, or may be confirmed as suspected of infection.
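The aggregation in steps 209 to 215, including the boundary case just discussed, can be sketched as follows. This is an added example, not code from the patent: the report format `(probe_source, feature_code)`, the choice to treat a proportion exactly equal to either threshold as suspected, and the reading of "largest similarity proportion" as the feature code reported by the most probes are assumptions, and the probe reports are constructed.

```python
from collections import Counter


def aggregate(terminal_code, probe_reports, first_pct=70, second_pct=50):
    """Classify a file from probe reports (steps 209-215).

    probe_reports: list of (probe_source, feature_code) pairs from step 208.
    first_pct / second_pct: the adjustable first and second ratios, in percent.
    """
    total = len(probe_reports)
    if total == 0:
        return {"verdict": "unknown", "match_pct": None, "download_source": None}

    counts = Counter(code for _, code in probe_reports)
    matches = counts[terminal_code]  # 0 when no probe saw the terminal's code

    # Feature code reported by the largest share of probes, and the first
    # probe source that reported it (assumed reading of the page's rule).
    top_code, _ = counts.most_common(1)[0]
    top_source = next(src for src, code in probe_reports if code == top_code)

    result = {"match_pct": 100 * matches / total, "download_source": None}
    # Integer arithmetic keeps the threshold comparisons exact.
    if matches * 100 > first_pct * total:
        result["verdict"] = "not_infected"        # steps 210, 212
    elif matches * 100 < second_pct * total:
        result["verdict"] = "infected"            # steps 211, 213
        result["download_source"] = top_source
    else:
        # Between the thresholds. A proportion exactly equal to either
        # threshold also lands here; that is this example's choice.
        result["verdict"] = "suspected"           # steps 214, 215
        result["download_source"] = top_source    # issued only if the user asks
    return result


def build_reports(n_same, n_other):
    """Constructed probe reports: n_same probes agree with the terminal."""
    codes = ["CODE_FROM_TERMINAL"] * n_same + ["CODE_SEEN_ELSEWHERE"] * n_other
    return [(f"probe-{i:02d}", code) for i, code in enumerate(codes)]


if __name__ == "__main__":
    for same, other in ((8, 2), (7, 3), (6, 4), (5, 5), (3, 7)):
        print(same, other, aggregate("CODE_FROM_TERMINAL", build_reports(same, other)))
```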
Can not directly confirm the situation whether target P E file infects for some; The present invention is defined as doubtful the infection with this situation, and gives the user with this information indicating, is judged by user's own; File is clean file if the user believes firmly this target P E; What then need not handle, whether file is infected if the user can not conclude this target P E, and worries the threat of virus to system; Can obtain the corresponding source probe of characteristic information of the maximum similar proportion that probe finds out from server, replace local target P E file so that download corresponding file through source probe.The characteristic information corresponding file of the maximum similar proportion that probe device found out (promptly being identified as clean file) can download to the normative document feature database of server and preserve; Thereby constantly the normative document feature database is expanded, for the user provides checking and killing virus function more easily.
One of ordinary skill in the art will appreciate that: all or part of step that realizes said method embodiment can be accomplished through the relevant hardware of programmed instruction; Aforesaid program can be stored in the computer read/write memory medium; This program the step that comprises said method embodiment when carrying out; And aforesaid storage medium comprises: various media that can be program code stored such as ROM, RAM, magnetic disc or CD.
As shown in Figure 3, be the structural representation of an embodiment of file security disposal system of the present invention.In the present embodiment, the file security disposal system comprises continuous terminal 1 and server 2.Terminal 1 and server 2 all are based on the equipment of cloud computing environment, and terminal 1 can be all kinds of computing machines of deploying client, also can be the mobile device of having disposed client.2 of servers are the equipment that is deployed in network side, can be an equipment that focuses on, and also can be that multiple devices carry out distributed treatment.
Terminal 1 can specifically comprise: attribute information acquisition module 11, condition code computing module 12, characteristic information sending module 13, tactful receiver module 14 and tactful processing module 15.Wherein attribute information acquisition module 11 is responsible for when said starting terminal anti-virus functionality, gathering the file attribute information of local target P E file.Condition code computing module 12 is responsible for calculating the file characteristic sign indicating number of target P E file.Characteristic information sending module 13 is responsible for the characteristic information of said target P E file is sent to server, and said characteristic information comprises file characteristic sign indicating number, file attribute information and file attribute change record.Strategy receiver module 14 is responsible for receiving the processing policy that said server returns.Strategy processing module 15 is responsible for carrying out the processing of target P E file according to the said processing policy that receives.
In another embodiment, the terminal can also comprise the modification information logging modle, and this module is responsible for following the tracks of the also operation of the modification information of the file attribute information of record object PE file.
Server 2 specifically comprises: characteristic information receiver module 21, normative document feature database 22, characteristic information comparing module 23 and processing policy are distributed module 24.Wherein, characteristic information receiver module 21 is responsible for the characteristic information of the target P E file of receiving terminal transmission, and said characteristic information comprises file characteristic sign indicating number, file attribute information and file attribute change record.Normative document feature database 22 is responsible for preserving the PE file general in the internet and the condition code and the file attribute information of PE file.Characteristic information comparing module 23 is responsible for characteristic information that receives and the normative document feature database 22 that presets are compared, and judges that whether said target P E file is by virus infections.Processing policy is distributed module 24 and is responsible for generating different processing policies according to judged result, and distributes said terminal.
In another embodiment, compare with a last embodiment, the characteristic information comparing module 23 in the server 2 can specifically comprise: attribute information is confirmed unit, condition code comparing unit, attribute information comparing unit and the first file situation confirmation unit.Attribute information confirms that the unit is used for according to the file attribute information of the target P E file that receives and the source document attribute information that the file attribute change record is confirmed said target P E file.The condition code comparing unit is used for the file characteristic sign indicating number of the file characteristic sign indicating number of said target P E file and said normative document feature database 22 file is compared.The attribute information comparing unit is used for the file attribute information of the source document attribute information of said target P E file and said normative document feature database 22 file is compared.If the first file situation confirmation unit is used for said file characteristic sign indicating number and file attribute information is in full accord, confirm that then said target P E file is not by virus infections; If said file attribute information is consistent, and said file characteristic sign indicating number is inconsistent, confirm that then said target P E file is by virus infections.
Processing policy in the server 2 is distributed module 24 and can specifically be comprised: do not infect Tip element, the first download address generation unit and address and issue the unit.When not infecting Tip element and being used for confirming target P E file, return the not infected prompting of expression file to the terminal not by virus infections.When the first download address generation unit is used for confirming target P E file by virus infections, generate the download address of corresponding file in the said normative document feature database 22.The address issues the unit and is used for said download address is issued to said terminal.
Accordingly, the tactful processing module 16 at terminal 1 can specifically comprise: file isolated location, file delete unit and clean file download unit.The file isolated location is used to isolate by virus infections or doubtful by the target P E file of virus infections.The file delete unit is used to delete by virus infections or doubtful by the target P E file of virus infections.The download address of the clean file that clean file download unit is used for providing according to said server is carried out file and is downloaded.
As shown in Figure 4, be the structural representation of another embodiment of file security disposal system of the present invention.Compare with a last embodiment, present embodiment has also increased the probe device 3 based on cloud computing environment, and this probe device 3 comprises that specifically fileinfo receiver module 31, characteristic information are collected module 32 and characteristic information returns module 33.Wherein fileinfo receiver module 31 is responsible for the associated documents information of the target P E file of reception server section transmission.Characteristic information is collected module 32 and is responsible in cloud computing environment, the characteristic information of said target P E file being collected.Characteristic information returns the characteristic information that module 33 is responsible for returning to said server said target P E file.
Accordingly, server 2 can also comprise: file collection instruction issues module 25, characteristic information receiver module 26 and information gathers and comparing module 27.Wherein, File is collected instruction and is issued module 25 and be used for when said normative document feature database does not find the pairing file of source document attribute information of said target P E file, and the associated documents information of said target P E file is sent to the probe device 3 under the cloud computing environment.Characteristic information receiver module 26 is used to receive the characteristic information that said each probe device 3 is collected.Information gathers and comparing module 27 is used for the characteristic information of collecting is gathered, and the characteristic information of the said target P E file that sends with said terminal is compared.
Further, the information aggregation and comparison module may specifically comprise: a feature information comparison unit, which compares the feature information of the target PE file with the feature information returned by the probe devices; and a second file status confirmation unit, which determines that the target PE file is not infected by a virus if the feature information of the target PE file sent by the terminal is identical to the feature information returned by a proportion of the probe devices exceeding a preset first ratio, and determines that the target PE file is infected by a virus if that feature information is identical to the feature information returned by a proportion of the probe devices below a preset second ratio. The second file status confirmation unit may also determine that the target PE file is suspected of virus infection when the feature information of the target PE file sent by the terminal is identical to the feature information returned by a proportion of the probe devices that is higher than the preset second ratio and lower than the first ratio.
The processing strategy distribution module may further comprise a second download address generation unit which, when the target PE file is determined to be infected by a virus, takes the probe device source with the largest similarity proportion among the feature information returned by the probe devices as the file download source and generates the download address of that probe device source. The processing strategy distribution module may also comprise a suspected infection prompt unit, which returns to the terminal a prompt indicating that the file is suspected of being infected.
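The verdict rules described above and in claims 3 to 7, as an added Python example that is not part of the patent. The SHA-256 feature code, the (field, old, new) change-record format, the 0.8 and 0.3 thresholds, the "unknown" result when no probe answers, and all names and URLs are assumptions.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass, replace
from typing import Optional

# Assumed values: the text only speaks of a "preset first ratio" and "preset second ratio".
FIRST_RATIO = 0.8
SECOND_RATIO = 0.3


@dataclass(frozen=True)
class FileAttributes:
    """The four attributes listed in claim 8."""
    name: str
    extension: str
    created: str
    size: int


@dataclass(frozen=True)
class ProbeReport:
    source_url: str  # where this probe found a copy of the file
    code: str        # feature code of that copy


@dataclass(frozen=True)
class Verdict:
    status: str                         # "clean", "infected", "suspected" or "unknown"
    download_url: Optional[str] = None  # replacement source, when one is offered


def feature_code(data: bytes) -> str:
    """Assumption: SHA-256 stands in for the unspecified file feature code."""
    return hashlib.sha256(data).hexdigest()


def original_attributes(current, change_log):
    """Undo the terminal's change record, newest entry first.

    Assumed record format: (field, old_value, new_value) in chronological order.
    """
    attrs = current
    for field, old_value, _new_value in reversed(change_log):
        attrs = replace(attrs, **{field: old_value})
    return attrs


def judge_with_library(code, attrs, change_log, library):
    """Library comparison. Returns None when the library has no matching entry."""
    entry = library.get(original_attributes(attrs, change_log))
    if entry is None:
        return None                    # fall back to the probe devices
    known_code, url = entry
    if known_code == code:
        return Verdict("clean")        # attributes and feature code both match
    return Verdict("infected", url)    # attributes match, feature code differs


def judge_with_probes(code, reports):
    """Ratio rule over the feature codes returned by the probe devices."""
    if not reports:
        return Verdict("unknown")      # assumption: the text does not cover this case
    counts = Counter(r.code for r in reports)
    ratio = counts[code] / len(reports)
    if ratio > FIRST_RATIO:
        return Verdict("clean")
    # Interpretation: the "largest similarity proportion" source is a probe that
    # returned the most common feature code.
    majority_code = counts.most_common(1)[0][0]
    source = next(r.source_url for r in reports if r.code == majority_code)
    if ratio < SECOND_RATIO:
        return Verdict("infected", source)
    # Ratios exactly on a threshold are treated as suspected (assumption).
    return Verdict("suspected", source)


def judge(code, attrs, change_log, library, reports):
    """Library first; probe devices only when the library has no entry."""
    verdict = judge_with_library(code, attrs, change_log, library)
    return verdict if verdict is not None else judge_with_probes(code, reports)


# Constructed sample data: a clean file and the same file with bytes appended.
CLEAN = b"MZ" + b"\x00" * 62 + b"constructed clean body"
INFECTED = CLEAN + b"constructed appended bytes"
CLEAN_ATTRS = FileAttributes("notepad", "exe", "2010-05-01T10:00:00", len(CLEAN))
NOW_ATTRS = replace(CLEAN_ATTRS, size=len(INFECTED))
CHANGE_LOG = [("size", len(CLEAN), len(INFECTED))]
LIBRARY = {CLEAN_ATTRS: (feature_code(CLEAN), "https://library.example/notepad.exe")}


def probe_reports(clean_count, infected_count):
    """Constructed probe responses: some probes saw the clean copy, some the altered one."""
    codes = [feature_code(CLEAN)] * clean_count + [feature_code(INFECTED)] * infected_count
    return [ProbeReport(f"https://probe{i}.example/notepad.exe", c) for i, c in enumerate(codes)]


if __name__ == "__main__":
    print(judge(feature_code(INFECTED), NOW_ATTRS, CHANGE_LOG, LIBRARY, []))
    print(judge(feature_code(INFECTED), NOW_ATTRS, CHANGE_LOG, {}, probe_reports(6, 4)))
```

Without the change record, the altered file's new size no longer matches any library entry, so the lookup misses and the decision falls to the probe ratio rule.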
In summary, the embodiments of the secure file processing method and system provided by the present invention are advanced in technical concept. Being based on a cloud computing environment, they improve the hit rate of target file searches on the one hand and raise the efficiency of virus detection and removal on the other, greatly reducing resource usage on the client.
The present invention takes a novel approach to virus removal, reflected mainly in the following three aspects:
1. Virus detection and removal does not start from virus signatures. Instead, taking advantage of the way resources are shared on the Internet, the file is compared with clean files on the Internet. This approach of meeting constant change with a constant principle solves the problem that viruses are continually updated and hard to detect and remove.
2. The infection processing strategy no longer relies solely on the processing capability of a local antivirus engine to isolate or delete the infected file, as traditional antivirus software does; instead, it draws on the resource sharing of the Internet environment to repair the infected target file by replacing it from the Internet.
3. The system architecture of the present invention makes full use of the large number of collection probes in the cloud computing environment and the fast analysis and processing capability of the cloud computing platform to generate processing strategies quickly and feed them back to the client, so that few client resources are used.
With the development of 3G applications, virus problems on smart terminals will become increasingly prominent. The present invention is particularly suited to virus detection and removal on mobile terminals, where it can play a greater role. If the present invention is integrated with the cloud computing platform of a telecom operator, it can also provide cloud security services to the operator's Internet users.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the present invention and do not limit it. Although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the specific embodiments of the invention may still be modified, or some technical features replaced by equivalents, without departing from the spirit of the technical solution of the present invention, and all such modifications and replacements fall within the scope of the technical solution claimed by the present invention.

Claims (20)

1. A secure file processing method, comprising:
when the antivirus function is started on a terminal, collecting file attribute information of a local target portable executable (PE) file and calculating the file feature code of the target PE file;
the terminal sending the feature information of the target PE file to a server, the feature information comprising the file feature code, the file attribute information and a file attribute change record;
the server comparing the received feature information with a preset standard file feature library, determining whether the target PE file is infected by a virus, generating different processing strategies according to the determination result, and distributing them to the terminal;
the terminal processing the target PE file according to the received processing strategy.
2. The secure file processing method according to claim 1, further comprising: the terminal tracking and recording change information of the file attribute information of the target PE file.
3. The secure file processing method according to claim 1, wherein the operation in which the server compares the received feature information with the preset standard file feature library and determines whether the target PE file is infected by a virus is specifically:
the server determines the original file attribute information of the target PE file from the received file attribute information and file attribute change record of the target PE file;
the server compares the file feature code and the original file attribute information of the target PE file with the file feature code and the file attribute information, respectively, of the files in the standard file feature library;
if the file feature code and the file attribute information are both fully consistent, the target PE file is determined not to be infected by a virus;
if the file attribute information is consistent but the file feature code is not, the target PE file is determined to be infected by a virus.
4. The secure file processing method according to claim 3, wherein the operation of generating different processing strategies according to the determination result and distributing them to the terminal is specifically:
if the target PE file is determined not to be infected by a virus, no processing is performed, or a prompt indicating that the file is not infected is returned;
if the target PE file is determined to be infected by a virus, the download address of the corresponding file in the standard file feature library is generated and issued to the terminal.
5. The secure file processing method according to claim 3, wherein, if no file corresponding to the original file attribute information of the target PE file is found in the standard file feature library, the server sends the related file information of the target PE file to each probe device in the cloud computing environment;
the probe devices collect the feature information of the target PE file in the cloud computing environment and send it to the server;
the server aggregates the collected feature information and compares it with the feature information of the target PE file sent by the terminal.
6. The secure file processing method according to claim 5, wherein, when the server compares the feature information: if the feature information of the target PE file sent by the terminal is identical to the feature information returned by a proportion of the probe devices exceeding a preset first ratio, the target PE file is determined not to be infected by a virus, and no processing is performed or a prompt indicating that the file is not infected is returned; if the feature information of the target PE file sent by the terminal is identical to the feature information returned by a proportion of the probe devices below a preset second ratio, the target PE file is determined to be infected by a virus, the probe device source with the largest similarity proportion among the feature information returned by the probe devices is taken as the file download source, and the download address of that probe device source is then issued to the terminal.
7. The secure file processing method according to claim 6, wherein, if the feature information of the target PE file sent by the terminal is identical to the feature information returned by a proportion of the probe devices that is higher than the preset second ratio and lower than the first ratio, the target PE file is determined to be suspected of virus infection and a prompt indicating that the file is suspected of being infected is returned to the terminal; then, according to the operation at the terminal, the probe device source with the largest similarity proportion among the feature information returned by the probe devices is taken as the file download source, and the download address of that probe device source is issued to the terminal.
8. The secure file processing method according to any one of claims 1 to 7, wherein the file attribute information of the target PE file comprises the file name, extension, file creation time and file size.
9. A terminal based on a cloud computing environment, comprising:
an attribute information acquisition module, used to collect the file attribute information of a local target PE file when the antivirus function is started on the terminal;
a feature code calculation module, used to calculate the file feature code of the target PE file;
a feature information sending module, used to send the feature information of the target PE file to a server, the feature information comprising the file feature code, the file attribute information and a file attribute change record;
a strategy receiving module, used to receive the processing strategy returned by the server;
a strategy processing module, used to process the target PE file according to the received processing strategy.
10. The terminal according to claim 9, further comprising:
a change information recording module, used to track and record change information of the file attribute information of the target PE file.
11. The terminal according to claim 9, wherein the strategy processing module specifically comprises:
a file isolation unit, used to isolate a target PE file that is infected, or suspected of being infected, by a virus;
a file deletion unit, used to delete a target PE file that is infected, or suspected of being infected, by a virus;
a clean file download unit, used to download the file from the download address of the clean file provided by the server.
12. A server based on a cloud computing environment, comprising:
a feature information receiving module, used to receive the feature information of a target PE file sent by a terminal, the feature information comprising a file feature code, file attribute information and a file attribute change record;
a standard file feature library, used to store general PE files from the Internet and the feature codes and file attribute information of those PE files;
a feature information comparison module, used to compare the received feature information with the preset standard file feature library and determine whether the target PE file is infected by a virus;
a processing strategy distribution module, used to generate different processing strategies according to the determination result and distribute them to the terminal.
13. The server according to claim 12, wherein the feature information comparison module specifically comprises:
an attribute information determination unit, used to determine the original file attribute information of the target PE file from the received file attribute information and file attribute change record of the target PE file;
a feature code comparison unit, used to compare the file feature code of the target PE file with the file feature code of the files in the standard file feature library;
an attribute information comparison unit, used to compare the original file attribute information of the target PE file with the file attribute information of the files in the standard file feature library;
a first file status confirmation unit, used to determine that the target PE file is not infected by a virus if the file feature code and the file attribute information are both fully consistent, and to determine that the target PE file is infected by a virus if the file attribute information is consistent but the file feature code is not.
14. The server according to claim 13, wherein the processing strategy distribution module specifically comprises:
a non-infection prompt unit, used to return to the terminal a prompt indicating that the file is not infected when the target PE file is determined not to be infected by a virus;
a first download address generation unit, used to generate the download address of the corresponding file in the standard file feature library when the target PE file is determined to be infected by a virus;
an address issuing unit, used to issue the download address to the terminal.
15. The server according to claim 14, further comprising:
a file collection instruction issuing module, used to send the related file information of the target PE file to each probe device in the cloud computing environment when no file corresponding to the original file attribute information of the target PE file is found in the standard file feature library;
a feature information receiving module, used to receive the feature information collected by each probe device;
an information aggregation and comparison module, used to aggregate the collected feature information and compare it with the feature information of the target PE file sent by the terminal.
16. The server according to claim 15, wherein the information aggregation and comparison module specifically comprises:
a feature information comparison unit, used to compare the feature information of the target PE file with the feature information returned by the probe devices;
a second file status confirmation unit, used to determine that the target PE file is not infected by a virus if the feature information of the target PE file sent by the terminal is identical to the feature information returned by a proportion of the probe devices exceeding a preset first ratio, and to determine that the target PE file is infected by a virus if the feature information of the target PE file sent by the terminal is identical to the feature information returned by a proportion of the probe devices below a preset second ratio;
the processing strategy distribution module further comprises:
a second download address generation unit, used, when the target PE file is determined to be infected by a virus, to take the probe device source with the largest similarity proportion among the feature information returned by the probe devices as the file download source and generate the download address of that probe device source.
17. The server according to claim 16, wherein the second file status confirmation unit is further used to determine that the target PE file is suspected of virus infection when the feature information of the target PE file sent by the terminal is identical to the feature information returned by a proportion of the probe devices that is higher than the preset second ratio and lower than the first ratio;
the processing strategy distribution module further comprises:
a suspected infection prompt unit, used to return to the terminal a prompt indicating that the file is suspected of being infected.
18. A probe device based on a cloud computing environment, comprising:
a file information receiving module, used to receive the related file information of a target PE file sent by the server side;
a feature information collection module, used to collect the feature information of the target PE file in the cloud computing environment;
a feature information return module, used to return the feature information of the target PE file to the server.
19. A secure file processing system, comprising the terminal according to any one of claims 9 to 11 and the server according to any one of claims 12 to 17, the terminal being connected to the server.
20. The secure file processing system according to claim 19, further comprising a plurality of the probe devices according to claim 18 in the cloud computing environment, the probe devices being connected to the server.
CN201110008701.6A 2011-01-17 2011-01-17 Secure file processing method, equipment and system Active CN102592103B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110008701.6A CN102592103B (en) 2011-01-17 2011-01-17 Secure file processing method, equipment and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110008701.6A CN102592103B (en) 2011-01-17 2011-01-17 Secure file processing method, equipment and system

Publications (2)

Publication Number Publication Date
CN102592103A true CN102592103A (en) 2012-07-18
CN102592103B CN102592103B (en) 2015-04-08

Family

ID=46480722

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110008701.6A Active CN102592103B (en) 2011-01-17 2011-01-17 Secure file processing method, equipment and system

Country Status (1)

Country Link
CN (1) CN102592103B (en)

Also Published As

Publication number Publication date
CN102592103B (en) 2015-04-08

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant