CN102592103B - Secure file processing method, equipment and system - Google Patents

Info

Publication number: CN102592103B
Authority: CN (China)
Application number: CN201110008701.6A
Other languages: Chinese (zh)
Other versions: CN102592103A (en)
Inventors: 刘国萍, 赵鹏
Original assignee: 中国电信股份有限公司
Application filed by: 中国电信股份有限公司
Legal events: priority to CN201110008701.6A; publication of CN102592103A; application granted; publication of CN102592103B

Abstract

The invention relates to a secure file processing method. The method comprises the following steps: when a terminal starts its antivirus function, it collects the file attribute information of a local target PE (portable executable) file and calculates the file feature code of the target PE file; the terminal sends the feature information of the target PE file to a server; the server compares the received feature information with a preset standard file feature library to determine whether the target PE file is infected by a virus, generates different processing strategies according to the result, and sends the processing strategies to the terminal; and the terminal processes the target PE file according to the received processing strategies. The invention also relates to a secure file processing system, a terminal, a server and probe equipment. Based on a cloud computing environment, the method can remove file-infecting viruses and repair infected files without frequent upgrades of a virus signature library, can remove unknown viruses and repair the files they infect, and occupies fewer user terminal resources.

Description

Secure file processing method, equipment and system

Technical field

The present invention relates to internet application technology and communication technology, and in particular to a secure file processing method, equipment and system in a cloud computing environment.

Background

With the deepening of IT adoption across industries, the internet is used ever more widely in every field. As network technology and the network economy develop, people use the internet to obtain all kinds of software resources and useful information, while others use those same resources to spread various viruses between computers on the internet, including file-infecting viruses of all kinds, network worms and so on, in order to steal useful data or information, disrupt services or destroy data, consume system resources, and achieve other covert purposes.

At present there are methods for detecting and identifying network worms from network traffic. File-infecting viruses, however, are parasitic on programs that are useful to the user, have many variants and are hard to detect. An outbreak directly affects the use of the user terminal, causes the user great inconvenience, and poses a serious risk to the user's privacy and interests.

Most existing antivirus software detects and removes viruses on the basis of virus signatures, combined with manual work. A virus signature library is stored on the user terminal; when the antivirus engine scans, it compares the program body against the signatures in the library to judge whether the program is infected. If a program file is infected, the infected file is handled according to the kind of infection: for a relatively simple virus, the original program file is restored by deleting the viral code; for a more complex virus, the whole program file can only be deleted or quarantined.

The prior-art solutions for detecting and removing file-infecting viruses have at least the following four defects:

(1) The virus signature library must be upgraded frequently: the terminal's detection and removal of a virus depends on comparing the viral code in the program body with the virus signature library stored locally in advance, so as viral code is updated frequently, the library used for the comparison must also be upgraded frequently;

(2) Unknown viruses are hard to identify: the core of the antivirus engine's work is code comparison, so when an infection is caused by a virus with no corresponding code in the preset virus signature library, the engine can only attempt tentative removal based on the actual viral code in the program body; now that virus variants are increasingly diverse, traditional antivirus software cannot keep up;

(3) Infected files easily become unusable: because viruses are complex and encrypted, even when antivirus software identifies the viral code in the program body, the complexity of the encryption the viral code uses makes it hard to decrypt the valid data needed to restore the program file; to prevent reinfection, antivirus software can usually only quarantine or delete the whole original file;

(4) High consumption of system resources: because detection, comparison, analysis and handling of viruses are all done on the user terminal, they consume a large share of the terminal's CPU and RAM.

Summary of the invention

The object of the invention is to provide a secure file processing method, equipment and system that can detect and remove file-infecting viruses based on a cloud computing environment and repair infected files without frequent upgrades of a virus signature library, that can also detect and remove unknown viruses and repair the files they infect, and that occupy fewer user terminal resources.

To achieve the above object, the invention provides a secure file processing method, comprising:

when a terminal starts its antivirus function, collecting the file attribute information of a local target portable executable (PE) file and calculating the file feature code of the target PE file;

the terminal sending the feature information of the target PE file to a server, the feature information comprising the file feature code, the file attribute information and a file attribute change record;

the server comparing the received feature information with a preset standard file feature library, judging whether the target PE file is infected by a virus, generating different processing strategies according to the judgment result, and sending them to the terminal;

the terminal processing the target PE file according to the received processing strategy.

To achieve the above object, the invention provides a terminal based on a cloud computing environment, comprising:

an attribute information collection module, for collecting the file attribute information of a local target PE file when the terminal starts its antivirus function;

a feature code calculation module, for calculating the file feature code of the target PE file;

a feature information sending module, for sending the feature information of the target PE file to a server, the feature information comprising the file feature code, the file attribute information and a file attribute change record;

a strategy receiving module, for receiving the processing strategy returned by the server;

a strategy processing module, for processing the target PE file according to the received processing strategy.

To achieve the above object, the invention provides a server based on a cloud computing environment, comprising:

a feature information receiving module, for receiving the feature information of the target PE file sent by a terminal, the feature information comprising the file feature code, the file attribute information and a file attribute change record;

a standard file feature library, for storing the PE files in common use on the internet together with the feature codes and file attribute information of those PE files;

a feature information comparison module, for comparing the received feature information with the preset standard file feature library and judging whether the target PE file is infected by a virus;

a processing strategy distribution module, for generating different processing strategies according to the judgment result and sending them to the terminal.

To achieve the above object, the invention provides a probe device based on a cloud computing environment, comprising:

a file information receiving module, for receiving the relevant file information of the target PE file sent by the server side;

a feature information collection module, for collecting the feature information of the target PE file in the cloud computing environment;

a feature information return module, for returning the feature information of the target PE file to the server.

To achieve the above object, the invention also provides a file security processing system comprising the aforementioned terminal and server, the terminal being connected to the server.

Based on the above technical solution, the invention exploits resource sharing on the internet: it detects and removes viruses by comparing local PE files with clean files on the internet, and can repair infected files from the clean files on the internet. No frequent upgrade of a virus signature library is needed, unknown viruses can also be detected and removed, and because the process is mainly completed on the network side, only a small share of user terminal resources is occupied.

Brief description of the drawings

The drawings described here are provided for further understanding of the invention and form part of this application. The illustrative embodiments of the invention and their description serve to explain the invention and do not unduly limit it. In the drawings:

Fig. 1 is a flow diagram of one embodiment of the secure file processing method of the invention.

Fig. 2 is a flow diagram of another embodiment of the secure file processing method of the invention.

Fig. 3 is a structural diagram of one embodiment of the file security processing system of the invention.

Fig. 4 is a structural diagram of another embodiment of the file security processing system of the invention.

Detailed description of the embodiments

The technical solution of the invention is described in further detail below with reference to the drawings and embodiments.

A file-infecting virus in the present invention is a virus that can infect PE files on disk (portable executable files, including files the system can execute directly or execute through linking, such as COM, EXE, SYS and DLL files). The file attributes of such files are usually relatively fixed, and they are the main file type that parasitic file viruses infect. A file-infecting virus infects mainly by modifying the code of specific parts of the file (such as the values of the words at 02H, 04H, 0EH, 10H, 14H and 16H in the EXE file header) and inserting the viral code into the file body, so that when the program file is run the viral code executes before the program file and stays resident in memory.
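
The following Python code is an added example, not part of the patent text. It reads the six header words listed above from the DOS MZ header that EXE files begin with, reports which of them differ between a reference copy and a local copy, and shows that any such difference also changes a whole-file feature code. The field names, the use of SHA-256 as the feature code and both sample images are assumptions constructed for the illustration.

```python
import hashlib
import struct

# The six header words named in the paragraph, with the conventional
# DOS MZ header field that each offset holds.
HEADER_WORDS = {
    0x02: "bytes_in_last_page",
    0x04: "pages_in_file",
    0x0E: "initial_ss",
    0x10: "initial_sp",
    0x14: "initial_ip",
    0x16: "initial_cs",
}


def read_header_words(image: bytes) -> dict:
    """Return the little-endian 16-bit value stored at each listed offset."""
    if len(image) < 0x18 or image[:2] != b"MZ":
        raise ValueError("not a DOS MZ executable image")
    return {name: struct.unpack_from("<H", image, offset)[0]
            for offset, name in HEADER_WORDS.items()}


def changed_words(reference: bytes, local: bytes) -> dict:
    """Map field name -> (reference value, local value) for words that differ."""
    ref, loc = read_header_words(reference), read_header_words(local)
    return {name: (ref[name], loc[name]) for name in ref if ref[name] != loc[name]}


def feature_code(image: bytes) -> str:
    # Assumption: SHA-256 over the whole file stands in for the feature code,
    # whose algorithm the patent does not name.
    return hashlib.sha256(image).hexdigest()


def sample_image(body_len: int, ip: int, cs: int, ss: int, sp: int) -> bytes:
    """Constructed test input: a 32-byte MZ header followed by zero padding."""
    header_paragraphs = 2                     # header size in 16-byte units
    total = header_paragraphs * 16 + body_len
    header = struct.pack(
        "<2s13H", b"MZ",
        total % 512,                          # 02H bytes used in the last page
        (total + 511) // 512,                 # 04H number of 512-byte pages
        0, header_paragraphs, 0, 0xFFFF,      # 06H-0CH relocs, header size, min/max alloc
        ss, sp,                               # 0EH, 10H
        0,                                    # 12H checksum
        ip, cs,                               # 14H, 16H
        0x1C, 0,                              # 18H relocation table offset, 1AH overlay
    )
    return header.ljust(header_paragraphs * 16, b"\x00") + bytes(body_len)


# Constructed pair: the local copy is longer and starts execution elsewhere.
REFERENCE = sample_image(1000, ip=0x0000, cs=0x0000, ss=0x0040, sp=0x0100)
LOCAL = sample_image(1600, ip=0x0010, cs=0x0040, ss=0x0070, sp=0x0100)

if __name__ == "__main__":
    for name, (ref, loc) in changed_words(REFERENCE, LOCAL).items():
        print(f"{name}: {ref:#06x} -> {loc:#06x}")
    print("feature codes equal:", feature_code(REFERENCE) == feature_code(LOCAL))
```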

In the internet era, the main route of infection for file-infecting viruses is resource sharing between user terminals on the internet. The theoretical basis of the invention is therefore that a corresponding copy of any PE file on a user terminal can be found on the internet, and that the probability of obtaining an uninfected PE file (a clean file) on the internet is greater than that of obtaining an infected one. In addition, users do not normally modify the code of PE files.

Fig. 1 is a flow diagram of one embodiment of the secure file processing method of the invention. In this embodiment, the file security processing flow comprises:

Step 101: when the terminal starts its antivirus function, it collects the file attribute information of the local target portable executable (PE) file and calculates the file feature code of the target PE file;

Step 102: the terminal sends the feature information of the target PE file to the server, the feature information comprising the file feature code, the file attribute information and the file attribute change record;

Step 103: the server compares the received feature information with the preset standard file feature library and judges whether the target PE file is infected by a virus;

Step 104: the server generates different processing strategies according to the judgment result and sends them to the terminal;

Step 105: the terminal processes the target PE file according to the received processing strategy.

In this embodiment, virus detection is no longer performed by an antivirus engine local to the terminal but by a server on the network side. The antivirus engine and virus library on the terminal therefore need no frequent upgrades, and the main work of detection and removal is done on the network side, which not only greatly saves the terminal's CPU, memory and other resources that virus scanning would occupy, but also makes full use of the fast analysis and processing capability of the cloud computing environment. This approach is particularly suitable for mobile terminals with limited functional resources.

As for the detection method, the invention directly compares the feature information of the clean file stored in the standard file feature library with the feature information sent by the terminal. This method does not work from identifying viral code; it judges directly whether the target PE file is infected. Detection of this kind is more direct and efficient, and it can still judge accurately whether a file is infected even though viruses on today's networks constantly update and mutate.

In this embodiment, the terminal in step 102 sends the feature information of the target PE file to the server. The feature information includes the change information of the file attribute information, which is combined with the current file attributes of the target PE file to determine the original file attribute information of the target PE file. The terminal must continuously track and record this change information.

In another embodiment, see Fig. 2, the comparison and judgment in step 103 may specifically comprise the following steps:

Step 201: the server determines the original file attribute information of the target PE file from the received file attribute information and file attribute change record of the target PE file. The file attribute information may include the file name, extension, file creation time, file size and similar information; attributes can be added or removed as required.

Step 202: the server compares the file feature code and the original file attribute information of the target PE file with the file feature codes and file attribute information of the files in the standard file feature library, respectively. The standard file feature library can store feature codes calculated from the files in advance, so nothing needs to be recalculated at each comparison, which also improves comparison efficiency.

Step 203: if the file feature code and the file attribute information are both fully consistent, the target PE file is determined not to be infected by a virus;

Step 204: if the file attribute information is consistent but the file feature code is not, the target PE file is determined to be infected by a virus.

The server produces a different processing strategy for each judgment result: where step 203 confirms that the target PE file is not infected by a virus, step 205 can be performed; where step 204 confirms that the target PE file is infected by a virus, step 206 can be performed;

Step 205: the server does nothing, or returns to the terminal a prompt indicating that the file is not infected;

Step 206: the server generates the download address of the corresponding file in the standard file feature library and sends it to the terminal.
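
The following Python code is an added example, not part of the patent text, showing one way a server could carry out steps 201 to 206 and hand over to the probe lookup when the library has no matching entry. The change-record format (an ordered list of old/new attribute values), the use of SHA-256 as the feature code, the library layout and every file name and URL are assumptions constructed for the illustration.

```python
import hashlib
from dataclasses import dataclass, replace
from typing import NamedTuple, Optional


@dataclass(frozen=True)
class FileAttributes:
    name: str
    extension: str
    created: str   # creation time, ISO 8601
    size: int      # bytes


class Change(NamedTuple):
    field: str     # attribute that changed
    old: object    # value before the change
    new: object    # value after the change


class Strategy(NamedTuple):
    verdict: str                  # "clean", "infected" or "ask_probes"
    download_url: Optional[str]   # clean copy offered to the terminal, if any


def feature_code(data: bytes) -> str:
    # Assumption: SHA-256 stands in for the unspecified feature code.
    return hashlib.sha256(data).hexdigest()


def original_attributes(current: FileAttributes, changes: list) -> FileAttributes:
    """Step 201: undo the change record, newest entry first."""
    attrs = current
    for change in reversed(changes):
        if getattr(attrs, change.field) != change.new:
            raise ValueError(f"change record does not match attribute {change.field!r}")
        attrs = replace(attrs, **{change.field: change.old})
    return attrs


def decide(library: dict, code: str, current: FileAttributes, changes: list) -> Strategy:
    """Steps 202-206, plus the hand-over to the probes when nothing matches."""
    entry = library.get(original_attributes(current, changes))
    if entry is None:
        return Strategy("ask_probes", None)    # no library file with these attributes
    clean_code, url = entry
    if clean_code == code:
        return Strategy("clean", None)         # steps 203 and 205
    return Strategy("infected", url)           # steps 204 and 206


# Constructed sample data: one library entry and two versions of the file.
CREATED = "2010-11-20T08:00:00"
CLEAN_BYTES = b"MZ" + bytes(4094)
ALTERED_BYTES = CLEAN_BYTES + bytes(2048)
LIBRARY_URL = "https://library.example.invalid/viewer.exe"
LIBRARY = {
    FileAttributes("viewer", "exe", CREATED, 4096): (feature_code(CLEAN_BYTES), LIBRARY_URL),
}

if __name__ == "__main__":
    grown = FileAttributes("viewer", "exe", CREATED, 6144)
    record = [Change("size", 4096, 6144)]
    print(decide(LIBRARY, feature_code(ALTERED_BYTES), grown, record))
    print(decide(LIBRARY, feature_code(ALTERED_BYTES), grown, []))
```

With the change record, the grown file still maps to its library entry and is judged infected; without it, the attributes no longer match and the decision falls through to the probes.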

Where the file attribute information is inconsistent, that is, no file corresponding to the original file attribute information of the target PE file is found in the standard file feature library, the server can send the relevant file information of the target PE file to each probe device in the cloud computing environment (step 207). The relevant file information here can be the file attribute information and the file attribute change record of the target PE file, or the original file attribute information of the target PE file;

Step 208: the probe devices collect the feature information of the target PE file in the cloud computing environment and send it to the server;

Step 209: the server aggregates the collected feature information and compares it with the feature information of the target PE file sent by the terminal.

When the server compares the feature information in step 209: if the feature information of the target PE file sent by the terminal is identical to the feature information returned by more than a preset first ratio a% (for example, > 70%) of the probe devices, the target PE file is determined not to be infected by a virus (step 210) and step 212 is performed; if it is identical to the feature information returned by fewer than a preset second ratio b% (for example, < 50%) of the probe devices, the target PE file is determined to be infected by a virus (step 211) and step 213 is performed.

Step 212: the server does nothing, or returns to the terminal a prompt indicating that the file is not infected;

Step 213: the server takes the probe device source with the maximum similar proportion among the feature information returned by the probe devices as the file download source, and sends the download address of that probe device source to the terminal.

If the feature information of the target PE file sent by the terminal is identical to the feature information returned by a share of the probe devices that is above the preset second ratio and below the first ratio (for example, > 50% and < 70%), the target PE file can be confirmed as suspected of being infected by a virus (step 214), and a prompt indicating that the file is suspected of being infected is returned to the terminal. Then, depending on the operation at the terminal, the probe device source with the maximum similar proportion among the feature information returned by the probe devices is taken as the file download source, and the download address of that probe device source is sent to the terminal (step 215).

In the above embodiments, the probe devices search the cloud computing environment when the server's standard file feature library holds no clean file corresponding to the target PE file. Because many probes can be deployed and they search in parallel, a wider range of the internet can be searched and the search is also more efficient. The server aggregates the feature information returned by the probe devices; the idea of the aggregation is mainly to judge whether the share of probe-returned feature information that is identical to the feature information of the target PE file reaches a certain proportion of the total feature information reported for similar files. As noted above, the theoretical basis on which the invention judges infection is that the probability of obtaining an uninfected PE file on the internet is higher than that of obtaining an infected one, so through this aggregation and comparison the server can determine with high accuracy whether the target PE file is infected.

In the aggregation and comparison, the first and second ratios are not limited to the 50% and 70% given as examples above; they can be adjusted continually according to statistics on the results in use, to maintain high judgment accuracy. In addition, if the comparison result is exactly the first ratio or the second ratio, the judgment can be chosen according to the actual situation. For example, when the share of probe-returned feature information identical to the feature information of the target PE file is exactly 50% of the total feature information reported for similar files, the file can be confirmed as not infected, or as suspected of infection.
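
The following Python code is an added example, not part of the patent text, of the aggregation in steps 209 to 215 with adjustable ratios and an explicit choice for a result that lands exactly on a threshold. Reading "maximum similar proportion" as the feature code reported by the largest share of probes, the "no_data" result for an empty report set, and all report values and URLs are assumptions constructed for the illustration.

```python
from collections import Counter
from fractions import Fraction
from typing import NamedTuple, Optional


class ProbeReport(NamedTuple):
    source_url: str     # where the probe found its copy of the file
    feature_code: str   # feature code of that copy


class Verdict(NamedTuple):
    status: str                       # "clean", "infected", "suspected" or "no_data"
    match_ratio: Optional[Fraction]   # share of reports equal to the terminal's code
    download_url: Optional[str]       # probe source offered as replacement, if any


def aggregate(terminal_code: str, reports: list,
              first_ratio: Fraction = Fraction(70, 100),
              second_ratio: Fraction = Fraction(50, 100),
              boundary_status: str = "suspected") -> Verdict:
    """Steps 209-215. Exact fractions keep the threshold comparison free of
    floating-point rounding, which matters for results that sit on a ratio."""
    if not second_ratio < first_ratio:
        raise ValueError("second ratio must be below first ratio")
    if not reports:
        return Verdict("no_data", None, None)   # assumption: nothing to compare
    counts = Counter(r.feature_code for r in reports)
    ratio = Fraction(counts[terminal_code], len(reports))
    # Source holding the feature code that the largest share of probes reported.
    majority_code, _ = counts.most_common(1)[0]
    source = next(r.source_url for r in reports if r.feature_code == majority_code)
    if ratio in (first_ratio, second_ratio):
        status = boundary_status                # exactly on a threshold: operator's choice
    elif ratio > first_ratio:
        status = "clean"                        # steps 210 and 212
    elif ratio < second_ratio:
        status = "infected"                     # steps 211 and 213
    else:
        status = "suspected"                    # steps 214 and 215
    return Verdict(status, ratio, None if status == "clean" else source)


# Constructed sample data: two feature codes seen by the probes.
CODE_A = "a" * 64
CODE_B = "b" * 64


def sample_reports(matching: int, other: int) -> list:
    """`matching` reports carrying CODE_A followed by `other` carrying CODE_B."""
    codes = [CODE_A] * matching + [CODE_B] * other
    return [ProbeReport(f"https://probe{i}.example.invalid/viewer.exe", code)
            for i, code in enumerate(codes)]


if __name__ == "__main__":
    for matching in (8, 7, 6, 5, 3):
        verdict = aggregate(CODE_A, sample_reports(matching, 10 - matching))
        print(matching, verdict.status, verdict.match_ratio, verdict.download_url)
```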

For cases where it cannot be determined directly whether the target PE file is infected, the invention defines the file as suspected of being infected and prompts the user with this information, leaving the judgment to the user. If the user is certain that the target PE file is clean, nothing needs to be done. If the user cannot tell whether the target PE file is infected and is concerned about the threat a virus poses to the system, the terminal can obtain from the server the source probe corresponding to the feature information with the maximum similar proportion found by the probes, download the corresponding file through that source probe, and replace the local target PE file with it. The file corresponding to the feature information with the maximum similar proportion found by the probe devices (that is, the file identified as clean) can be downloaded into the server's standard file feature library and stored there, so that the library keeps growing and gives users a more convenient antivirus function.

A person of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be carried out by hardware under the control of program instructions. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.

Fig. 3 is a structural diagram of one embodiment of the file security processing system of the invention. In this embodiment, the file security processing system comprises a terminal 1 and a server 2 connected to each other. Both are devices based on a cloud computing environment. Terminal 1 can be any kind of computer on which the client is deployed, or a mobile device on which the client is deployed. Server 2 is a device deployed on the network side; it can be a single device that processes centrally, or multiple devices that process in a distributed manner.

Terminal 1 may specifically comprise: attribute information collection module 11, feature code calculation module 12, feature information sending module 13, strategy receiving module 14 and strategy processing module 15. Attribute information collection module 11 collects the file attribute information of the local target PE file when the terminal starts its antivirus function. Feature code calculation module 12 calculates the file feature code of the target PE file. Feature information sending module 13 sends the feature information of the target PE file to the server, the feature information comprising the file feature code, the file attribute information and the file attribute change record. Strategy receiving module 14 receives the processing strategy returned by the server. Strategy processing module 15 processes the target PE file according to the received processing strategy.

In another embodiment, the terminal can also include a change information recording module, which tracks and records the change information of the file attribute information of the target PE file.

Server 2 specifically comprises: feature information receiving module 21, standard file feature library 22, feature information comparison module 23 and processing strategy distribution module 24. Feature information receiving module 21 receives the feature information of the target PE file sent by the terminal, the feature information comprising the file feature code, the file attribute information and the file attribute change record. Standard file feature library 22 stores the PE files in common use on the internet together with the feature codes and file attribute information of those PE files. Feature information comparison module 23 compares the received feature information with the preset standard file feature library 22 and judges whether the target PE file is infected by a virus. Processing strategy distribution module 24 generates different processing strategies according to the judgment result and sends them to the terminal.

In another embodiment, compared with the previous embodiment, the feature information comparison module 23 in server 2 may specifically comprise: an attribute information determining unit, a feature code comparing unit, an attribute information comparing unit and a first file status confirming unit. The attribute information determining unit determines the original file attribute information of the target PE file from the received file attribute information and file attribute change record of the target PE file. The feature code comparing unit compares the file feature code of the target PE file with the file feature codes of the files in the standard file feature library 22. The attribute information comparing unit compares the original file attribute information of the target PE file with the file attribute information of the files in the standard file feature library 22. The first file status confirming unit determines that the target PE file is not infected by a virus if the file feature code and the file attribute information are both fully consistent, and determines that the target PE file is infected by a virus if the file attribute information is consistent but the file feature code is not.

The processing strategy distribution module 24 in server 2 may specifically comprise: a not-infected prompt unit, a first download address generating unit and an address issuing unit. The not-infected prompt unit returns to the terminal a prompt indicating that the file is not infected when the target PE file is determined not to be infected by a virus. The first download address generating unit generates the download address of the corresponding file in the standard file feature library 22 when the target PE file is determined to be infected by a virus. The address issuing unit sends the download address to the terminal.

Correspondingly, the strategy processing module 16 of terminal 1 may specifically comprise: a file quarantine unit, a file deletion unit and a clean file download unit. The file quarantine unit quarantines a target PE file that is infected, or suspected of being infected, by a virus. The file deletion unit deletes a target PE file that is infected, or suspected of being infected, by a virus. The clean file download unit downloads the file from the download address of the clean file provided by the server.

Fig. 4 is a structural diagram of another embodiment of the file security processing system of the invention. Compared with the previous embodiment, this embodiment adds a probe device 3 based on the cloud computing environment. Probe device 3 specifically comprises file information receiving module 31, feature information collection module 32 and feature information return module 33. File information receiving module 31 receives the relevant file information of the target PE file sent by the server side. Feature information collection module 32 collects the feature information of the target PE file in the cloud computing environment. Feature information return module 33 returns the feature information of the target PE file to the server.

Correspondingly, server 2 can also comprise: file collection instruction issuing module 25, feature information receiving module 26, and information aggregation and comparison module 27. File collection instruction issuing module 25 sends the relevant file information of the target PE file to the probe devices 3 in the cloud computing environment when no file corresponding to the original file attribute information of the target PE file is found in the standard file feature library. Feature information receiving module 26 receives the feature information collected by each probe device 3. Information aggregation and comparison module 27 aggregates the collected feature information and compares it with the feature information of the target PE file sent by the terminal.

Further, the information aggregation and comparison module may specifically comprise: a feature information comparing unit, for comparing the feature information of the target PE file with the feature information returned by the probe devices; and a second file status confirming unit, for determining that the target PE file is not infected by a virus if the feature information of the target PE file sent by the terminal is identical to the feature information returned by more than the preset first ratio of the probe devices, and determining that the target PE file is infected by a virus if it is identical to the feature information returned by fewer than the preset second ratio of the probe devices. The second file status confirming unit can also be used to confirm that the target PE file is suspected of being infected by a virus when the feature information of the target PE file sent by the terminal is identical to the feature information returned by a share of the probe devices above the preset second ratio and below the first ratio.

The processing strategy distribution module can also comprise: a second download address generating unit which, when the target PE file is determined to be infected by a virus, takes the probe device source with the maximum similar proportion among the feature information returned by the probe devices as the file download source and generates the download address of that probe device source. The processing strategy distribution module can also comprise: a suspected-infection prompt unit, for returning to the terminal a prompt indicating that the file is suspected of being infected.

In summary, the secure file processing method and system embodiments provided by the present invention are advanced in technical concept. Adopting a cloud computing environment improves the hit rate of target file searches on the one hand and the efficiency of virus detection and removal on the other, and greatly reduces resource usage on the client.

The present invention is relatively novel and distinctive in its method of virus detection and removal, mainly in the following three aspects:

1. The approach to virus detection and removal does not start from virus signatures; instead, it exploits resource sharing on the Internet and compares the file against clean files on the Internet. Meeting constant change with a constant principle in this way solves the problem that viruses are continually updated and therefore hard to detect and remove.

2. The infection processing policy no longer relies solely on the processing power of a local antivirus engine to isolate or delete infected files, as traditional antivirus software does; instead, it makes full use of resource sharing in the Internet environment to repair the infected target file by replacing it with a copy obtained over the Internet.

3. The system architecture of the present invention makes full use of the large number of collection probes in the cloud computing environment and the fast analysis and processing capability of the cloud computing platform to generate processing policies quickly and feed them back to the client, consuming few client resources.

With the development of 3G applications, virus problems on smart terminals will become increasingly prominent. The present invention is particularly suitable for virus detection and removal on mobile terminals, where it will play a larger role. If the present invention is integrated with a telecom operator's cloud computing platform, it can also provide cloud security services to the operator's Internet users.

Finally, it should be noted that the above embodiments are intended only to illustrate the technical solution of the present invention, not to limit it. Although the invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the specific embodiments may still be modified, or some technical features equivalently replaced, without departing from the spirit of the technical solution of the present invention, and all such modifications and replacements shall fall within the scope of the technical solution claimed by the present invention.

Claims (14)

1. A secure file processing method, comprising:
When a terminal starts its anti-virus function, collecting file attribute information of a local target portable executable (PE) file, and calculating a file feature code of the target PE file;
Sending, by the terminal, feature information of the target PE file to a server, the feature information comprising the file feature code, the file attribute information and a file attribute change record;
Comparing, by the server, the received feature information with a preset standard file feature library that stores clean files, to judge whether the target PE file is infected by a virus;
If it is determined that the target PE file is not infected by a virus, performing no processing or returning a prompt indicating that the file is not infected;
If it is determined that the target PE file is infected by a virus, generating a download address of the corresponding file in the standard file feature library, and issuing it to the terminal;
Processing, by the terminal, the target PE file according to the received processing policy;
Wherein the operation in which the server compares the received feature information with the preset standard file feature library to judge whether the target PE file is infected by a virus is specifically:
The server determines original file attribute information of the target PE file according to the received file attribute information of the target PE file and the file attribute change record;
The server compares the file feature code and the original file attribute information of the target PE file with the file feature code and the file attribute information, respectively, of a file in the standard file feature library;
If the file feature code and the file attribute information are both fully consistent, it is determined that the target PE file is not infected by a virus;
If the file attribute information is consistent but the file feature code is inconsistent, it is determined that the target PE file is infected by a virus.
2. The secure file processing method according to claim 1, further comprising: an operation in which the terminal tracks and records change information of the file attribute information of the target PE file.
3. The secure file processing method according to claim 1, wherein, if no file corresponding to the original file attribute information of the target PE file is found in the standard file feature library, the server sends the related file information of the target PE file to each probe device in the cloud computing environment;
The probe devices collect feature information of the target PE file in the cloud computing environment and send it to the server;
The server aggregates the collected feature information and compares it with the feature information of the target PE file sent by the terminal.
4. The secure file processing method according to claim 3, wherein, when the server compares the feature information: if the feature information of the target PE file sent by the terminal is identical to the feature information returned by more than a preset first ratio of the probe devices, it is determined that the target PE file is not infected by a virus, and no processing is performed or a prompt indicating that the file is not infected is returned; if the feature information of the target PE file sent by the terminal is identical to the feature information returned by fewer than a preset second ratio of the probe devices, it is determined that the target PE file is infected by a virus, the probe device source having the largest similar proportion among the feature information returned by the probe devices is taken as the file download source, and the download address of that probe device source is issued to the terminal.
5. The secure file processing method according to claim 4, wherein, if the feature information of the target PE file sent by the terminal is identical to the feature information returned by a proportion of the probe devices that is higher than the preset second ratio and lower than the first ratio, it is confirmed that the target PE file is suspected of being infected by a virus, and a prompt indicating that the file is suspected of being infected is returned to the terminal; then, according to an operation of the terminal, the probe device source having the largest similar proportion among the feature information returned by the probe devices is taken as the file download source, and the download address of that probe device source is issued to the terminal.
6. The secure file processing method according to any one of claims 1 to 5, wherein the file attribute information of the target PE file comprises file name, extension, file creation time and file size.
7. A server based on a cloud computing environment, comprising:
A feature information receiving module, configured to receive feature information of a target PE file sent by a terminal, the feature information comprising a file feature code, file attribute information and a file attribute change record;
A standard file feature library, configured to store clean PE files on the Internet together with the feature codes and file attribute information of those PE files;
A feature information comparison module, configured to compare the received feature information with the preset standard file feature library to judge whether the target PE file is infected by a virus;
A processing policy distribution module, configured to generate different processing policies according to the judgment result and distribute them to the terminal;
Wherein the processing policy distribution module specifically comprises:
A non-infection prompt unit, configured to return to the terminal a prompt indicating that the file is not infected when it is determined that the target PE file is not infected by a virus;
A first download address generation unit, configured to generate a download address of the corresponding file in the standard file feature library when it is determined that the target PE file is infected by a virus;
An address issuing unit, configured to issue the download address to the terminal,
Wherein the feature information comparison module specifically comprises:
An attribute information determination unit, configured to determine original file attribute information of the target PE file according to the received file attribute information of the target PE file and the file attribute change record;
A feature code comparison unit, configured to compare the file feature code of the target PE file with the file feature code of a file in the standard file feature library;
An attribute information comparison unit, configured to compare the original file attribute information of the target PE file with the file attribute information of the file in the standard file feature library;
A first file status confirmation unit, configured to determine that the target PE file is not infected by a virus if the file feature code and the file attribute information are both fully consistent, and to determine that the target PE file is infected by a virus if the file attribute information is consistent but the file feature code is inconsistent.
8. The server according to claim 7, further comprising:
A file collection instruction issuing module, configured to send the related file information of the target PE file to each probe device in the cloud computing environment when no file corresponding to the original file attribute information of the target PE file is found in the standard file feature library;
A feature information receiving module, configured to receive the feature information collected by each probe device;
An information aggregation and comparison module, configured to aggregate the collected feature information and compare it with the feature information of the target PE file sent by the terminal.
9. The server according to claim 8, wherein the information aggregation and comparison module specifically comprises:
A feature information comparison unit, configured to compare the feature information of the target PE file with the feature information returned by the probe devices;
A second file status confirmation unit, configured to determine that the target PE file is not infected by a virus if the feature information of the target PE file sent by the terminal is identical to the feature information returned by more than a preset first ratio of the probe devices, and to determine that the target PE file is infected by a virus if the feature information of the target PE file sent by the terminal is identical to the feature information returned by fewer than a preset second ratio of the probe devices;
The processing policy distribution module further comprises:
A second download address generation unit, configured, when it is determined that the target PE file is infected by a virus, to take the probe device source having the largest similar proportion among the feature information returned by the probe devices as the file download source and to generate the download address of that probe device source.
10. The server according to claim 9, wherein the second file status confirmation unit is further configured to confirm that the target PE file is suspected of being infected by a virus when the feature information of the target PE file sent by the terminal is identical to the feature information returned by a proportion of the probe devices that is higher than the preset second ratio and lower than the first ratio;
The processing policy distribution module further comprises:
A suspected infection prompt unit, configured to return to the terminal a prompt indicating that the file is suspected of being infected.
11. A file security processing system, comprising a terminal based on a cloud computing environment and the server according to any one of claims 7 to 10, the terminal being connected to the server,
The terminal comprises:
An attribute information collection module, configured to collect file attribute information of a local target PE file when the terminal starts its anti-virus function;
A feature code calculation module, configured to calculate a file feature code of the target PE file;
A feature information sending module, configured to send feature information of the target PE file to the server, the feature information comprising the file feature code, the file attribute information and a file attribute change record;
A policy receiving module, configured to receive the processing policy returned by the server;
A policy processing module, configured to process the target PE file according to the received processing policy.
12. The file security processing system according to claim 11, wherein the terminal further comprises:
A change information recording module, configured to track and record change information of the file attribute information of the target PE file.
13. The file security processing system according to claim 11, wherein the policy processing module specifically comprises:
A file isolation unit, configured to isolate a target PE file that is infected, or suspected of being infected, by a virus;
A file deletion unit, configured to delete a target PE file that is infected, or suspected of being infected, by a virus;
A clean file download unit, configured to download a file from the download address of the clean file provided by the server.
14. The file security processing system according to claim 11, further comprising a plurality of probe devices based on the cloud computing environment, the probe devices being connected to the server,
The probe device comprises:
A file information receiving module, configured to receive the related file information of the target PE file sent by the server;
A feature information collection module, configured to collect feature information of the target PE file in the cloud computing environment;
A feature information return module, configured to return the feature information of the target PE file to the server.
CN201110008701.6A 2011-01-17 2011-01-17 Secure file processing method, equipment and system CN102592103B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110008701.6A CN102592103B (en) 2011-01-17 2011-01-17 Secure file processing method, equipment and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110008701.6A CN102592103B (en) 2011-01-17 2011-01-17 Secure file processing method, equipment and system

Publications (2)

Publication Number Publication Date
CN102592103A CN102592103A (en) 2012-07-18
CN102592103B true CN102592103B (en) 2015-04-08

Family

ID=46480722

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110008701.6A CN102592103B (en) 2011-01-17 2011-01-17 Secure file processing method, equipment and system

Country Status (1)

Country Link
CN (1) CN102592103B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101329711A (en) * 2008-07-24 2008-12-24 成都市华为赛门铁克科技有限公司 Method and apparatus for detecting computer file

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100574181C (en) * 2006-05-26 2009-12-23 上海晨兴电子科技有限公司 Mobile phone is received method and the device that data are carried out virus scan and processing
CN101308533A (en) * 2008-06-30 2008-11-19 华为技术有限公司 Method, apparatus and system for virus checking and killing
CN101576834B (en) * 2009-05-08 2012-05-30 西安蓝海本立信息科技有限公司 System and method for protecting continuous data for establishing data view based on time stamp
CN101605074B (en) * 2009-07-06 2012-09-26 中国人民解放军信息技术安全研究中心 Method and system for monitoring Trojan Horse based on network communication behavior characteristic
CN101827096B (en) * 2010-04-09 2012-09-05 潘燕辉 Cloud computing-based multi-user collaborative safety protection system and method

Also Published As

Publication number Publication date
CN102592103A (en) 2012-07-18

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant