Summary of the invention
In view of this, the technical problem to be solved by the present application is to provide a file repair method and system that can locate the backup file package containing the backup file, so that the backup file can be downloaded to replace the infected file.
To solve the above technical problem, the present application provides a file repair method, comprising: a client determines an infected file formed by infection with malicious code and obtains attribute information of the infected file; the client sends the attribute information of the infected file to a server to query and obtain a query result, the query result comprising attribute information of at least one associated backup file collected by the server; and the client, according to the attribute information of the infected file, identifies in the query result the associated backup file that matches the infected file, determines the matching backup file package, and extracts and downloads the backup file from the matching backup file package on the server to replace the infected file, the associated backup file and the backup file being stored in the same backup file package.
Further, the attribute information of the infected file comprises: storage directory attribute information of the infected file, attribute information of the base operating system on which the infected file runs, file name information of the infected file, browser attribute information corresponding to the infected file, service pack information corresponding to the infected file, and the timestamp of the infected file.
Further, the client sending the attribute information of the infected file to the server to query and obtain a query result further comprises: sending the attribute information of the infected file to a query interface configured on the server; and querying, through the query interface configured on the server, the backup file information database on the server to obtain the query result, the backup file information database storing a service pack information list and a browser data package information list.
Further, the client sending the attribute information of the infected file to the server to query and obtain a query result comprises: judging, according to the attribute information of the infected file, whether the infected file is an executable file related to the operating system; if so, querying the backup file information database on the server to obtain the corresponding query result; otherwise, returning a query-failed result.
Further, judging, according to the attribute information of the infected file, whether the infected file is an executable file related to the operating system comprises: determining whether the file is an executable file related to the operating system according to the storage directory attribute information of the infected file and the signature information in the attribute information of the base operating system on which the infected file runs, the attribute information of the infected file comprising the storage directory attribute information of the infected file and the attribute information of the base operating system on which the infected file runs.
Further, if the infected file is an executable file related to the operating system, the client sending the attribute information of the infected file to the server to query and obtain a query result comprises: querying, according to the attribute information of the infected file, the backup file information database of the server for the service pack information list and for the browser data package information list of the corresponding associated backup file. The service pack information list and the browser data package information list of the associated backup file each include: file name information of the associated backup file, storage directory attribute information of the associated backup file, attribute information of the base operating system on which the associated backup file runs, browser attribute information corresponding to the associated backup file, and service pack information corresponding to the associated backup file. The attribute information of the infected file comprises: file name information of the infected file, storage directory attribute information of the infected file, attribute information of the base operating system on which the infected file runs, browser attribute information corresponding to the infected file, and service pack information corresponding to the infected file.
Further, if only the service pack information list of the corresponding associated backup file is found in the backup file information database of the server, the client sending the attribute information of the infected file to the server to query and obtain a query result comprises: generating, according to the timestamp of the infected file and the timestamp of the associated backup file corresponding to the service pack information list, a first entry relevance weight for the list entries in the service pack information list; and generating, according to the first entry relevance weight, the correspondence between the associated backup file corresponding to the service pack information list and the infected file, so that the corresponding backup file can be queried, obtained and downloaded from the server, the attribute information of the infected file comprising the timestamp of the infected file.
Further, the client, according to the attribute information of the infected file, identifying in the query result the associated backup file that matches the infected file, determining the matching backup file package, and downloading the backup file from the matching backup file package on the server to replace the infected file comprises: selecting, according to the first entry relevance weight, the corresponding candidate list entry in the service pack information list and generating a download address from it, the client downloading the corresponding backup file from the server according to this download address, wherein the corresponding associated backup file and the backup file are stored in association in the same backup service pack on the server.
Further, if only the browser data package information list of the corresponding associated backup file is found in the backup file information database of the server, the client sending the attribute information of the infected file to the server to query and obtain a query result comprises: generating, according to the timestamp of the infected file and the timestamp of the associated backup file corresponding to the browser data package information list, a second entry relevance weight for the list entries in the browser data package information list; and determining, according to the second entry relevance weight, the relevance between the backup file corresponding to the browser data package information list and the infected file, so that the corresponding backup file can be queried, obtained and downloaded from the server.
Further, the client, according to the attribute information of the infected file, identifying in the query result the backup file that matches it and downloading the backup file from the server to replace the infected file comprises: selecting, according to the second entry relevance weight, the corresponding candidate list entry in the browser data package information list and generating a download address from it, the client downloading the corresponding backup file from the server according to this download address, the corresponding associated backup file and the corresponding backup file being stored in the same backup browser data package on the server.
Further, if both the service pack information list and the browser data package information list of the corresponding associated backup file are found in the backup file information database of the server, the client sending the attribute information of the infected file to the server to query and obtain a query result comprises: generating, according to the timestamp of the infected file and the timestamp of the associated backup file corresponding to the service pack information list, the first entry relevance weight of the list entries in the service pack information list, and calculating a first list relevance weight of the service pack information list; generating, according to the timestamp of the infected file and the timestamp of the associated backup file corresponding to the browser data package information list, the second entry relevance weight of the list entries in the browser data package information list, and calculating a second list relevance weight of the browser data package information list; and selecting a candidate download list as the query result according to the first list relevance weight of the service pack information list and the second list relevance weight of the browser data package information list.
Further, the client, according to the attribute information of the infected file, identifying in the query result the associated backup file that matches the infected file, determining the matching backup file package, and downloading the backup file from the matching backup file package on the server to replace the infected file, the associated backup file and the backup file being stored in the same backup file package, comprises: selecting a candidate list entry in the candidate download list and downloading from the server the associated backup file corresponding to the candidate list entry, the backup file and the associated backup file corresponding to the candidate list entry being stored in the same backup service pack and the same backup browser data package, and the backup service pack and the backup browser data package being stored in the backup file repository of the server.
Further, the candidate list entry is: the list entry in the candidate download list whose corresponding associated backup file has a timestamp equal to the timestamp of the infected file; or, the corresponding candidate list entry is: the list entry in the candidate download list whose associated backup file has a timestamp greater than the timestamp of the infected file.
Further, the candidate list entry is: the list entry in the candidate download list whose corresponding associated backup file has a timestamp equal to the timestamp of the infected file and for which the backup file corresponding to the candidate list entry is judged, according to the version number of the file, to be a release version.
Further, if neither the service pack information list nor the browser data package information list of the corresponding associated backup file is found in the backup file information database of the server, the client sending the attribute information of the infected file to the server to query and obtain a query result comprises:
obtaining the original data package that stores the original data corresponding to the backup file;
taking, as the query result, the original data package in which the timestamp of the associated backup file on the server is earlier than the timestamp of the infected file, the original data package being stored in the backup file repository of the server.
Further, the client, according to the attribute information of the infected file, identifying in the query result the associated backup file that matches the infected file, determining the matching backup file package, and downloading the backup file from the matching backup file package on the server to replace the infected file comprises: generating a download address from the original data package on the server in which the timestamp of the associated backup file is earlier than the timestamp of the infected file; according to this download address, the client downloads from the server the backup file stored in the same backup file package as the associated backup file, to replace the infected file.
To solve the above technical problem, the present application also provides a file repair system, comprising a client and a server. The client is configured to determine an infected file formed by infection with malicious code, obtain attribute information of the infected file, and send the attribute information of the infected file to the server to query and obtain a query result, the query result comprising attribute information of at least one associated backup file collected by the server. The client, according to the attribute information of the infected file, identifies in the query result the associated backup file that matches the infected file, determines the matching backup file package, and downloads the backup file from the matching backup file package on the server to replace the infected file, the associated backup file and the backup file being stored in the same backup file package.
Further, the server comprises: a query interface, configured to receive the attribute information of the infected file that is sent; and a backup file information database, configured to store information on backup files so as to determine the backup file that is compatible with the infected file.
Further, the server comprises: a download interface, configured to generate a download link address from the associated backup file that is identified in the query result as matching the infected file and from the determined matching backup file package; and a download unit, configured to download, according to the link address, the backup file from the matching backup file package on the server to replace the infected file, the associated backup file and the backup file being stored in the same backup file package on the server.
Compared with existing solutions, the present application achieves the following technical effect: the corresponding associated backup file is queried directly from the backup file repository according to the attribute information of the infected file. Because the associated backup file and the backup file are directly related and both reside in the same backup file package, such as a backup browser data package or a backup service pack, finding the package of the associated backup file also finds the backup file package containing the backup file, and the backup file can then be downloaded to replace the infected file. This avoids the drawbacks of prior-art file repair, which requires dedicated security software to be produced and cannot thoroughly repair the infected file.
Embodiment
The embodiments of the present application are described in detail below with reference to the drawings and examples, so that the process by which the application applies technical means to solve the technical problem and achieve the technical effect can be fully understood and implemented.
In the following embodiments of the present invention, the corresponding associated backup file is queried directly from the backup file repository according to the attribute information of the infected file. Because the associated backup file and the backup file are directly related and both reside in the same backup file package, such as a backup browser data package or a backup service pack, finding the package of the associated backup file also finds the backup file package containing the backup file, and the backup file can then be downloaded to replace the infected file. This avoids the drawbacks of prior-art file repair, which requires dedicated security software to be produced and cannot thoroughly repair the infected file.
Figure 1 is a schematic flowchart of the file repair method of embodiment one of the present invention. This embodiment addresses the case in which only the service pack information list of the corresponding backup file is found in the backup file information database of the server. Specifically, the file repair method comprises:
Step 101, the client determines an infected file formed by infection with malicious code, and obtains the attribute information of the infected file;
The infected file comprises an executable file; for example, the executable file may be an executable file as defined under the Windows Vista system. Executable files include portable executable files (Portable Executable, PE), new executable files (New Executable, NE) and linear executable files (Linear Executable, LE). PE files include DLL, EXE, FON, OCX, LIB and some sys files; the NE type covers four kinds of files, .exe, .dll, .drv and .fon; and LE files include vxd files.
Step 102, the client sends the attribute information of the infected file to the query interface configured on the server, and the server judges, according to the attribute information of the infected file, whether the infected file is an executable file related to the operating system; if so, step 103 is executed; otherwise, a query-failed result is returned;
In this embodiment, determining in step 102 whether the file is a system executable file can be implemented as follows: whether the file is an executable file related to the operating system is determined according to the storage directory attribute information of the infected file and the signature information in the attribute information of the base operating system on which the infected file runs, the attribute information of the infected file comprising the storage directory attribute information of the infected file and the attribute information of the base operating system on which the infected file runs.
Step 103, through the query interface configured on the server, the backup file information database of the server is queried, according to the attribute information of the infected file, for the service pack information list and for the browser data package information list of the corresponding associated backup file;
Because the infected file may be a file in a backup service pack or a file in the backup browser data, the backup file information database stores a backup service pack information list and a backup browser data package information list in order to improve query efficiency. At query time, these package information lists are searched first for attribute information of an associated backup file that matches the infected file. For the Windows Vista system, for example, every version of the service packs and browser data packages is clearly defined, which also makes it easy to build the information lists for these packages. If the attribute information of an associated backup file is found, then, because the associated backup file and the backup file reside in the same backup file package (such as a backup service pack), finding the associated backup file determines which package it is in, and the corresponding backup file can be found accordingly.
The service pack information list and the browser data package information list of the associated backup file comprise: file name information of the associated backup file, storage directory attribute information of the associated backup file, attribute information of the base operating system on which the associated backup file runs, browser attribute information corresponding to the associated backup file, and service pack information corresponding to the associated backup file. These items are referred to collectively as the attribute information of the associated backup file;
The attribute information of the infected file comprises: file name information of the infected file, storage directory attribute information of the infected file, attribute information of the base operating system on which the infected file runs, browser attribute information corresponding to the infected file, and service pack information corresponding to the infected file.
Step 104, if only the service pack information list of the corresponding associated backup file is found in the backup file information database of the server, this service pack information list is taken as the query result, and a first entry relevance weight is generated for each list entry in the service pack information list according to the timestamp of the infected file and the timestamp of the associated backup file corresponding to the service pack information list, to reflect the correspondence between the associated backup file corresponding to the service pack information list and the infected file, the attribute information of the infected file comprising the timestamp of the infected file;
In this embodiment, because only the service pack information list is found, this service pack information list is used directly as the query result. The query result comprises the attribute information of at least one associated backup file collected by the server, such as the file name information of the associated backup file.
In this embodiment, the timestamp is the criterion for judging the relevance between the infected file and the associated backup file. For example, a list entry in the service pack information list whose timestamp is exactly the same as that of the infected file can be assigned the highest first entry relevance weight, and the other entries, whose timestamps differ from that of the infected file, are assigned successively smaller first entry relevance weights depending on their timestamps.
Step 105, the corresponding candidate list entry in the service pack information list is selected according to the first entry relevance weight and a download address is generated from it; the client downloads the corresponding backup file from the server according to this download address, the corresponding associated backup file and the corresponding backup file being stored in the same backup service pack on the server.
The associated backup file corresponding to the candidate list entry in the service pack information list serves as a reference: because the associated backup file and the backup file are stored in the same backup service pack, finding the associated backup file locates the backup service pack containing the backup file, and on that basis the download address of the backup file can be generated.
As described above, a list entry in the service pack information list whose timestamp is exactly the same as that of the infected file can be assigned the highest first entry relevance weight; the entry with this highest first entry relevance weight is taken as the list entry with the greatest relevance, that is, the corresponding candidate list entry, and the corresponding download address is generated from the list entry with the greatest relevance.
In this embodiment, if only one backup file has an identical timestamp, the corresponding candidate list entry is: the list entry in the candidate download list whose corresponding associated backup file has a timestamp equal to the timestamp of the infected file, and this list entry has the highest first entry relevance weight. If no timestamp is equal, the corresponding candidate list entry is: the list entry in the candidate download list whose associated backup file has a timestamp greater than the timestamp of the infected file, and this list entry has the highest first entry relevance weight. This can happen when the latest service pack has been installed on the client but that service pack and its related information have not yet been collected on the server.
In another embodiment, if two backup files have identical timestamps, the list entry with the greatest relevance is: the list entry in the candidate download list whose corresponding associated backup file has a timestamp equal to the timestamp of the infected file and for which the backup file corresponding to the candidate list entry is judged, according to the version number of the file, to be a release version. The version number of the backup file is used because beta versions of the backup file may also have been collected on the server; the version number of the file distinguishes a beta version from a release version, so that only the release version of the backup file is downloaded to replace the infected file.
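The entry selection of steps 104 and 105, including the release-version tie-break, sketched as an added example (this is not code from the patent). The numeric weight values, the rule that a closer timestamp ranks higher within a tier, the "-beta" version suffix, the URL layout and the host backup.example are assumptions, and the sample entries are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import quote


@dataclass(frozen=True)
class ListEntry:
    """One entry of the service pack information list (an associated backup file)."""
    file_name: str
    directory: str
    package: str      # backup service pack that holds the associated backup file
    timestamp: int    # file timestamp, epoch seconds
    version: str


def is_release(version: str) -> bool:
    # Assumption: in this constructed data, beta builds carry a "-beta" suffix.
    return not version.lower().endswith("-beta")


def relevance_weight(infected_ts: int, entry_ts: int) -> float:
    """First entry relevance weight: an identical timestamp ranks highest."""
    delta = abs(entry_ts - infected_ts)
    if delta == 0:
        return 3.0
    closeness = 1.0 / (1.0 + delta)  # in (0, 0.5]; closer timestamps score higher
    # With no equal timestamp, a later entry outranks an earlier one
    # (the client may carry a newer service pack than the server has collected).
    return 1.0 + closeness if entry_ts > infected_ts else closeness


def select_candidate(infected_ts: int, entries: List[ListEntry]) -> Optional[ListEntry]:
    """Return the candidate list entry, or None if no usable entry exists."""
    if not entries:
        return None
    weighted = [(relevance_weight(infected_ts, e.timestamp), e) for e in entries]
    best = max(w for w, _ in weighted)
    top = [e for w, e in weighted if w == best]
    if len(top) == 1:
        return top[0]
    # Several entries share the best timestamp: only a release version is downloaded.
    releases = [e for e in top if is_release(e.version)]
    return releases[0] if releases else None


def download_address(base_url: str, entry: ListEntry) -> str:
    """Build the download address from the package that holds the candidate entry."""
    path = "/".join(quote(part, safe="") for part in (entry.package, entry.file_name))
    return f"{base_url.rstrip('/')}/{path}"


# Constructed sample data: four list entries for the same file name.
SAMPLE_DIR = "C:\\Windows\\System32"
BETA = ListEntry("example.dll", SAMPLE_DIR, "SP1-beta", 1000, "1.0.100-beta")
RELEASE = ListEntry("example.dll", SAMPLE_DIR, "SP1", 1000, "1.0.100")
LATER = ListEntry("example.dll", SAMPLE_DIR, "SP2", 2000, "1.0.200")
EARLIER = ListEntry("example.dll", SAMPLE_DIR, "RTM", 500, "1.0.0")
SAMPLE_ENTRIES = [BETA, RELEASE, LATER, EARLIER]

if __name__ == "__main__":
    infected_timestamp = 1000
    candidate = select_candidate(infected_timestamp, SAMPLE_ENTRIES)
    if candidate is not None:
        print(download_address("https://backup.example/packages", candidate))
```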
Figure 2 is a schematic flowchart of the file repair method of embodiment two of the present invention. This embodiment addresses the case in which only the browser data package information list of the corresponding backup file is found in the backup file information database of the server. Specifically, the file repair method comprises:
Step 201, the client determines an infected file formed by infection with malicious code, and obtains the attribute information of the infected file;
This step is similar to step 101 in embodiment one above and is not described again here.
Step 202, the client sends the attribute information of the infected file to the query interface configured on the server, and whether the infected file is an executable file related to the operating system is judged according to the attribute information of the infected file; if so, step 203 is executed; otherwise, a query-failed result is returned;
This step is similar to step 102 in embodiment one above and is not described again here.
Step 203, through the query interface configured on the server, the backup file information database of the server is queried, according to the attribute information of the infected file, for the service pack information list and for the browser data package information list of the corresponding associated backup file;
This step is similar to step 103 in embodiment one above and is not described again here.
Step 204, if only the browser data package information list of the corresponding associated backup file is found in the backup file information database of the server, a second entry relevance weight is generated for each list entry in the browser data package information list according to the timestamp of the infected file and the timestamp of the associated backup file corresponding to the browser data package information list, to reflect the relevance between the backup file corresponding to the browser data package information list and the infected file, the attribute information of the infected file comprising the timestamp of the infected file;
In this embodiment, because only the browser data package information list is found, this browser data package information list is used directly as the query result. The query result comprises the attribute information of at least one associated backup file collected by the server, such as the file name information of the associated backup file.
The judgment is similar to that of step 104 in embodiment one above. In this embodiment, the timestamp is the criterion for judging the relevance between the infected file and the backup file. For example, a list entry in the queried browser data package information list whose timestamp is exactly the same as that of the infected file can be assigned the highest second entry relevance weight, and the other entries, whose timestamps differ from that of the infected file, are assigned successively smaller second entry relevance weights depending on their timestamps.
Step 205, the corresponding candidate list entry in the browser data package information list is selected according to the second entry relevance weight and a download address is generated from it; the client downloads from the server, according to this download address, the backup file corresponding to the candidate list entry, the associated backup file corresponding to the candidate list entry and the corresponding backup file being stored in the same backup browser data package on the server.
As described above, a list entry in the browser data package information list whose timestamp is exactly the same as that of the infected file can be assigned the highest second entry relevance weight; the entry with this highest second entry relevance weight is taken as the list entry with the greatest relevance, that is, the candidate list entry, and the corresponding download address is generated from the list entry with the greatest relevance.
In this embodiment, in the service pack information list, if only one backup file has an identical timestamp, the candidate list entry is: the list entry in the candidate download list whose corresponding associated backup file has a timestamp equal to the timestamp of the infected file, and this list entry has the highest second entry relevance weight. If no timestamp is equal, the candidate list entry is: the list entry in the candidate download list whose associated backup file has a timestamp greater than the timestamp of the infected file, and this list entry has the highest second entry relevance weight. This can happen when the latest service pack has been installed on the client but that service pack and its related information have not yet been collected on the server.
In an other embodiment, if two backup files that the life period stamp is identical, then the candidate list catalogue of described correspondence is: in described candidate's download list, the timestamp of corresponding described association backup file equals the list directory of the timestamp of described infected file, and judges that according to the version number of file described backup file corresponding to described candidate list catalogue is formal version.Why to use the version number of backup file, reason is that the beta version of backup file also may be collected in the server, and just can judge beta version or formal version by the version number of file, thereby only the described backup file of the formal version of download is to substitute infected file.
Figure 3 is a schematic flowchart of the file repair method of embodiment three of the invention. This embodiment covers the case in which both the browser data package information list and the service pack information list corresponding to the backup file are found in the backup file information base of the server. The file repair method comprises:
Step 301, the client determines an infected file formed by malicious code infection, and obtains the attribute information of the infected file;
This step is similar to step 101 in embodiment one above and is not repeated here.
Step 302, the client sends the attribute information of the infected file to the query interface configured in the server, and whether the infected file is an executable file related to the operating system is judged according to the attribute information of the infected file; if so, step 303 is executed; otherwise, a query-failure result is returned;
This step is similar to step 102 in embodiment one above and is not repeated here.
In this embodiment, the determination in step 302 of whether the file is a system executable file can be implemented as follows: whether the file is an executable file related to the operating system is determined according to the storage directory attribute information corresponding to the infected file and the signature information in the basic operating system attribute information under which the infected file runs. The attribute information of the infected file includes the storage directory attribute information corresponding to the infected file and the basic operating system attribute information under which the infected file runs.
Step 303, through the query interface configured in the server, the service pack information list and the browser data package information list corresponding to the associated backup file are each queried from the backup file information base of the server according to the attribute information of the infected file;
This step is similar to step 103 in embodiment one above and is not repeated here.
Step 304, if both the service pack information list and the browser data package information list corresponding to the associated backup file are found in the backup file information base of the server, then, according to the timestamp of the infected file and the timestamps of the associated backup files corresponding to the service pack information list, the first directory relevance weight of each list directory in the service pack information list is generated and the first list relevance weight of the service pack information list is calculated;
Step 305, according to the timestamp of the infected file and the timestamps of the associated backup files corresponding to the browser data package information list, the second directory relevance weight of each list directory in the browser data package information list is generated and the second list relevance weight of the browser data package information list is calculated;
There is no fixed order between step 304 and step 305: either step may be executed first and the other afterwards, or the two may be executed simultaneously.
Step 306, a candidate download list is selected as the query result according to the first list relevance weight of the service pack information list and the second list relevance weight of the browser data package information list.
From steps 304 and 305 it follows that attribute information of the associated backup file has been found in both the service pack information list and the browser data package information list. Because the associated backup file is directly related to the backup file, it can be determined that, in the backup file library on the server, both the backup service pack and the backup browser data package contain a backup file that can replace the infected file. In this case, in order to download from the server the backup file that best matches the infected file, a combined judgment is made according to the relevance weight of each backup file package list, i.e. the first list relevance weight of the service pack information list and the second list relevance weight of the browser data package information list, to determine whether the backup file in the service pack or the backup file in the browser data package is selected for download from the backup file library of the server.
For example, if the first list relevance weight is greater than the second list relevance weight, the service pack information list is more strongly correlated with the infected file and the browser data package information list is less strongly correlated with it. In this case the service pack information list is taken as the candidate download list, and this candidate download list is the query result. Otherwise, the browser data package information list is taken as the candidate download list, and this candidate download list is the query result.
Step 307, a candidate list directory in the candidate download list is selected and the corresponding backup file is downloaded from the server. The backup file and the associated backup file corresponding to the candidate list directory are stored in the same backup service pack and the same backup browser data package, and the backup service pack and backup browser data package are stored in the backup file library of the server.
In this embodiment, the candidate download list taken as the query result may contain multiple list directories, each of which corresponds to a backup file. Therefore, if only one backup file has an identical timestamp, the candidate list directory is the list directory in the candidate download list whose associated backup file's timestamp equals the timestamp of the infected file; or, if no backup file has an identical timestamp, the candidate list directory is the list directory in the candidate download list whose associated backup file's timestamp is greater than the timestamp of the infected file.
In another embodiment, if two backup files have the same timestamp, the candidate list directory is the list directory in the candidate download list whose associated backup file's timestamp equals the timestamp of the infected file and whose backup file is judged, from the file's version number, to be a formal version. The version number distinguishes a beta version file from a formal version file, which ensures that the downloaded backup file is a formal version file.
Figure 4 is a flowchart of the file repair method of embodiment four of the invention. This embodiment covers the case in which neither the browser data package information list nor the service pack information list corresponding to the backup file is found in the backup file information base of the server. Specifically, the file repair method comprises:
Step 401, the client determines an infected file formed by malicious code infection, and obtains the attribute information of the infected file;
This step is similar to step 101 in embodiment one above and is not repeated here.
Step 402, the client sends the attribute information of the infected file to the query interface configured in the server, and whether the infected file is an executable file related to the operating system is judged according to the attribute information of the infected file; if so, step 403 is executed; otherwise, a query-failure result is returned;
This step is similar to step 101 in embodiment one above and is not repeated here.
In this embodiment, the determination in step 402 of whether the file is a system executable file can be implemented as follows: whether the file is an executable file related to the operating system is determined according to the storage directory attribute information corresponding to the infected file and the signature information in the basic operating system attribute information under which the infected file runs. The attribute information of the infected file includes the storage directory attribute information corresponding to the infected file and the basic operating system attribute information under which the infected file runs.
Step 403, through the query interface configured in the server, the service pack information list and the browser data package information list corresponding to the associated backup file are each queried from the backup file information base of the server according to the attribute information of the infected file;
This step is similar to step 103 in embodiment one above and is not repeated here.
Step 404, if neither the service pack information list nor the browser data package information list corresponding to the backup file is found in the backup file information base of the server, the raw data package storing the raw data corresponding to the backup file is obtained, and the raw data package containing the associated backup file whose timestamp is earlier than the timestamp of the infected file is taken as the query result; the raw data package is stored in the backup file library of the server;
In this embodiment, the attribute information of the raw data package serves as the query result.
Step 405, a download address is generated from the raw data package on the server in which the timestamp of the associated backup file is earlier than the timestamp of the infected file; according to this download address, the client downloads from the server the backup file stored in the same backup file package as the associated backup file, to replace the infected file.
In this embodiment, for the raw data package, if only one backup file has an identical timestamp, the candidate list directory is the list directory in the candidate download list whose associated backup file's timestamp equals the timestamp of the infected file; or, if no backup file has an identical timestamp, the corresponding candidate list directory is the list directory in the candidate download list whose associated backup file's timestamp is greater than the timestamp of the infected file.
In another embodiment, for the raw data package, if two backup files have the same timestamp, the candidate list directory is the list directory in the candidate download list whose associated backup file's timestamp equals the timestamp of the infected file and whose backup file is judged, from the file's version number, to be a formal version.
The following description takes querying a backup file from a backup service pack as an example. An infected file urlmon.dll exists under the client's system storage directory. To find on the server a replacement file that can replace this infected file, the client collects the relevant attribute information of the infected file urlmon.dll, such as basic operating system information (osver=5.1.2600.256.1.2), browser IE information such as the browser version (iever=7), and storage directory information (path=system32). A query is performed in the backup file information base on the server according to this attribute information, and the following query result is obtained. The file names in this query result are the associated backup files directly associated with the infected file urlmon.dll:
SHLWAPI.dll iertutil.dll danim.dll dxtrans.dll extmgr.dll
inseng.dll mstime.dll ieakeng.dll ieaksie.dll iedkcs32.dll
iexplore.exe inetcpl.cpl tdc.ocx vgx.dll winfxdocobj.exe
The timestamp information of the above associated backup files is as follows:
SHLWAPI.dll      20080623233829
iertutil.dll     20070814093358
danim.dll        20080623233822
dxtrans.dll      20070814093534
extmgr.dll       20070814095409
inseng.dll       20070814093900
mstime.dll       20070814095049
ieakeng.dll      20070814093924
ieaksie.dll      20070814093951
iedkcs32.dll     20070814093945
iexplore.exe     20040804140033
inetcpl.cpl      20070814094504
tdc.ocx          20070814093213
vgx.dll          20070626215541
winfxdocobj.exe  20070814094514
The server query also shows that the backup service pack information list containing the above associated backup files is as follows:
patch/winxp/20090211/ie7-windowsxp-kb961260-x86-chs/sp2gdr
patch/winxp/20081210/windowsxp-kb958215-x86-chs/sp2gdr
patch/winxp/20081210/ie7-windowsxp-kb958215-x86-chs/sp2gdr
patch/winxp/20061212/windowsxp-kb925454-x86-chs/sp2gdr
patch/winxp/20090102/ie7/system32
Applying the method of determining the relevance weight by timestamp comparison, only the associated backup files under the list directory patch/winxp/20090102/ie7/system32 have a timestamp, "20090102", that is consistent with the timestamp of the infected file urlmon.dll. This list directory is therefore the directory with the greatest correlation and has the highest first directory relevance weight. A download address is accordingly generated from the hit list directory patch/winxp/20090102/ie7/system32, and patch/winxp/20090102/ie7/system32/urlmon.dll can then be downloaded.
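The candidate selection rules of embodiment three (steps 306 and 307) and the urlmon.dll example above can be sketched as follows. This is an added example, not code from the patent: the Entry type, the function names, the 1/(1+days) weight falloff, the use of the best directory weight as the list weight, the choice of the nearest newer directory, and the release flag standing in for the version number check are all assumptions, and each directory's timestamp is taken from the date component of its path.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass(frozen=True)
class Entry:
    """One list directory returned by the server query."""
    path: str             # list directory, e.g. a backup service pack path
    timestamp: str        # YYYYMMDD timestamp of its associated backup files
    release: bool = True  # assumed flag derived from the file version number


def _days(ts: str) -> int:
    return datetime.strptime(ts, "%Y%m%d").toordinal()


def directory_weight(infected_ts: str, entry: Entry) -> float:
    """Highest weight (1.0) on an exact timestamp match, lower with distance.
    The falloff formula is an assumption; the text only fixes the ordering."""
    return 1.0 / (1 + abs(_days(entry.timestamp) - _days(infected_ts)))


def list_weight(infected_ts: str, entries: List[Entry]) -> float:
    """Assumed list relevance weight: the best directory weight in the list."""
    return max((directory_weight(infected_ts, e) for e in entries), default=0.0)


def select_candidate(infected_ts: str, entries: List[Entry]) -> Optional[Entry]:
    exact = [e for e in entries if e.timestamp == infected_ts]
    if len(exact) == 1:
        return exact[0]
    if exact:
        # Several identical timestamps: only a formal (non-beta) version qualifies.
        return next((e for e in exact if e.release), None)
    # No exact match: fall back to a directory with a greater timestamp.
    # Taking the nearest one is an assumption; the text does not rank them.
    newer = [e for e in entries if _days(e.timestamp) > _days(infected_ts)]
    return min(newer, key=lambda e: _days(e.timestamp), default=None)


def repair_address(infected_ts, filename, service_pack, browser) -> Optional[str]:
    """Pick the candidate download list, then the candidate directory in it."""
    first = list_weight(infected_ts, service_pack)
    second = list_weight(infected_ts, browser)
    chosen = service_pack if first > second else browser
    hit = select_candidate(infected_ts, chosen)
    return f"{hit.path}/{filename}" if hit else None


# Service pack list directories from the worked example in the text.
SERVICE_PACK_LIST = [
    Entry("patch/winxp/20090211/ie7-windowsxp-kb961260-x86-chs/sp2gdr", "20090211"),
    Entry("patch/winxp/20081210/windowsxp-kb958215-x86-chs/sp2gdr", "20081210"),
    Entry("patch/winxp/20081210/ie7-windowsxp-kb958215-x86-chs/sp2gdr", "20081210"),
    Entry("patch/winxp/20061212/windowsxp-kb925454-x86-chs/sp2gdr", "20061212"),
    Entry("patch/winxp/20090102/ie7/system32", "20090102"),
]

if __name__ == "__main__":
    print(repair_address("20090102", "urlmon.dll", SERVICE_PACK_LIST, []))
```

When neither list yields a candidate the function returns None, which corresponds to the case embodiment four handles with the raw data package.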
Figure 5 is a schematic structural diagram of the file repair system of an embodiment of the invention. The system comprises a client 501 and a server 502. The client 501 is used to determine an infected file formed by malicious code infection, obtain the attribute information of the infected file, and send the attribute information of the infected file to the server 502 to query and obtain a query result; the query result includes the attribute information of at least one associated backup file collected by the server 502. According to the attribute information of the infected file, the client 501 hits, in the query result, the associated backup file matching the infected file, determines the matching backup file package, and downloads the backup file in the matching backup file package from the server 502 to replace the infected file; the associated backup file and the backup file are stored in the same backup file package.
In this embodiment, the server 502 comprises:
A query interface 512, for receiving the attribute information of the infected file that is sent;
A backup file information base 522, for storing information about backup files, in order to determine the backup file that matches the infected file.
In this embodiment, the server may further comprise:
A download interface 532, for generating a download link address from the associated backup file hit in the query result as matching the infected file and from the matching backup file package that is determined;
A download unit 542, for downloading, according to the link address, the backup file from the matching backup file package on the server to replace the infected file; the associated backup file and the backup file are stored in the same backup file package on the server.
Those skilled in the art should understand that embodiments of the application may be provided as a method, a system, or a computer program product. Accordingly, the application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The above description illustrates and describes several preferred embodiments of the application. As stated above, however, it should be understood that the application is not limited to the forms disclosed herein, which should not be regarded as excluding other embodiments; it can be used in various other combinations, modifications and environments, and can be changed within the scope of the inventive concept described herein through the above teachings or the technology or knowledge of the related art. Changes and variations made by those skilled in the art that do not depart from the spirit and scope of the application shall all fall within the protection scope of the claims appended to the application.