Summary of the invention
In view of this, technical problems to be solved in this application have been to provide a kind of Ile repair method and system,Can from backup file storehouse, inquire about according to the attribute information of infected file corresponding backup file, directly replaceInfected file.
In order to solve the problems of the technologies described above, the application provides a kind of Ile repair method, comprising: clientDetermine by malicious code and infect the infected file forming, and obtain the attribute information of described infected file; DescribedClient sends the attribute information of described infected file and inquires about and obtain Query Result to server, described inQuery Result comprises the attribute information of at least one backup file of described server collection, described backup fileCorresponding with described infected file; Described client is according to the attribute information of described infected file, from described inquiryIn result, hit the backup file of coupling, and from described server, extract and download described backup file to replaceFor described infected file.
Further, the attribute information of described infected file comprises: the corresponding order of depositing of described infected fileBasic operating system attribute information, the described infected file correspondence of record attribute information and the operation of described infected fileBrowser attribute information corresponding to file name information, described infected file, the benefit that described infected file is correspondingThe timestamp of fourth package informatin, described infected file.
Further, the attribute information that described client sends described infected file in server to look intoAsk and obtain Query Result, comprising: the attribute information that sends described infected file is to looking into of configuring in serverAsk interface; By the query interface configuring in described server, the backup file information in described serverIn storehouse, inquire about and obtain Query Result, in described backup file information bank, store service packs information listWith the list of browser data packet information.
Further, the attribute information that described client sends described infected file is inquired about also to serverObtain Query Result, comprising: judge that according to the attribute information of described infected file whether described infected file isThe executable file relevant to operating system, if so, the backup file information bank in described serverIn inquire about and obtain corresponding Query Result; Otherwise, return to the result that inquiry is failed.
Further, judge that according to the attribute information of described infected file whether described infected file is and operationThe executable file that system is relevant, comprising: according to storing directory attribute information corresponding to described infected file andSigning messages in the basic operating system attribute information of described infected file operation determines whether and operatesThe executable file that system is relevant, the attribute information of described infected file comprises the corresponding of described infected fileThe basic operating system attribute information of storing directory attribute information and the operation of described infected file.
Further, if described infected file is the executable file relevant to operating system, described visitorFamily end sends the attribute information of described infected file and inquires about and obtain Query Result to server, comprising:According to the attribute information of described infected file, it is right from the backup file information bank of described server, to inquire about respectivelyAnswer service packs information list and the list of browser data package informatin of described backup file; Wherein, described backupThe service packs information list of file and the list of browser data package informatin comprise: the literary composition that described backup file is correspondingIt is basic that part name information, the storing directory attribute information that described backup file is corresponding, described backup file moveOperating system attribute information, the browser attribute information that described backup file is corresponding, described backup file correspondenceService packs information; Wherein, the attribute information of described infected file comprises: the literary composition that described infected file is correspondingIt is basic that part name information, the storing directory attribute information that described infected file is corresponding, described infected file moveOperating system attribute information, the browser attribute information that described infected file is corresponding, described infected file correspondenceService packs information.
Further, if only inquire corresponding described backup in the backup file information bank of described serverThe service packs information list of file, the attribute information that described client sends described infected file is to serverInquire about and obtain Query Result, comprising: according to the timestamp of described infected file and described service packs letterThe timestamp of the corresponding described backup file of breath list, generates the of list directory in described service packs information listOne catalogue relevance weight, determines the corresponding institute of described service packs information list according to the first catalogue relevance weightState the correspondence of backup file and described infected file, so as described server inquire about and obtain and underCarry corresponding described backup file, the attribute information of described infected file comprises the timestamp of described infected file.
Further, described client is according to the attribute information of described infected file, from described Query ResultHit the backup file matching with self, and from described server, download backup file to substitute described senseDye file, comprising: select in described service packs information list corresponding according to described the first catalogue relevance weightCandidate list catalogue generate download address, download corresponding from described server according to this download address clientDescribed backup file corresponding to candidate list catalogue, described backup corresponding to corresponding candidate list catalogue is civilianPart leaves in the backup service packs of described server.
Further, if only inquire corresponding described backup in the backup file information bank of described serverThe browser data package informatin list of file, the attribute information that described client sends described infected file arrivesQuery Result is inquired about and obtained to server, comprising: according to the timestamp of described infected file and described clearThe timestamp of the corresponding described backup file of the device packet information list of looking at, generates described browser data package informatinIn list, the second catalogue relevance weight of list directory, determines described clear according to the second catalogue relevance weightThe correlation of looking at the corresponding described backup file of device packet information list and described infected file, so that describedCorresponding described backup file is inquired about and obtain and downloaded to server.
Further, described client is according to the attribute information of described infected file, from described Query ResultHit the backup file matching with self, and from described server, download backup file to substitute described senseDye file, comprising: select the list of described browser data package informatin according to described the second catalogue relevance weightThe candidate list catalogue of middle correspondence generates download address, according to this download address client from described serverCarry corresponding described backup file corresponding to candidate list catalogue, corresponding candidate list catalogue corresponding described inBackup file leaves in the backup browser packet of described server.
Further, if all inquire corresponding described backup in the backup file information bank of described serverThe service packs information list of file and the list of browser data package informatin, described client sends described infectionQuery Result is inquired about and obtained to the attribute information of file to server, comprising: according to described infected fileThe timestamp of timestamp and the corresponding described backup file of described service packs information list, generate described service packsThe first catalogue relevance weight of list directory calculate first of described service packs information list in information listList relevance weight; According to the timestamp of described infected file and the list pair of described browser data package informatinTimestamp that should described backup file, generates second of list directory in the list of described browser data package informatinCatalogue relevance weight is also calculated the second list relevance weight of described browser data package informatin list; RootAccording to the first list relevance weight of described service packs information list and the list of described browser data package informatinThe second list relevance weight, selects candidate's download list as Query Result.
Further, described client is according to the attribute information of described infected file, from described Query ResultHit the backup file of coupling, and from described server, download backup file to substitute described infected file,Comprise: select candidate list catalogue corresponding in described candidate's download list to generate download address, according under thisSet address client is downloaded described backup file corresponding to corresponding candidate list catalogue from described server, rightThe described backup file corresponding to candidate list catalogue of answering leaves in service packs and browser data bag, described inBackup service packs and backup browser packet are stored in the backup file storehouse of described server.
Further, the candidate list catalogue of described correspondence is: in described candidate's download list, described in correspondenceThe timestamp of backup file equals the equal list directory of timestamp of described infected file; Or, described rightThe candidate list catalogue of answering is: in described candidate's download list, described in the timestamp of described backup file is greater thanThe list directory of the timestamp of infected file.
Further, the candidate list catalogue of described correspondence is: in described candidate's download list, described in correspondenceThe timestamp of backup file equals the list directory of the timestamp of described infected file, and according to the version of fileNumber judge that described backup file corresponding to described candidate list catalogue is as formal version.
Further, if all do not inquire corresponding described standby in the backup file information bank of described serverService packs information list and the list of browser data package informatin of part file, described client sends described senseDye the attribute information of file and inquire about and obtain Query Result to server, comprising: obtain deposit described standbyThe raw data packets of part file initial data; By the timestamp of backup file described in described server early than instituteState the raw data packets of timestamp of infected file as Query Result, described in described raw data packets is stored inIn the backup file storehouse of server.
Further, described client is according to the attribute information of described infected file, from described Query ResultHit the backup file matching with self, and from described server, download backup file to substitute described senseDye file, comprising: according to the timestamp of backup file described in raw data packets in described server early than instituteState infected file timestamp raw data packets generate download address, according to this download address client from instituteState server and download described backup file to replace described infected file.
In order to solve the problems of the technologies described above, the application also provides a kind of file repair system, comprising: clientEnd and server, described client infects for determining by malicious code the infected file forming, and obtains instituteState the attribute information of infected file, and the attribute information that sends described infected file is inquired about also to serverObtain Query Result, described Query Result comprises the attribute of at least one backup file of described server collectionInformation, described backup file is corresponding with described infected file; Described client is according to the genus of described infected fileProperty information, from described Query Result, choose and mate described backup file, and carrying from described serverGet and download to substitute described infected file.
Further, described server comprises: query interface, and for receiving the described infected file of transmissionAttribute information; Backup file information bank, for preserving the information of backup file, to determine and described infection literary compositionThe backup file of part coupling.
Further, described server comprises: download interface, choose from described Query Result for basisThe backup file matching with self generate download chained address; Download unit, for according to described chainThe backup file of coupling is downloaded to replace described infection literary composition in ground connection location from the backup file storehouse of described serverPart.
Compared with existing scheme, the technique effect that the application obtains: according to the attribute information of infected fileFrom backup file storehouse, inquire about corresponding backup file, directly replace infected file, thereby avoided existing skillFile reparation in art need to be made fail-safe software, and cannot thoroughly repair the defect of infected file.
Detailed description of the invention
To coordinate graphic and embodiment to describe the application's embodiment in detail below, by this to the application asThe implementation procedure that what application technology means solves technical problem and reaches technology effect can fully understand and according to thisImplement.
As shown in Figure 1, be the Ile repair method schematic flow sheet of the embodiment of the present invention one, the present embodiment isFor the service packs letter that only inquires corresponding described backup file in the backup file information bank of described serverThe situation of breath list, particularly, this Ile repair method comprises:
Step 101, client are determined the infected file that is infected formation by malicious code, and obtain described infection literary compositionThe attribute information of part;
Described infected file comprises executable file, such as this executable file can be windowsvista systemThe undefined executable file of uniting. Described executable file comprises Portable executable file (PortableExecutable, PE), new executable file (NewExecutable, NE) or linearity can carry out literary compositionPart (LinearExecutable, LE). Wherein, Portable executable file PE comprise DLL, EXE,FON, OCX, LIB and part sys file, new executable file NE type has comprised .exe .dll .drvWith the file of .fon Four types, linear executable file LE comprises vxd file.
The attribute information that step 102, described client send described infected file is to the inquiry configuring in serverInterface, judges according to the attribute information of described infected file whether described infected file is relevant to operating systemExecutable file; If so, perform step 103; Otherwise, return to the result that inquiry is failed;
In the present embodiment, in step 102, determine whether that system executable file can specifically pass through this sideFormula realizes: according to the operation of storing directory attribute information corresponding to described infected file and described infected fileSigning messages in basic operating system attribute information determines whether the carried out literary composition relevant to operating systemPart, the attribute information of described infected file comprise described infected file corresponding storing directory attribute information andThe basic operating system attribute information of described infected file operation.
Step 103, backup file letter by the query interface that configures in described server in described serverIn breath storehouse, according to the attribute information of described infected file difference from the backup file information bank of described serverInquire about service packs information list and the list of browser data package informatin of corresponding described backup file;
Wherein, because infected file may be the file in service packs, may be also the literary composition in browser dataPart, therefore, in order to improve the efficiency of inquiry, stores service packs information row in described backup file information bankTable and browser data information list, like this, in the time of inquiry, first can be in these packet information listsWhether middle inquiry has the attribute information of the backup file mating with infected file, such as for windowsvistaThe all clear and definite classification of the service packs of system and each version of browser data bag, therefore, are also convenient to set up thisThe information list of a little packets;
Wherein, the service packs information list of described backup file and the list of browser data package informatin comprise: instituteState the file name information that backup file is corresponding, storing directory attribute information that described backup file is corresponding, described inBrowser attribute information that basic operating system attribute information, the described backup file of backup file operation are corresponding,The service packs information that described backup file is corresponding, these information can be referred to as the attribute information of described backup file;
Wherein, the attribute information of described infected file comprises: file name information that described infected file is corresponding,The basic operating system of the storing directory attribute information that described infected file is corresponding, the operation of described infected file belongs toProperty information, the browser attribute information that described infected file is corresponding, service packs letter that described infected file is correspondingBreath.
If step 104 only inquires corresponding described backup literary composition in the backup file information bank of described serverThe service packs information list of part, using this service packs information list as Query Result, according to described infected fileThe timestamp of timestamp and the corresponding described backup file of described service packs information list, generate described service packsThe first catalogue relevance weight of each list directory of information list, true according to the first catalogue relevance weightThe correspondence of the corresponding described backup file of fixed described service packs information list and described infected file, so that in instituteState server and inquire about and obtain and download corresponding described backup file, the attribute letter of described infected fileBreath comprises the timestamp of described infected file;
In the present embodiment, using timestamp as infected file and the judgment standard of described backup file correlation,Such as, if in full accord with the timestamp of described infected file, can give described service packs information listIn this list directory compose with the first the highest catalogue relevance weight, and time of other and described infected fileStab inconsistently, visual timestamp is successively composed with other the first less catalogue relevance weight.
Step 105, select in described service packs information list according to described the first catalogue relevance weight correspondingCandidate list catalogue generates download address, downloads corresponding according to this download address client from described serverThe described backup file that candidate list catalogue is corresponding, corresponding described backup file corresponding to candidate list catalogueLeave in service packs.
As previously mentioned, in full accord with the timestamp of described infected file, can give described service packs informationIn list, this list directory is composed with the first the highest catalogue relevance weight, and this first the highest catalogue is relevantProperty weight as corresponding candidate list catalogue, generate corresponding download ground according to corresponding candidate list catalogueLocation.
In the present embodiment, if stabbing identical backup file, life period only has one, the time of described correspondenceSelecting list directory is the list order that the timestamp of described infected file and the timestamp of described backup file equateRecord, this list directory has the first the highest catalogue relevance weight. If there is no the equal feelings of timestampCondition, timestamp that the candidate list catalogue of described correspondence is described infected file is less than described backup fileThe list directory that timestamp is equal, this list directory has the first the highest catalogue relevance weight, this feelingsCondition may be owing to having beaten up-to-date service packs in client, and this latest patch bag and relevant information thereof are notBe collected on server.
In an other embodiment, if life period is stabbed two identical backup files, described correspondenceCandidate list catalogue is: the list that the timestamp of described infected file equates with the timestamp of described backup fileCatalogue and be judged to be the described backup file of official release according to the version number of described backup file. Why wantWith the version number of backup file, reason is that the beta version of backup file also may be collected in server,Beta version or formal version and just can judge described backup file by the version number of backup file, fromAnd the described backup file of only downloading formal version is to substitute infected file.
As shown in Figure 2, be the Ile repair method schematic flow sheet of the embodiment of the present invention two, the present embodiment isFor only in the backup file information bank of described server, inquire the browser of corresponding described backup fileThe situation of packet information list, particularly, this Ile repair method comprises:
Step 201, client are determined the infected file that is infected formation by malicious code, and obtain described infection literary compositionThe attribute information of part;
This step is similar to the step 101 in above-described embodiment one, does not repeat them here.
The attribute information that step 202, described client send described infected file is to the inquiry configuring in serverInterface, judges according to the attribute information of described infected file whether described infected file is relevant to operating systemExecutable file; If so, perform step 203; Otherwise, return to the result that inquiry is failed;
This step is similar to the step 102 in above-described embodiment one, does not repeat them here.
Step 203, backup file letter by the query interface that configures in described server in described serverIn breath storehouse, according to the attribute information of described infected file difference from the backup file information bank of described serverInquire about service packs information list and the list of browser data package informatin of corresponding described backup file;
This step is similar to the step 103 in above-described embodiment one, does not repeat them here.
If step 204 only inquires corresponding described backup literary composition in the backup file information bank of described serverThe browser data package informatin list of part, according to the timestamp of described infected file and described browser data bagThe timestamp of the corresponding described backup file of information list, generates each in the list of described browser data package informatinThe second catalogue relevance weight of bar list directory, determines described browser according to the second catalogue relevance weightThe correlation of the corresponding described backup file of packet information list and described infected file, so that in described serviceCorresponding described backup file is inquired about and obtain and downloaded to device, and the attribute information of described infected file comprisesThe timestamp of described infected file;
The determination methods of step 104 in similar above-described embodiment one, in the present embodiment, using timestamp as senseDye the judgment standard of file and described backup file correlation, such as, if the browser data bag inquiringIn information list, in full accord with the timestamp of described infected file, can give described browser data letterIn breath list, this list directory is composed with the first the highest catalogue relevance weight, and other and described infected fileTimestamp inconsistent, visual timestamp is successively composed with its first less catalogue relevance weight.
Step 205, select in the list of described browser data package informatin according to described the second catalogue relevance weightCorresponding candidate list catalogue generates download address, and client is downloaded from described server according to this download addressCorresponding described backup file corresponding to candidate list catalogue, corresponding described standby of corresponding candidate list cataloguePart file leaves in browser data bag.
As previously mentioned, in full accord with the timestamp of described infected file, can give described service packs informationIn list, this list directory is composed with the first the highest catalogue relevance weight, and this first the highest catalogue is relevantProperty weight as corresponding candidate list catalogue, generate corresponding download ground according to corresponding candidate list catalogueLocation.
In the present embodiment, in described service packs information list, if the identical backup file of timestamp only has oneIndividual, the candidate list catalogue of described correspondence is: in the list of described browser data package informatin, described in correspondenceThe list directory that the timestamp of backup file is identical with the timestamp of described infected file, this list directory hasThe first the highest catalogue relevance weight. If there is no the identical situation of timestamp, the time of described correspondenceSelecting list directory is the equal list order of timestamp that the timestamp of described infected file is less than described backup fileRecord, this list directory has the first the highest catalogue relevance weight, and this situation may be due in clientOn beaten up-to-date service packs, and this latest patch bag and relevant information thereof are not collected in service timelyOn device.
In an other embodiment, if life period is stabbed two identical backup files, described correspondenceCandidate list catalogue is: in the list of described browser data package informatin, and the timestamp of corresponding described backup fileThe list directory identical with the timestamp of described infected file, and judge according to the version number of described backup fileDescribed backup file corresponding to this candidate list catalogue is formal version. Use the version number of backup file, reasonThe beta version that is backup file also may be collected in server, and just can by the version number of fileJudging described backup file is beta version or formal version, thereby only downloads the described backup file of formal versionTo substitute infected file.
As shown in Figure 3, be the Ile repair method schematic flow sheet of the embodiment of the present invention three, the present embodiment isFor in the backup file information bank of described server, all inquire the browser of corresponding described backup fileThe situation of packet information list and service packs information list, Ile repair method comprises:
Step 301, client are determined the infected file that is infected formation by malicious code, and obtain described infection literary compositionThe attribute information of part;
This step is similar to the step 101 in above-described embodiment one, does not repeat them here.
The attribute information that step 302, described client send described infected file is to the inquiry configuring in serverInterface, judges according to the attribute information of described infected file whether described infected file is relevant to operating systemExecutable file; If so, perform step 303; Otherwise, return to the result that inquiry is failed;
This step is similar to the step 102 in above-described embodiment one, does not repeat them here.
In the present embodiment, in step 302, determine whether that the executable file relevant to operating system can toolBody is realized in this way: according to storing directory attribute information corresponding to described infected file and described senseThe signing messages dying in the basic operating system attribute information of running paper determines whether and operating system phaseThe executable file closing, the attribute information of described infected file comprises the corresponding order of depositing of described infected fileThe basic operating system attribute information of record attribute information and the operation of described infected file.
Step 303, backup file letter by the query interface that configures in described server in described serverIn breath storehouse, according to the attribute information of described infected file difference from the backup file information bank of described serverInquire about service packs information list and the list of browser data package informatin of corresponding described backup file;
This step is similar to the step 103 in above-described embodiment one, does not repeat them here.
If step 304 all inquires corresponding described backup literary composition in the backup file information bank of described serverThe service packs information list of part and the list of browser data package informatin, according to the timestamp of described infected fileWith the timestamp of the corresponding described backup file of described service packs information list, generate described service packs information listThe first catalogue relevance weight of each list directory first list of calculating described service packs information listRelevance weight;
Step 305, according to the timestamp of described infected file institute corresponding to the list of described browser data package informatinState the timestamp of backup file, generate of each article of list directory in the list of described browser data package informatinTwo catalogue relevance weight are also calculated the second list relevance weight of described browser data package informatin list;
Between step 304 and step 305, there is no absolute sequential relationship, these two steps can any oneFormerly carry out and another one in rear execution, or two simultaneously carry out.
Step 306, according to the first list relevance weight of described service packs information list and described browser numberAccording to the second list relevance weight of package informatin list, select candidate's download list as Query Result.
From step 304 and 305, in service packs information list and in the list of browser data package informatinInquire the attribute information that has backup file, i.e. backup file pair in backup file storehouse on server simultaneouslyIn the service packs of answering and browser data bag, have the backup file of replaceable infected file simultaneously. For thisThe situation of kind, in order to download the backup file mating the most with infected file from server, needs according to everyThe relevance weight of individual data the package list, i.e. the first list relevance weight of service packs information list and browsingThe second list relevance weight of device packet information list comprehensively judges, is standby from server to determineIn part library, select under backup file in backup file or the browser information bag in service packs carries outCarry.
For example, if the first list associated weight is greater than the second list associated weight, show service packs informationList and infected file correlation are larger, and browser data package informatin and infected file correlation are less. ThisTime, taking service packs information list as candidate's download list, this candidate's download list is as Query Result. Otherwise,, taking the list of browser data package informatin as candidate's download list, this candidate's download list is as Query Result.
Step 307, select in described candidate's download list corresponding candidate list catalogue to generate download address, rootDownload described backup literary composition corresponding to corresponding candidate list catalogue according to this download address client from described serverPart, corresponding described backup file corresponding to candidate list catalogue leaves backup service packs and backup browser inIn packet, described backup service packs and backup browser packet are stored in the backup file of described serverIn storehouse, described correlation comprises described the first catalogue relevance weight and described the second catalogue relevance weight.
In the present embodiment, for candidate's download list, it may comprise multiple list directories, and eachList directory can correspond to a backup file, and therefore, the candidate list catalogue of described correspondence is instituteState in candidate's download list, the timestamp of corresponding described backup file is identical with the timestamp of described infected fileList directory; Or, if life period is not stabbed identical backup file, the candidate list of described correspondenceCatalogue is: in described candidate's download list, the timestamp of corresponding described backup file is greater than described infected fileThe list directory of timestamp.
In an other embodiment, if life period is stabbed two identical backup files, described correspondenceCandidate list catalogue is: in described candidate's download list, and the timestamp of corresponding described backup file and described senseDye the identical list directory of timestamp of file, and judge this candidate's row according to the version number of described backup fileDescribed backup file corresponding to entry record is formal version. By version number to distinguish beta version or formalVersion, thus the described backup file of only downloading formal version is to substitute infected file.
As shown in Figure 4, for the Ile repair method of the embodiment of the present invention four is pressed flow chart. The present embodiment is pinTo in the backup file information bank of described server, all do not inquire the browser of corresponding described backup fileThe situation of packet information list and service packs information list, particularly, this Ile repair method comprises:
Step 401, client are determined the infected file that is infected formation by malicious code, and obtain described infection literary compositionThe attribute information of part;
This step is similar to the step 101 in above-described embodiment one, does not repeat them here.
The attribute information that step 402, described client send described infected file is to the inquiry configuring in serverInterface, judges according to the attribute information of described infected file whether described infected file is relevant to operating systemExecutable file; If so, perform step 403; Otherwise, return to the result that inquiry is failed;
This step is similar to the step 101 in above-described embodiment one, does not repeat them here.
In the present embodiment, in step 402, determine whether that system executable file can specifically pass through this sideFormula realizes: according to the operation of storing directory attribute information corresponding to described infected file and described infected fileSigning messages in basic operating system attribute information determines whether the carried out literary composition relevant to operating systemPart, the attribute information of described infected file comprise described infected file corresponding storing directory attribute information andThe basic operating system attribute information of described infected file operation.
Step 403, backup file letter by the query interface that configures in described server in described serverIn breath storehouse, according to the attribute information of described infected file difference from the backup file information bank of described serverInquire about service packs information list and the list of browser data package informatin of corresponding described backup file;
This step is similar to the step 103 in above-described embodiment one, does not repeat them here.
If step 404 does not all inquire corresponding described backup in the backup file information bank of described serverThe service packs information list of file and the list of browser data package informatin, obtain that to deposit described backup file formerThe raw data packets of beginning data, and by the timestamp of backup file described in described server early than described infectionThe raw data packets of the timestamp of file is as Query Result, and described raw data packets is stored in described serverBackup file storehouse in;
Step 405, according to the timestamp of backup file described in raw data packets in described server early than describedThe raw data packets of the timestamp of infected file generates download address, according to this download address client from describedServer is downloaded described backup file to replace described infected file.
In the present embodiment, for raw data packets, if stabbing identical backup file, life period only hasOne, the candidate list catalogue of described correspondence is: in described candidate's download list, and corresponding described backup literary compositionThe list directory that the timestamp of part equates with the timestamp of described infected file; Or, the candidate of described correspondenceList directory is: in described candidate's download list, the timestamp of described backup file is greater than described infected fileThe list directory of timestamp.
In an other embodiment, for raw data packets, if life period stab identical two standbyPart file, the candidate list catalogue of described correspondence is: in described candidate's download list, corresponding described backupThe list directory that the timestamp of file is identical with the timestamp of described infected file, and according to described backup fileVersion number judge that described backup file corresponding to this candidate list catalogue is as formal version.
As shown in Figure 5, specifically apply and show for the present invention only inquires one of backup file from service packs listIntention. The infected formation infected file of mshtml.dll file in client under system32 storing directory,In order to replace this infected file mshtml.dll, it is relevant that client is collected relevant this infected file mshtml.dllAttribute information, as the filename filename:mshtml.dll of infected file mshtml.dll, reflects this infection literary compositionThe basic operating system information of part mshtml.dll operation, as version number [osver=6.1.7600.256.1.0], infectsThe storing directory information [PATH=System32] of file mshtml.dll by these and this infected fileThe relevant attribute information of mshtml.dll sends in the backup file information bank of server and inquires about, as Fig. 3Shown in, be the Query Result generating according to the relevant attribute information of infected file mshtml.dll, this Query ResultForm with Query List presents, and has altogether 5 list directories, and these list directories are all to list under candidateEntry record, in Fig. 5, first row represents the windowsvista signing messages in basic operating system information, theTwo lists are shown there being backup file service packs information, corresponding one of each windowsvista signing messagesService packs information in list directory; Calculate the method for relevance weight according to timestamp, learn in Fig. 5 the 4thComplete with the timestamp of infected file mshtml.dll with timestamp 20100810 corresponding in 5 list directoriesUnanimously. Thus, known, learn two candidate's download list catalogues by service packs information list, still,Known by version number, the version number in the 4th article and 5 articles of list directories is " 8.0.7600.16625 "" 8.0.7600.20745 ", learns, the 4th article of backup file that list directory is corresponding is beta version, and the 5thThe backup file that bar list directory is corresponding is formal version. Therefore, stab with fileversion number and obtain by generalized timeKnow that the 5th article of list directory is corresponding candidate's download directory, the candidate candidate download directory corresponding according to this:
PATCH_CN/win7/20100810/Windows6.1-KB2183461-x86/x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_8.0.7600.20745_none_2e889224137c30 85。
According to above-mentioned candidate's download directory, generate download address, to download the backup literary composition of replaceable infected filePart mshtml.dll:
http://dsys.360.cn/PATCH_CN/win7/20100810/Windows6.1-KB2183461-x86/x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_8.0.7600.20745_none_2e889224137c3085/mshtml.dll.cab。
As shown in Figure 6, be the structural representation of embodiment of the present invention file repair system, this system comprises:Client 601 and server 602, described client 601 infects for determining by malicious code the infection formingFile, and obtain the attribute information of described infected file, and the attribute information that sends described infected file is to clothesQuery Result is inquired about and obtained to business device 602, and described Query Result comprises what described server 602 was collectedThe attribute information of at least one backup file, described backup file is corresponding with described infected file; Described clientEnd 601, according to the attribute information of described infected file, is chosen the backup file of coupling from described Query Result,And from described server 602, extract and download to substitute described infected file.
In this enforcement, described server 602 comprises:
Query interface 612, for receiving the attribute information of described infected file of transmission;
Backup file information bank 622, for preserving the information of backup file, to determine and described infected fileThe backup file of joining.
In the present embodiment, described server can also comprise:
Download interface 632, for generating and download according to the backup file of the coupling of choosing from described Query ResultChained address;
Download unit 642, right for downloading from the backup file storehouse of described server according to described chained addressThe backup file of answering is to replace described infected file.
Compared with existing scheme, the technique effect that the application obtains: according to the attribute information of infected fileFrom backup file storehouse, inquire about corresponding backup file, directly replace infected file, thereby avoided existing skillFile reparation in art need to be made fail-safe software, and cannot thoroughly repair the defect of infected file.
Those skilled in the art should understand, the application's embodiment can be provided as method, system or meterCalculation machine program product. Therefore, the application can adopt complete hardware implementation example, completely implement software example or knotClose the form of the embodiment of software and hardware aspect. And the application can adopt at one or more wherein bagsThe computer-usable storage medium that contains computer usable program code (include but not limited to magnetic disc store,CD-ROM, optical memory etc.) form of the upper computer program of implementing.
Above-mentioned explanation illustrates and has described some preferred embodiments of the application, but as previously mentioned, is to be understood thatThe application is not limited to disclosed form herein, should not regard the eliminating to other embodiment as, and canFor various other combinations, amendment and environment, and can be in invention contemplated scope described herein, by upperStating technology or the knowledge of instruction or association area changes. And the change that those skilled in the art carry out and variationDo not depart from the application's spirit and scope, all should be in the protection domain of the application's claims.