CN102982284A - Scanning device, cloud management device, and method and system for malicious program detection and removal - Google Patents


Info

Publication number: CN102982284A
Authority: CN (China)
Application number: CN2012105061375A
Language: Chinese (zh)
Other versions: CN102982284B (granted)
Legal status: Granted, active
Inventors: 江爱军, 刘智锋, 孔庆龙, 张波, 姚彤
Current assignee: Beijing Qihoo Technology Co Ltd
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority application: CN201210506137.5A
Related publications: CN102982284B (grant); US14/648,298 / US9830452B2; PCT/CN2013/088196 / WO2014082599A1; US15/823,534 / US20180082061A1

Abstract

The invention discloses a scanning device, a cloud management device, and a method and system for malicious program detection and removal. The cloud management device for malicious program detection and removal comprises a second transmission interface, a first indicator, a first matcher and a second indicator. The first indicator is configured to generate a first scan content indication according to the characteristics of newly emerged malicious programs and the system environment information transmitted by the client device. The first matcher is configured to obtain, through the second transmission interface, the feature data of an unknown program file transmitted by the client device and to match it against the records of known malicious program feature data. The second indicator is configured to generate a second scan content indication when the first matcher fails to match a known record; the second scan content indication requires a scan of specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file, and is transmitted to the client device through the second transmission interface.

Description

Scanning device, cloud management device, and method and system for malicious program detection and removal
Technical field
The present invention relates to the field of network information security technology, and in particular to a scanning device, a cloud management device, and a method and system for malicious program detection and removal.
Background art
Existing methods for detecting and removing malicious programs mostly have a local engine scan a set of built-in scan locations, send features such as the MD5 of program files the local engine cannot identify to a cloud server, and let the cloud server compare the program file features sent by the client to determine whether the file is a malicious program; if it is, the client's local engine removes it according to cleanup logic built into the client. However, in the intense and continuing contest between malicious programs and security software, malware authors keep finding new points in the operating system to exploit and points the security software overlooks, and so bypass the software's detection and removal. After the security vendor obtains a sample of such a program, the local engine usually has to be modified before it can remove the new malicious program; between taking the sample, manual analysis, and pushing a new engine version or program file upgrade to all clients, the malicious program spreads widely.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a scanning device for malicious program detection and removal and a corresponding scanning method, a cloud management device for malicious program detection and removal and a corresponding cloud management method, and a cloud-security-based malicious program scanning system and scanning method, which overcome the above problems or at least partly solve them.
According to one aspect of the present invention, a scanning device for malicious program detection and removal is provided, comprising: a first transmission interface configured to transmit information to a server-side device and to receive information transmitted by the server-side device; an environment information reader configured to read the current system environment information of the client device and to transmit it to the server-side device through the first transmission interface; a first scanner configured to obtain, through the first transmission interface, a first scan content indication that the server-side device has determined at least on the basis of the system environment information, to scan the locations specified in the first scan content indication, and to transmit at least the feature data of the unknown program files found by the scan to the server-side device through the first transmission interface; and a second scanner configured to obtain, through the first transmission interface, a second scan content indication transmitted by the server-side device, the second scan content indication requiring a scan of specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file, and to scan according to the second scan content indication.
According to a further aspect of the invention, a cloud management device for malicious program detection and removal is provided, comprising: a second transmission interface configured to transmit information to a client device and to receive information transmitted by the client device; a first indicator configured to generate a first scan content indication according to the characteristics of newly emerged malicious programs and the system environment information transmitted by the client device, the first scan content indication at least requiring that the content of specified locations be scanned and that the feature data of the unknown program files found be reported, and to transmit the first scan content indication to the client device through the second transmission interface; a first matcher configured to obtain, through the second transmission interface, the feature data of an unknown program file transmitted by the client device and to match it against the records of known malicious program feature data; and a second indicator configured to generate a second scan content indication when the first matcher fails to match a known record, the second scan content indication requiring a scan of specified attributes of the unknown program file and/or specified attributes of its context environment, and to transmit it to the client device through the second transmission interface.
According to another aspect of the invention, a cloud-security-based malicious program scanning system is provided, comprising any of the above scanning devices for malicious program detection and removal and any of the above cloud management devices for malicious program detection and removal.
According to another aspect of the invention, a cloud management method for malicious program detection and removal is provided, comprising: generating a first scan content indication according to the characteristics of newly emerged malicious programs and the system environment information transmitted by a client device, the first scan content indication at least requiring that the content of specified locations be scanned and that the feature data of the unknown program files found be reported, and transmitting the first scan content indication to the client device; obtaining the feature data of an unknown program file transmitted by the client device and matching it against the known malicious program detection and removal database; and, when no known record can be matched on the feature data of the unknown program file, generating a second scan content indication that requires a scan of specified attributes of the unknown program file and/or specified attributes of its context environment, and transmitting the second scan content indication to the client device.
According to another aspect of the invention, a cloud-security-based malicious program scanning method is provided, comprising: the client device reads its current system environment information and transmits it to the server-side device; the server-side device generates a first scan content indication according to the characteristics of newly emerged malicious programs and the system environment information transmitted by the client device, the first scan content indication at least requiring that the content of specified locations be scanned and that the feature data of the unknown program files found be reported, and transmits the first scan content indication to the client device; the client device scans according to the first scan content indication and transmits at least the feature data of the unknown program files found to the server-side device; the server-side device matches the feature data of the unknown program file against the known malicious program detection and removal database; when no known record can be matched on the feature data of the unknown program file, the server-side device generates a second scan content indication that requires a scan of specified attributes of the unknown program file and/or specified attributes of its context environment, and transmits it to the client device; and the client device scans according to the second scan content indication.
It can be seen from the embodiments provided by the invention that, when the basic feature data of an unknown program file alone (such as its file name, MD5, SHA1, or other features calculated from the file content) is not enough to determine whether it is a malicious program, or to find an accurate repair scheme, the client device can be required to further scan specified attributes of the unknown program file, such as its signature and version, and/or attributes of its context environment, and a further judgement can be made on that basis, so that an unknown program file whose safety the client cannot determine on its own can be judged more accurately. With this scheme the cloud server issues personalized scan content in a timely manner, and the detection and removal method is obtained dynamically from the server side according to the attributes of the program file and of its context environment; newly emerged malicious programs can therefore be detected and removed without upgrading the local feature database and engine program, which speeds up the response to new malicious programs and effectively contains their rapid spread.
The above is only an overview of the technical solution of the invention. In order that the technical means of the invention may be understood more clearly and implemented according to the content of the specification, and that the above and other objects, features and advantages of the invention may become more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of showing preferred embodiments and are not to be considered a limitation of the invention. The same reference symbols denote the same parts throughout the drawings. In the drawings:
Fig. 1 shows a cloud-security-based malicious program scanning system according to an embodiment of the invention;
Fig. 2 shows a flowchart of a cloud-security-based malicious program scanning method according to an embodiment of the invention; and
Fig. 3 shows a flowchart of a cloud-security-based malicious program detection and removal method according to another embodiment of the invention.
Detailed description of the embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and its scope fully conveyed to those skilled in the art.
Embodiments of the invention may be applied to a computer system/server that can operate together with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations suitable for use with the computer system/server include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, handheld or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above systems.
The computer system/server may be described in the general context of computer-system-executable instructions, such as program modules, executed by a computer system. Generally, program modules may include routines, programs, object programs, components, logic, data structures and so on that perform particular tasks or implement particular abstract data types. The computer system/server may be practised in distributed cloud computing environments where tasks are performed by remote processing devices linked through a communication network. In a distributed cloud computing environment, program modules may be located on local or remote computing system storage media, including memory devices.
Referring to Fig. 1, it shows a cloud-security-based malicious program scanning system according to an embodiment of the invention, comprising a scanning device 110 for malicious program detection and removal and a cloud management device 210 for malicious program detection and removal; the scanning device 110 may be arranged on the client side, in the client device 100, and the cloud management device 210 on the server side, in the server-side device 200. The scanning device 110 can communicate with the cloud management device 210: specifically, the first transmission interface 118 in the scanning device 110 can transmit information to the server-side device 200 and receive information transmitted by the server-side device 200, and the second transmission interface 218 of the cloud management device can transmit information to the client device 100 and receive information transmitted by the client device 100. The scanning device 110 may comprise an environment information reader 112, a first scanner 114, a second scanner 116 and a first transmission interface 118. The cloud management device 210 may comprise a first indicator 212, a first matcher 214, a second indicator 216 and a second transmission interface 218.
First, the environment information reader 112 reads the current system environment information of the client device 100 and transmits it through the first transmission interface 118 to the second transmission interface 218 of the server-side device 200. The current system environment information of the client device 100 can include many things, such as any one or more of the operating system's version information, installed system patches, installed software, installed drivers, and information on active processes and services. There are many operating systems, such as Windows 98, Windows 2003, Windows XP and Windows Vista, each with different version information, so from the operating system version information the server-side device 200 knows which specific version of the operating system the client device 100 is currently running. Active processes are the processes running in the system; by calling the corresponding API (Application Programming Interface) functions, among other means, the client can enumerate the processes currently running in the system together with their identifiers, user names, CPU usage, memory usage, descriptors and so on. After the local engine of the client device 100 has been initialized and the network environment is ready, the environment information reader 112 can read the current system environment information and transmit it to the server-side device 200.
After the second transmission interface 218 of the cloud management device 210 in the server-side device 200 receives the current system environment information of the client device 100, it passes it to the first indicator 212, which generates the first scan content indication according to the characteristics of newly emerged malicious programs and the system environment information transmitted by the client device 100. The characteristics of newly emerged malicious programs can be of many kinds, for example the characteristic information, derived from analysis of the latest malware epidemic trends, that newly emerged malicious programs use a particular location to hide and/or attack; the locations new malicious programs commonly use include the installation directory of a particular game, the installation directory of popular software, certain specific registry entries, and so on. The server-side device 200 can then take the hiding and/or attack locations commonly used by new malicious programs, combine them with the current system environment information reported by the client device, and issue a personalized scan content indication for that client device, namely the first scan content indication. For example, if the software installation information reported by the client device 100 shows that a certain game is installed, and the characteristics of newly emerged malicious programs show that many current malicious programs hide in, or maliciously replace files in, that game's installation directory, the server-side device 200 will require in the first scan content indication that the client device 100 scan the content under that game's installation directory, in order to find suspicious unknown program files on that client device 100. It can be seen that, because the first scan content indication is generated not only from the characteristics of newly emerged malicious programs that the server side has on hand but also from the concrete system environment information of the client device 100, it is personalized and targeted, and the first scan content indications issued to different client devices 100 will often differ.
The first scan content indication at least requires that the content of the specified locations be scanned and that the feature data of the unknown program files found be reported. Concretely, the first scan content indication can be a piece of text or a script generated from the characteristics of newly emerged malicious programs and the current system environment information of the client device 100; through this indication the client device 100 is told which content to scan and which scan results to report.
It should be noted that the first scan content indication can be unconditional or conditional. If it is conditional, the scanning device 110 in the client device 100 scans according to the first scan content indication only when the precondition is satisfied. The conditions attached to the first scan indication can be many, including but not limited to one or more of the following: whether a specified file exists; whether a specified directory exists; whether an attribute of a program file satisfies a specified condition (for example whether its message digest, such as MD5, is a specified value); whether a specified registry key exists; whether a specified registry value exists; whether the content of a registry key satisfies a specified condition; whether the content of a registry value satisfies a specified condition (for example whether it contains or equals a particular string or value); whether a specified process exists; whether a specified service exists; and whether a specified service satisfies a specified condition (for example a particular service name, service description or display name).
After the first indicator 212 has generated the first scan content indication, the server side transmits it through the second transmission interface 218 to the first transmission interface 118 in the client device 100.
Then the first transmission interface 118 of the scanning device 110 in the client device 100 passes the received first scan content indication, which the server-side device 200 determined at least on the basis of the system environment information, to the first scanner 114, and the first scanner 114 scans the locations specified in the first scan content indication. As mentioned above, the first scan content indication may be conditional (the condition may also be called a scan condition), in which case the first scanner 114 must first judge whether the condition attached to the first scan content indication, such as one of the optional conditions listed above, is satisfied; only when the first scanner 114 judges that the attached condition is satisfied does it scan the locations specified in the first scan content indication. If the first scan content indication is not conditional, the first scanner 114 need not judge first and can directly scan the locations it specifies.
Optionally, in addition to the personalized scan of the client device 100 according to the first scan content indication, the first scanner 114 can also perform a conventional scan of the scan locations built into the local engine of the client device 100.
After the scan is complete, the first scanner 114 has found the unknown program files and extracts their feature data. The feature data can be of many kinds, such as one or more of the following: data computed with a specific algorithm (such as MD5, SHA1 or another algorithm) over all of the unknown program file or over part of its key content (that is, a portion extracted from the file), and the file name. These feature data of a program file can be understood as its basic attribute information. Having obtained the feature data of the unknown program file, the first scanner 114 transmits it through the first transmission interface 118 to the second transmission interface 218 of the server-side device 200.
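The client side of this first scan, from receiving a conditional first scan content indication through reporting feature data of the unknown program files, as an added example in Python that is not part of the patent. The JSON layout of the indication, the condition type names, the snapshot dictionaries, the paths, the file contents and the "MZ" program-file check are all assumptions made for the example; the description itself only says the indication may be text or a script and lists the kinds of conditions it may carry.

```python
import hashlib
import json

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

# Constructed client snapshot: what the environment reader and local engine
# would observe on the machine. Paths, registry data and file contents are
# made up for this example.
LEGIT_GAME_EXE = b"MZ...legitimate game binary..."
SUSPICIOUS_DLL = b"MZ...unknown plugin payload..."
CLIENT_SNAPSHOT = {
    "files": {
        r"C:\Games\Foo\foo.exe": LEGIT_GAME_EXE,
        r"C:\Games\Foo\plugin\update.dll": SUSPICIOUS_DLL,
        r"C:\Games\Foo\plugin\readme.txt": b"plain text, not a program file",
    },
    "registry": {r"HKCU\Software\Foo": {"Run": r"C:\Games\Foo\plugin\update.dll"}},
    "processes": {"foo.exe", "explorer.exe"},
    "services": {"FooUpdater": {"display_name": "Foo Updater"}},
}

# Files the local engine can already identify; everything else found at an
# indicated location is an "unknown program file" and gets reported.
LOCALLY_KNOWN_MD5 = {md5_hex(LEGIT_GAME_EXE)}

# Constructed first scan content indication (the description allows text or a
# script; a JSON document is assumed here). The server issued it because the
# client's software installation info showed the "Foo" game installed.
FIRST_INDICATION = json.dumps({
    "conditions": [
        {"type": "dir_exists", "path": r"C:\Games\Foo"},
        {"type": "registry_value_contains", "key": r"HKCU\Software\Foo",
         "name": "Run", "needle": "plugin"},
    ],
    "scan_locations": [r"C:\Games\Foo\plugin"],
})

# The same indication with one more precondition the snapshot does not meet.
FIRST_INDICATION_UNMET = json.dumps({
    **json.loads(FIRST_INDICATION),
    "conditions": json.loads(FIRST_INDICATION)["conditions"]
    + [{"type": "process_exists", "name": "updater.exe"}],
})

def under_directory(path, directory):
    return path.lower().startswith(directory.rstrip("\\").lower() + "\\")

def condition_holds(cond, snap):
    """Evaluate one precondition of the kinds the description lists."""
    kind = cond["type"]
    if kind == "file_exists":
        return cond["path"] in snap["files"]
    if kind == "dir_exists":
        return any(under_directory(p, cond["path"]) for p in snap["files"])
    if kind == "file_md5_equals":
        data = snap["files"].get(cond["path"])
        return data is not None and md5_hex(data) == cond["md5"].lower()
    if kind == "registry_key_exists":
        return cond["key"] in snap["registry"]
    if kind == "registry_value_contains":
        value = snap["registry"].get(cond["key"], {}).get(cond["name"], "")
        return cond["needle"].lower() in str(value).lower()
    if kind == "process_exists":
        return cond["name"] in snap["processes"]
    if kind == "service_exists":
        return cond["name"] in snap["services"]
    raise ValueError(f"unsupported condition type: {kind}")

def run_first_scan(indication_json, snap=CLIENT_SNAPSHOT, known=LOCALLY_KNOWN_MD5):
    """Client side of the first scan: check every precondition, scan the
    indicated locations, and return the feature data of each unknown program
    file. Returns None when a precondition fails and no scan is performed."""
    ind = json.loads(indication_json)
    if not all(condition_holds(c, snap) for c in ind.get("conditions", [])):
        return None
    report = []
    for path, data in sorted(snap["files"].items()):
        if not any(under_directory(path, loc) for loc in ind["scan_locations"]):
            continue
        if not data.startswith(b"MZ"):      # only program (PE) files are candidates
            continue
        digest = md5_hex(data)
        if digest in known:                 # the local engine already identifies it
            continue
        report.append({
            "path": path,
            "filename": path.rsplit("\\", 1)[-1],
            "md5": digest,
            "sha1": hashlib.sha1(data).hexdigest(),
            # "key content" variant: digest of the first 64 bytes only
            "head64_md5": md5_hex(data[:64]),
        })
    return report
```

With the constructed snapshot, `run_first_scan(FIRST_INDICATION)` reports only `update.dll`: the game executable is outside the indicated directory, the text file is not a program file, and a failed precondition (`FIRST_INDICATION_UNMET`) suppresses the scan entirely, which is the conditional behaviour the description attaches to the first indication.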
The second transmission interface 218 of the server side then provides the received feature data of the unknown program file to the first matcher 214, which matches it against the known malicious program detection and removal database. This database records feature information of malicious programs and may also record the decision logic for judging whether a file is a malicious program, as well as possible detection and removal methods (such as repair logic). The features of a malicious program can include much information, such as file attribute information like the file name, the program file's digest, the file size, signature information and version information, and also context environment attributes of the program file such as the directory the file is in, its startup entry in the registry, and the attributes of other files in the same directory or in a specified directory. Because current malicious programs are relatively complex, it is often impossible to determine accurately from one or two features alone whether a file is malicious; in many cases a comprehensive judgement over a variety of features is needed, and the logic for this comprehensive judgement of whether an unknown program file is a malicious program is the decision logic mentioned above. Detection and removal methods include, but are not limited to, scanning/judgement and repair operations. Since the server side far exceeds the client in storage capacity, computing power, and the capacity and speed with which malicious program feature information can be collected and updated, the server-side device 200 can judge from its known database an unknown program file that the client device 100 could not judge with its local engine.
If the first matcher 214 matches successfully in the known malicious program detection and removal database, it can judge whether the unknown program file is a malicious program, and in some cases it can also match the corresponding repair logic; the judgement result and the corresponding repair logic can then be fed back through the second transmission interface 218 to the first transmission interface 118 of the client device 100. Optionally, the client device 100 also comprises a removal unit; the first transmission interface 118 in the client device 100 informs the removal unit of the judgement result that the server-side device 200 reached on the basis of the features of the unknown program file (whether or not it is a malicious program) and of the repair logic, and the removal unit performs the corresponding operation. For example, if the judgement result is that the unknown program file is a malicious program, the removal unit repairs the unknown program file according to the repair logic returned by the server-side device 200. Repair processing includes, but is not limited to, deleting a registry key/value, editing a specified registry key/value to specified content, deleting a specified system service entry, and repairing/deleting a specified program file.
Regarding the repair of a specified program file, there are multiple repair schemes depending on the type of file to be repaired. For example, some files to be repaired are system files, some are program files of popular software, and some are ordinary files. The basic principle for repairing these program files is similar: the server side uses some attribute information of the program file the client needs repaired to search the cloud database for a matching program file that is not infected; if one exists, it is provided to the client as a replacement, completing the repair. Different files can have different matching conditions set according to actual needs. For example, for a system file it may be required that all the attribute information of the file (file name, version information, and so on) be consistent before the match counts as successful, that is, before a replacement file for the repair is found; whereas for a non-system file, the match may also count as successful if what the cloud database stores is a base version or standard version. Moreover, even among system files, or among non-system files, different matching conditions can be set according to the file's actual application environment, its requirements, or the operating system. For example, one system file may require that all its attributes, such as file name and version information, match before the match is successful, while for another system file it may be enough that the file name matches and the version is a base or standard version.
Below, a popular software program damaged by a trojan is taken as an example to describe in detail how a program file is replaced during repair processing. For example, after a trojan has damaged the program file of some popular software, the information of the original program file is unavailable. In this case the server-side device 200 uses the information about this software that the client device 100 provided earlier, such as the software name and version, the version of the program file, its directory and so on, to work out which replacement file to provide to the client device 100; it then matches on the file name, version and similar information in the cloud database, finds the matching uninfected replacement file and provides it to the client device 100, and the client device 100 replaces the damaged original program file with the uninfected program file, consistent with the local machine, that the server-side device 200 provided.
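The per-file-type matching conditions described above, as an added example in Python that is not the patent's own code: a lookup that selects a clean replacement from a constructed repository, requiring an exact match for system files and accepting a base or standard edition for other files, with a policy override for the cases where the description says a system file may use the relaxed rule. The repository layout, the field and policy names, the version numbers and the sample records are assumptions made for the example.

```python
# Constructed cloud repository of uninfected program files. Field names,
# editions and version numbers are made up for this example.
CLEAN_REPOSITORY = [
    {"name": "kernel32.dll", "version": "6.1.7601.17514", "kind": "system",
     "edition": "standard", "blob_id": "sys-001"},
    {"name": "kernel32.dll", "version": "6.1.7600.16385", "kind": "system",
     "edition": "hotfix", "blob_id": "sys-002"},
    {"name": "foo.exe", "version": "2.1.0", "kind": "application",
     "edition": "standard", "blob_id": "app-010"},
    {"name": "foo.exe", "version": "2.0.0", "kind": "application",
     "edition": "base", "blob_id": "app-009"},
    {"name": "foo.exe", "version": "2.2.0", "kind": "application",
     "edition": "beta", "blob_id": "app-011"},
]

def version_key(version):
    """Sort key for dotted numeric version strings."""
    return tuple(int(part) for part in version.split("."))

def default_policy(request):
    """System files need an exact match; other files accept a base or standard
    edition. Pass policy= to find_replacement to vary this per file, as the
    description allows."""
    return "exact" if request["kind"] == "system" else "standard_edition"

def find_replacement(request, repo=CLEAN_REPOSITORY, policy=None):
    """Return the repository record to send to the client as a replacement, or
    None. `request` holds the attributes the client reported for the damaged
    file (name, kind and, when still known, version)."""
    policy = policy or default_policy(request)
    same_name = [r for r in repo
                 if r["name"].lower() == request["name"].lower()
                 and r["kind"] == request["kind"]]
    if policy == "exact":
        # every recorded attribute must agree: here name, kind and version
        return next((r for r in same_name if r["version"] == request.get("version")), None)
    if policy == "standard_edition":
        # name must agree; prefer the same version, otherwise the newest
        # base/standard edition (pre-release editions are never sent)
        candidates = [r for r in same_name if r["edition"] in ("base", "standard")]
        exact = [r for r in candidates if r["version"] == request.get("version")]
        if exact:
            return exact[0]
        return max(candidates, key=lambda r: version_key(r["version"]), default=None)
    raise ValueError(f"unknown policy: {policy}")
```

For a system file whose version is not in the repository the default policy returns nothing, so the client is not handed a mismatched system binary; the same request with `policy="standard_edition"` falls back to the newest standard edition, which is the relaxed rule the description permits for some system files.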
The match is successful if the first adaptation 214 is failed in known rogue program killing database, namely can't accurately mate according to the characteristic of unknown program file, then can notify the second indicator 216, and then second essential information that provides according to the characteristic of unknown program file of indicator 216 and the characteristic of known newborn rogue program, continue to generate the indication of the second scans content.Because known the base attribute information such as characteristic of unknown program file by the first indicator, and then in conjunction with the characteristic of current rogue program, such as this class unknown program file if rogue program, generally also having which characteristic, may not be that alternative document attribute under create name, this unknown program file place catalogue or the associative directory may be to specify attribute etc. such as the signing messages of this unknown program file.
Specifically, the second scan content indication includes scanning specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file. For example, the second scan content indication may require the client device 100 only to scan and report specified attributes of the unknown program file, only to scan and report specified attributes of the context environment of the unknown program file, or to scan and report both kinds of specified attributes together.
It should be noted that the specified attributes of the unknown program file include, but are not limited to, one or more of the following: characteristic data, file size, security level, signature information and version information. Although the client device 100 has already reported the characteristic data of the unknown program file after scanning according to the server side's first scan content indication, the connection between the client device 100 and the server-side device may not be a persistent one, so when the client device 100 later reports the specified attribute information of the unknown program file after scanning according to the server side's second scan content indication, it may need to report basic information such as the characteristic data of the unknown program file again. Therefore the second scan content indication may both require scanning and reporting the other specified attributes beyond the characteristic data of the unknown program file and require scanning and reporting the characteristic data itself. Of course, if the connection between the client device 100 and the server-side device 200 is persistent, the second scan content indication need not require the client device 100 to report again basic information such as the characteristic data that was already reported once. The security level includes, but is not limited to, malicious (that is, on the blacklist), safe (that is, on the whitelist, trusted), unknown and suspicious. The attributes of the context environment of the unknown program file include, but are not limited to, one or more of the following: information about the directory the unknown program file resides in, specified registry key-value information, attribute information of other files in the same directory as the program file or in a specified directory, and the running state of a specified process.
After generating the second scan content indication, the second indicator 216 transmits it through the second transmission interface 218 to the first transmission interface 118 in the client device 100, and the first transmission interface 118 passes it on to the second scanner 116. The second scanner 116 then scans the specified attribute information of the unknown program file and/or the attribute information of its context environment according to the second scan content indication, and finally transmits the scan result to the second transmission interface 218 of the server-side device 200.
In one embodiment of the invention, the second transmission interface 218 passes the received scan result of the second scanner 116 to the second indicator 216, which analyses and compares it against the known malicious-program detection and removal database, whose detailed contents were given above. Because the scan result for the unknown program file provided by the client device 100 now contains more information, such as the signature information, security level, version information and other attributes of the unknown program file, or the various attribute information of its context environment, or both the other attributes of the file and the attributes of its context environment, the second indicator 216 can use this fuller information together with the characteristic information and decision logic in the malicious-program detection and removal database to judge further whether the unknown program file is a malicious program file, and if it is, can also look up whether a corresponding repair logic exists. The repair logic includes, but is not limited to, one or more of the following: deleting a specified registry key and/or key value, modifying a registry key and/or key value to a specified content, deleting a specified system service entry, and repairing or deleting a specified program file.
The second indicator 216 then transmits its judgement of whether the unknown program file is a malicious program file to the client device 100 through the second transmission interface 218. Further, if the judgement is that it is a malicious program and a matching repair logic is found in the known malicious-program detection and removal database, the matching repair logic is also transmitted to the client device through the second transmission interface 218.
The scanning device 110 of the client also includes a first processor, which obtains through the first transmission interface 118 the judgement made by the second indicator in the server-side device 200 of whether the unknown program file is a malicious program file, and processes it accordingly. For example, if the judgement is that the file is a safe program file, no detection and removal processing of the unknown program file is needed; if the judgement is that it is a malicious program and the second indicator 216 has provided a repair logic, the user can be prompted and asked whether to repair, and after the user's confirmation the unknown program file is repaired according to that repair logic.
In another embodiment of the invention, to reduce communication between the client device 100 and the server-side device 200, the second indicator 216 can, when sending the second scan content indication to the client device 100, also send along the decision logic associated with that indication, and even the repair logic associated with the decision logic. Specifically, because the second scan content indication mainly covers scanning the other specified attributes beyond the characteristic data of the unknown program file and/or the specified attributes of its context environment, the server side can predict which scan results the client device 100 may obtain after scanning according to the second scan content indication, and can determine from the malicious-program detection and removal database which scan results would show that the unknown program file is a malicious program. It can therefore derive the decision logic associated with the second scan content indication, namely how to judge from the subsequent scan result whether the unknown program file is a malicious program. If it is a malicious program, the server can further look up in the known malicious-program detection and removal database whether there is a repair logic associated with the second scan content indication and the decision logic.
The scanning device 110 on the client can also include a second processor, which obtains through the transmission interface 118 the decision logic associated with the second scan content indication provided by the server side's second indicator 216, and then judges, from this decision logic and the scan result obtained by the second scanner 116 after scanning according to the second scan content indication, whether the unknown program file is a malicious program, and processes it accordingly. For example, if the judgement is that the unknown program file is a malicious program, and the server side's second indicator 216 has also sent the repair logic associated with the decision logic, then, when the scan result provided by the second scanner 116 satisfies that repair logic, the corresponding repair processing is carried out according to it. The rest of the processing is similar to that done by the first processor in the previous embodiment and is not repeated. It can be seen that in this embodiment the second scanner 116 no longer needs to upload the result of scanning the unknown program file according to the second scan content indication to the server-side device, but simply provides it directly to the second processor.
It can be seen from the above embodiments that if the scanning device 110 includes only the environment information reader 112, the first scanner 114, the second scanner 116 and the first transmission interface, it is simply a malicious-program scanning device; if it also includes the first processor or the second processor, the scanning device is in essence a device that can complete malicious-program detection and removal, and can be understood as a detection and removal device for malicious programs.
Referring to Fig. 2, it shows a flow chart of the cloud-security-based malicious-program scanning method according to one embodiment of the invention. The method includes a part of the flow located on the client side and a part located on the server side; the client-side flow is the scanning method for malicious-program detection and removal, and the server-side flow is the cloud management method for malicious-program detection and removal.
The method starts at step S210, in which the current system environment information of the client device is read and transmitted to the server-side device. The system environment information includes, but is not limited to, any one or more of the version information of the operating system, system patch installation information, software installation information, driver installation information, and information such as active processes and services. This step can be performed by the environment information reader 112 in the scanning device 110 described above; the related technical details can be found in the description of the environment information reader 112 in the preceding embodiments and are not repeated here.
Then, in step S220, the server-side device obtains the system environment information of the client device, generates the first scan content indication from the characteristics of newly emerging malicious programs and the system environment information transmitted by the client device, and transmits this first scan content indication to the client device. The first scan content indication includes at least scanning the content of assigned locations and reporting the characteristic data of the unknown program files found by the scan. This step can be performed by the first indicator 212 in the cloud management device 210 on the server side described above; the related technical details can be found in the description of the first indicator 212 in the preceding embodiments and are not repeated here.
After the client device obtains, through step S220, the first scan content indication that the server-side device determined from the system environment information it uploaded, in step S230 it scans the assigned locations in the first scan content indication and transmits at least the characteristic data of the unknown program files obtained by the scan to the server-side device, so that the server-side device can make a further judgement. This step can be performed by the first scanner 114 in the client's scanning device 110; the related technical details can be found in the description of the first scanner 114 in the preceding embodiments and are not repeated here.
After the server-side device obtains, through step S230, the characteristic data of the unknown program file transmitted by the client device, in step S240 it matches that characteristic data in the known malicious-program detection and removal database and judges whether the unknown program file is a malicious program. If the match succeeds, the unknown program file is judged to be a malicious program, and the server can further look up whether a corresponding repair logic exists; if so, the judgement and the repair logic are transmitted together to the client, and if no corresponding repair logic is found, only the judgement is transmitted to the client device. This step can be performed by the first matcher 214 in the cloud management device 210 on the server side described above; the related technical details can be found in the description of the first matcher 214 in the preceding embodiments and are not repeated here.
If the server-side device cannot match a known record in the known malicious-program detection and removal database, that is, cannot judge whether the unknown program file is a malicious program, then in step S250 it generates the second scan content indication, which includes scanning the specified attributes of the unknown program file and/or the specified attributes of its context environment, and transmits the second scan content indication to the client device. The reason the server-side device also sends the second scan content indication to the client device is to obtain more information about the unknown program file so as to make a further judgement. This step can be performed by the second indicator 216 in the cloud management device 210 on the server side described above; the related technical details can also be found in the description of the first indicator 212 in the preceding embodiments and are not repeated here.
After the client device obtains the second scan content indication through step S250, in step S260 it scans according to that indication and thereby learns the specified attributes of the unknown program file and/or the specified attributes of its context environment. For example, the specified attributes of the unknown program file include, but are not limited to, one or more of the following: the characteristic data, file size, security level, signature information and version information of the unknown program file. As another example, the attributes of the context environment of the unknown program file include, but are not limited to, one or more of the following: information about the directory the unknown program file resides in, information about its startup entry in the registry, attribute information of other files in the same directory as the program file or in a specified directory, and the running state of a specified process.
After step S260, in one embodiment of the invention, the client device first transmits the scan result obtained according to the second scan content indication to the server-side device; this step can be performed by the second scanner 116 of the preceding embodiments, and the related technical features can be found in the description of that component and are not repeated here. The server-side device, after obtaining the scan result that the client device produced according to the second scan content indication, further analyses and compares this scan result in the malicious-program detection and removal database, judges again whether the unknown program file is a malicious program, and then transmits the judgement (such as malicious, safe, unknown or suspicious) and/or the repair logic matching this scan result to the client device. On the server side this step can be performed by the second indicator 216 in the cloud management device 210 of the preceding embodiments; the related technical features can be found in the description of that component and are not repeated here. It should be noted that a corresponding repair logic is not found in every case where the file is judged malicious: when one is found, the judgement and the repair logic can be transmitted together to the client device; when no repair logic is found, only the judgement can be transmitted to the client for its own or the user's reference; and it is also possible to transmit only the repair logic, because when the client receives a repair logic it can take the unknown program file to be a malicious program, since otherwise the server-side device would not feed back a repair logic for that file. After the client device obtains the judgement fed back by the server-side device of whether the unknown program file is a malicious program, it can process it accordingly, for example by reminding the user through a safety prompt such as a pop-up window, or by carrying out repair processing according to the repair logic after the user confirms. On the client side this step can be performed by the first processor in the scanning device 110 of the preceding embodiments; the related technical features can be found in the description of that component and are not repeated here.
It can be seen from the description of the later steps of this embodiment that the client device has to transmit at least two scan results to the server-side device so that the server-side device can decide from them. To reduce the number of communications between the client device and the server-side device and improve efficiency, the following flow can be used in another embodiment of the invention.
In yet another embodiment of the invention, in step S250 above, besides generating the second scan content indication and sending it to the client device, the server-side device also obtains from the known malicious-program detection and removal database the decision logic and/or repair logic associated with the second scan content indication, and transmits the decision logic and/or repair logic to the client device together with the second scan content indication. This step can be performed by the second indicator 216 in the cloud management device 210 of the preceding embodiments, and the related technical details can be found in the description of that component and are not repeated here. After step S250, the client device has thus received at least the second scan content indication and the decision logic associated with it, and may also have received the repair logic associated with the second scan content indication. After the client device obtains a scan result by scanning according to the second scan content indication in step S260, it can judge from the decision logic transmitted by the server-side device and the scan result whether the unknown program file is a malicious program; if so, it further checks whether the server-side device also transmitted the associated repair logic, and if it did, continues by repairing the unknown program file according to that repair logic, for example deleting a specified registry key and/or key value, modifying a registry key and/or key value to a specified content, deleting a specified system service entry, and repairing or deleting a specified program file. This step can be performed by the second processor in the scanning device 110 of the preceding embodiments, and the related technical details can be found in the description of this step above and are not repeated here.
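Steps S210 to S240 above form the first scan round: the server derives the first scan content indication from the client's system environment information and the traits of new malware, the client hashes the files in the assigned locations, and the server matches the reported characteristic data against its known database. The block below is an added example, not the patent's or the applicant's code, that runs that round end to end on a constructed directory tree; the trait table, directory names, database entries and file contents are all constructed, and the use of MD5 and SHA-256 as the characteristic data follows the "MD5 or SHA" mentioned later in the text.

```python
"""First scan round: environment-driven scan indication, client hashing, server match.
Added example; all paths, hashes, traits and database entries are constructed."""
import hashlib
import os
import tempfile

# Constructed server-side knowledge about newly emerging malware: locations worth
# scanning on every client, plus extra locations that matter only when particular
# software or OS versions are installed (taken from the system environment info).
NEW_MALWARE_TRAITS = {
    "always": ["Temp"],
    "per_software": {"PlayerSuite": ["PlayerSuite"]},
    "per_os": {"6.1": ["Drivers"]},
}

# Constructed known detection-and-removal database keyed by MD5 of file content.
_MAL = b"constructed malicious dll content"
_GOOD = b"constructed clean library content"
KNOWN_DB = {
    hashlib.md5(_MAL).hexdigest(): {"verdict": "malicious", "repair": ["delete_file"]},
    hashlib.md5(_GOOD).hexdigest(): {"verdict": "safe", "repair": None},
}


def build_first_indication(env_info, traits=NEW_MALWARE_TRAITS):
    """Server side (first indicator): choose the assigned locations from the client's
    system environment information and the traits of new malware."""
    paths = list(traits["always"])
    for software in env_info.get("software", []):
        paths += traits["per_software"].get(software, [])
    paths += traits["per_os"].get(env_info.get("os_version"), [])
    return {"assigned_paths": sorted(set(paths)), "report": ["name", "md5", "sha256"]}


def scan_assigned(root, indication):
    """Client side (first scanner): hash every regular file under each assigned path.
    Locations outside the indication are deliberately left alone."""
    report = []
    for rel in indication["assigned_paths"]:
        folder = os.path.join(root, rel)
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            path = os.path.join(folder, name)
            if not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            report.append({"name": name, "location": rel,
                           "md5": hashlib.md5(data).hexdigest(),
                           "sha256": hashlib.sha256(data).hexdigest()})
    return report


def first_match(report, db=KNOWN_DB):
    """Server side (first matcher): exact lookup by characteristic data. Files with
    no record stay 'unknown' and become candidates for the second scan indication."""
    verdicts = {}
    for item in report:
        entry = db.get(item["md5"])
        verdicts[item["name"]] = ("unknown", None) if entry is None \
            else (entry["verdict"], entry["repair"])
    return verdicts


def demo_round():
    """Lay out a constructed client file system in a temp dir and run one round."""
    root = tempfile.mkdtemp()
    for sub in ("PlayerSuite", "Temp", "Docs"):   # Docs is never assigned
        os.makedirs(os.path.join(root, sub))
    samples = {
        ("PlayerSuite", "update.dll"): _MAL,
        ("Temp", "helper.dll"): _GOOD,
        ("Temp", "mystery.exe"): b"constructed file with no database record",
        ("Docs", "notes.txt"): _MAL,          # outside assigned paths, must be ignored
    }
    for (sub, name), content in samples.items():
        with open(os.path.join(root, sub, name), "wb") as fh:
            fh.write(content)
    env = {"os_version": "6.2", "software": ["PlayerSuite"]}
    indication = build_first_indication(env)
    return indication, first_match(scan_assigned(root, indication))
```

The point a practitioner should take from the example is the division of labour: the client never decides anything in this round, it only hashes what it was told to look at, and any file the database has no record for is what drives the second round.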
In yet another embodiment of the invention, a cloud-security-based malicious-program detection and removal method is provided; see the flow chart shown in Fig. 3.
The flow starts at step S310, in which the client initializes its local engine and network environment.
Then, in step S320, the client reads the system environment information and sends it to the server side.
Next, in step S330, the server side judges the client's system environment information against the preset scan content conditions and sends the content that needs to be scanned to the client. The content that needs to be scanned here corresponds to the first scan content indication in the preceding embodiments.
Then, in step S340, the client's local engine executes both its built-in scan content and the scan content returned by the server side, and obtains the features of unknown program files, such as the file name, MD5 or SHA.
Then, in step S350, the client device sends the features of the unknown program files to the server side.
After that, in step S360, the server side searches the database according to the features of the program file and/or the attributes of the program file's context environment.
Then, in step S370, it is judged whether a matching record can be found in the database, that is, whether a corresponding detection and removal method is found, which includes but is not limited to scan/judgement actions and repair actions. If a matching record is found, step S380 is executed; if not, step S400 is executed.
Step S380: the server side returns the corresponding detection and removal method to the client. Then step S390 is executed.
Step S390: the client performs the corresponding actions according to the detection and removal method returned by the server side. Then the flow ends.
Step S400: the server side judges whether it needs to check further attributes of the client's unknown program file, such as attributes beyond the characteristic data of the unknown program file fed back in step S350, and/or attributes of the context environment of the unknown program file. If so, execution continues with step S410; if not, the flow ends directly.
Step S410: the client captures the specified attributes of the program file that needs checking and the attributes of its context environment according to the check conditions returned by the server side, and sends them to the server side. Execution then returns to step S360, until the flow ends.
In yet another embodiment of the invention, a concrete example of malicious-program detection and removal is given. Suppose the xxxUpdate.exe of a certain audio-visual software product loads the xxxUpdate.dll in the same directory; this audio-visual software has a very large installed base in China, but its own program files are not sufficiently protected or checked against tampering, so a malicious program m can exploit this security weakness of the audio-visual software and replace xxxUpdate.dll with a malicious program. The detection and removal steps using this scheme are as follows:
First, the client sends the file name and MD5 value of xxxUpdate.dll to the server side;
Then, the server side matches a corresponding detection and removal method from the file name and MD5 value, and further sends a scan indication (corresponding to the second scan content indication in the preceding embodiments), a decision logic and a repair logic to the client. The scan indication requires checking whether the security level of this file is trusted and whether the company signature name of the file is "Beijing xxx company limited"; the decision logic states that if the security level of this file is not trusted and the company signature name is not "Beijing xxx company limited", the file is judged to have been tampered with by a malicious program, that is, to be a malicious program; and the corresponding repair logic states that if the scan result satisfies the decision logic, so that the file is judged to be a malicious program, the corresponding repair actions are to prevent xxxUpdate.exe from starting with the system and to replace xxxUpdate.dll with the original file.
Finally, the client scans the file according to the above scan content, judges from the scan result and the decision logic provided by the server side whether the file is a malicious program, and if so reports the malicious program to the user and, when the user chooses to remove it, performs the detection and removal actions returned by the server side, such as repair processing.
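The embodiment in which the server sends the decision logic and repair logic together with the second scan content indication (the second processor described earlier, and steps S400 and S410 of the flow) is what the xxxUpdate.dll example above exercises. The block below is an added example, not the patent's or the applicant's code, that encodes that example as data and evaluates it on the client: the message layout, the operator names and the attribute keys are constructed, the signer string repeats the "Beijing xxx company limited" placeholder from the text, and the host attributes are supplied as a constructed dictionary rather than read from the file system or registry. Repair steps are returned as a plan rather than executed, and only after the user confirms, which matches the prompt-then-repair behaviour the text describes.

```python
"""Second scan round evaluated on the client: scan indication, decision logic and
repair logic arrive in one server message. Added example; all structures constructed."""
import operator

# Constructed encoding of the server's message for the xxxUpdate.dll example.
SERVER_MESSAGE = {
    "scan_indication": {
        "file": "xxxUpdate.dll",
        "file_attributes": ["security_level", "signer_name"],
        "context_attributes": ["loader_autostart"],
    },
    "decision_logic": {
        # every condition must hold for the verdict to apply
        "all_of": [
            {"attr": "security_level", "op": "ne", "value": "trusted"},
            {"attr": "signer_name", "op": "ne", "value": "Beijing xxx company limited"},
        ],
        "verdict": "malicious",
    },
    "repair_logic": [
        {"action": "disable_autostart", "target": "xxxUpdate.exe"},
        {"action": "replace_file", "target": "xxxUpdate.dll", "source": "original"},
    ],
}

# Operators the decision logic may reference; an unknown operator raises KeyError
# rather than silently passing, so a malformed rule cannot produce a verdict.
_OPS = {"eq": operator.eq, "ne": operator.ne, "in": lambda a, b: a in b}


def collect_attributes(indication, host_view):
    """Client side (second scanner): gather only the attributes the indication asks
    for. `host_view` is a constructed dict standing in for file and registry queries."""
    wanted = indication["file_attributes"] + indication["context_attributes"]
    return {key: host_view[key] for key in wanted if key in host_view}


def evaluate(decision, scan_result):
    """Client side (second processor). Returns the decision's verdict when every
    condition holds, 'unknown' when a required attribute could not be collected,
    and 'not_matched' when the scan result contradicts the logic."""
    for cond in decision["all_of"]:
        if cond["attr"] not in scan_result:
            return "unknown"
        if not _OPS[cond["op"]](scan_result[cond["attr"]], cond["value"]):
            return "not_matched"
    return decision["verdict"]


def handle_second_round(message, host_view, user_confirms):
    """Run the round locally; return (verdict, planned repair steps). The plan is
    non-empty only for a malicious verdict that the user has confirmed."""
    result = collect_attributes(message["scan_indication"], host_view)
    verdict = evaluate(message["decision_logic"], result)
    if verdict != "malicious" or not user_confirms:
        return verdict, []
    plan = [f"{step['action']}:{step['target']}" for step in message.get("repair_logic", [])]
    return verdict, plan
```

Because the logic is evaluated from data the server sent for this particular file, the client needs neither an engine update nor a second upload to reach the verdict, which is the communication saving the embodiment is after; the "unknown" result for a missing attribute is the case a client should report back rather than treat as safe.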
In another embodiment of the invention, the client device does not report its current system environment information to the server-side device, so the server side does not need to generate the first scan content indication from system environment information reported by the client device and have the client device scan according to it. Instead, the client device scans directly according to a known scanning logic (such as the scanning logic of its local engine or a scanning logic the server side informed it of earlier), and reports the suspicious unknown program files found by that scan, whose safety cannot be judged directly, to the server-side device; the remaining processing is the same as described in the preceding embodiments and is not repeated.
It can be seen from the embodiments provided by the invention that when it cannot be determined from the file name, MD5, SHA and the like of a suspicious unknown program file alone whether it is a malicious program, or no accurate repair scheme can be found, the embodiments of the invention can make a further judgement by requiring the client device to scan other attributes of the unknown program file, such as its signature and version, and/or attributes of the context environment of the unknown program file, so that an unknown program file whose safety the client cannot determine by itself can be judged more accurately. With this scheme, whether the client sends the various attribute results of the further scan to the server side for judgement, or the server side sends the decision logic and repair logic associated with the scan result to the client together and lets it judge by itself, in essence the cloud server issues personalized scan content in a timely manner and the detection and removal method is obtained dynamically from the server side according to the attributes of the program file and of its context environment. This avoids having to upgrade the local feature database and engine program in order to detect and remove newly emerging malicious programs, thereby accelerating the response to newly emerging malicious programs and effectively containing their rapid spread.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teaching herein. From the description above, the structure required to construct such systems is apparent. Moreover, the invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and the description given above of a specific language is for the purpose of disclosing the best mode of the invention.
In the specification provided herein, numerous specific details are described. It is understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and help the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may in addition be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include some but not other features included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination of them. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the scanning device or cloud management device for malicious-program detection and removal according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may have the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.
Herein is disclosed A1, a scanning device for malicious program checking and killing, comprising: a first transmission interface configured to transmit information to a server-side device and to receive information transmitted by the server-side device; an environment information reader configured to read the current system environment information of the client device and to transmit it to the server-side device via the first transmission interface; a first scanner configured to obtain, via the first transmission interface, a first scan instruction that the server-side device determines based at least on the system environment information, to scan the locations specified in the first scan instruction, and to transmit at least the features of the unknown program files obtained by the scan to the server-side device via the first transmission interface; and a second scanner configured to obtain, via the first transmission interface, a second scan instruction transmitted by the server-side device, the second scan instruction comprising scanning specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file, and to scan according to the second scan instruction.

A2, the scanning device according to A1, wherein the second scanner is further configured to transmit the scan result obtained after scanning according to the second scan instruction to the server-side device via the first transmission interface; the scanning device further comprises: a first repair unit configured to obtain, via the first transmission interface, the repair logic that the server-side device determines based on the scan result of the second scanner, and to perform repair processing on the unknown program file according to the repair logic.

A3, the scanning device according to A1, further comprising: a second repair unit configured to obtain, via the first transmission interface, the repair logic related to the second scan instruction that the server-side device transmits together with the second scan instruction, and to perform repair processing on the unknown program file when the scan result of the second scanner satisfies the repair logic.

A4, the scanning device according to A2 or A3, wherein the repair processing comprises one or more of the following processing modes: deleting a specified registry key and/or registry value, editing a registry key and/or registry value to given content, deleting a specified system service entry, and repairing or deleting a specified program file.

A5, the scanning device according to any one of A1 to A4, wherein the system environment information comprises one or more of the following: operating system version information, system patch installation information, software installation information, driver installation information, and information on the processes and services running in the system.

A6, the scanning device according to any one of A1 to A5, wherein: the feature of the program file comprises one or more of the following: data obtained by applying a specified algorithm to all or part of the key content of the unknown program file, and the file name; the specified attributes of the unknown program file comprise one or more of the following: the feature, the file size, the security level, the signature information and the version information.

A7, the scanning device according to any one of A1 to A6, wherein the attributes of the context environment of the unknown program file comprise one or more of the following: information on the directory in which the unknown program file is located, information on startup locations in the registry, attribute information of other files in the same directory as the program file or in a specified directory, and the running state of a specified process.
Herein is disclosed B8, a cloud management device for malicious program checking and killing, comprising: a second transmission interface configured to transmit information to a client device and to receive information transmitted by the client device; a first instruction unit configured to generate a first scan instruction according to the features of newly emerged malicious programs and the system environment information transmitted by the client device, the first scan instruction comprising scanning the content of specified locations and reporting at least the features of the unknown program files found by the scan, and to transmit the first scan instruction to the client device via the second transmission interface; a first matcher configured to obtain, via the second transmission interface, the features of the unknown program files transmitted by the client device, and to match them against known malicious program feature records; and a second instruction unit configured to generate a second scan instruction when the first matcher fails to match a known record, the second scan instruction comprising scanning specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file, and to transmit it to the client device via the second transmission interface.

B9, the cloud management device according to B8, wherein: the second instruction unit is further configured to obtain, via the second transmission interface, the scan result that the client device obtains after scanning according to the second scan instruction, to determine from it whether the unknown program file is a malicious program, and to transmit the determination result to the client device via the second transmission interface; or, the second instruction unit is further configured to transmit the determination logic related to the second scan instruction to the client device via the second transmission interface together with the second scan instruction, the determination logic being the logic for determining whether the unknown program file is a malicious program.

B10, the cloud management device according to B9, wherein: the second instruction unit is further configured to match, in a known malicious program checking-and-killing database, the scan result that the client device obtains after scanning according to the second scan instruction, and, if repair logic matching the scan result is found, to transmit it to the client device via the second transmission interface; or, the second instruction unit is further configured to match the second scan instruction in the known malicious program checking-and-killing database, and to transmit the matched repair logic related to the second scan instruction to the client device via the second transmission interface together with the second scan instruction.

B11, the cloud management device according to any one of B8 to B10, wherein the features of newly emerged malicious programs comprise: feature information of the specific locations that newly emerged malicious programs use to hide and/or to attack.

B12, the cloud management device according to any one of B8 to B11, wherein the first scan instruction is a conditional instruction, the condition comprising one or more of the following: whether a specified file exists, whether a specified directory exists, whether an attribute of a program file satisfies a specified condition, whether a specified registry key exists, whether a specified registry value exists, whether the content of a registry key satisfies a specified condition, whether the content of a registry value satisfies a specified condition, whether a specified process exists, and whether a specified service exists.

B13, the cloud management device according to any one of B8 to B12, wherein the repair logic comprises one or more of the following: deleting a specified registry key and/or registry value, editing a registry key and/or registry value to given content, deleting a specified system service entry, and repairing or deleting a specified program file.

B14, the cloud management device according to any one of B8 to B13, wherein: the feature of the unknown program file comprises one or more of the following: data obtained by applying a specified algorithm to all or part of the key content of the unknown program file, and the file name; the specified attributes of the unknown program file comprise one or more of the following: the feature, the file size, the signature information and the version information.

B15, the cloud management device according to any one of B8 to B14, wherein the attributes of the context environment of the unknown program file comprise one or more of the following: information on the directory in which the unknown program file is located, security level information, information on startup locations in the registry, attribute information of other files in the same directory as the program file or in a specified directory, and the running state of a specified process.
Herein is disclosed C16, a malicious program scanning system based on cloud security, comprising the scanning device for malicious program checking and killing according to any one of A1 to A7, and the cloud management device for malicious program checking and killing according to any one of B8 to B15.
Herein is disclosed D17, a scan method for malicious program checking and killing, comprising: reading the current system environment information of a client device and transmitting it to a server-side device; obtaining a first scan instruction that the server-side device determines based on the system environment information, scanning the locations specified in the first scan instruction, and transmitting at least the features of the unknown program files obtained by the scan to the server-side device; and obtaining a second scan instruction transmitted by the server-side device, the second scan instruction comprising scanning specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file, and scanning according to the second scan instruction.

D18, the scan method according to D17, further comprising: transmitting the scan result obtained after scanning according to the second scan instruction to the server-side device; obtaining the determination result, made by the server-side device based on the scan result, of whether the unknown program file is a malicious program, and performing corresponding processing according to the determination result; or, obtaining the determination logic related to the second scan instruction that the server-side device provides, determining whether the unknown program file is a malicious program according to the scan result obtained after scanning according to the second scan instruction and the determination logic, and performing corresponding processing.
Herein is disclosed E19, a cloud management method for malicious program checking and killing, comprising: generating a first scan instruction according to the features of newly emerged malicious programs and the system environment information transmitted by a client device, the first scan instruction comprising scanning the content of specified locations and reporting at least the features of the unknown program files found by the scan, and transmitting the first scan instruction to the client device; obtaining the features of the unknown program files transmitted by the client device, and matching them in a known malicious program checking-and-killing database; and when the features of the unknown program file fail to match a known record, generating a second scan instruction, the second scan instruction comprising scanning specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file, and transmitting the second scan instruction to the client device.

E20, the cloud management method according to E19, further comprising: obtaining the scan result that the client device obtains after scanning according to the second scan instruction, determining from it whether the unknown program file is a malicious program, and transmitting the determination result and/or the repair logic matching the scan result to the client device; or, transmitting the determination logic and/or repair logic related to the second scan instruction to the client device together with the second scan instruction.
Herein is disclosed F21, a malicious program scan method based on cloud security, comprising: a client device reading its current system environment information and transmitting it to a server-side device; the server-side device generating a first scan instruction according to the features of newly emerged malicious programs and the system environment information transmitted by the client device, the first scan instruction comprising scanning the content of specified locations and reporting at least the features of the unknown program files found by the scan, and transmitting the first scan instruction to the client device; the client device scanning according to the first scan instruction and transmitting at least the features of the unknown program files obtained by the scan to the server-side device; the server-side device matching the features of the unknown program files in a known malicious program checking-and-killing database; when the features of the unknown program file fail to match a known record, the server-side device generating a second scan instruction, the second scan instruction comprising scanning specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file, and transmitting the second scan instruction to the client device; and the client device scanning according to the second scan instruction.
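The two-phase exchange summarised in A1 to F21 (and repeated in claims 1 to 20) is easier to follow as a running model. The following Python is an added example, not code from the patent or from the applicant; both sides live in one process, the client's file system, registry and process list are constructed in-memory stand-ins, the startup key path and the "unsigned file launched from a startup entry" determination logic are assumptions chosen for illustration, and SHA-256 stands in for the "specified algorithm" that produces a file's feature.

```python
"""Cloud-assisted two-phase scan exchange modelled on A1-F21 (added example, not the
patent's code). All client state and server knowledge below is constructed."""
import hashlib

STARTUP_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"  # hypothetical startup location

# Constructed client-side state: stands in for the file system, registry and process list.
CLIENT_FILES = {
    r"C:\Windows\Temp\upd.exe": {"content": b"MZ-constructed-sample-A", "signed": False, "version": "1.0"},
    r"C:\Windows\Temp\readme.txt": {"content": b"constructed text", "signed": False, "version": ""},
    r"C:\Windows\System32\calc.exe": {"content": b"MZ-constructed-sample-B", "signed": True, "version": "6.1"},
}
CLIENT_REGISTRY = {STARTUP_KEY: {"upd": r"C:\Windows\Temp\upd.exe"}}
CLIENT_ENV = {"os_version": "Windows 7", "processes": ["explorer.exe", "upd.exe"], "services": ["Spooler"]}

def feature_of(content: bytes) -> str:
    """Feature of a program file: a specified algorithm (here SHA-256) over its content."""
    return hashlib.sha256(content).hexdigest()

# Constructed server-side knowledge: known feature records and where new malware hides, per OS.
KNOWN_FEATURES = {feature_of(b"MZ-constructed-sample-C"): "Known.Constructed"}
NEW_MALWARE_HIDING_PLACES = {"Windows 7": [r"C:\Windows\Temp"]}

class ScanningDevice:
    """Client side: environment reader, first scanner, second scanner and repair unit."""

    def read_environment(self):
        return dict(CLIENT_ENV)

    def first_scan(self, instruction):
        """Scan the specified locations; report at least the feature of each program file found."""
        found = []
        for path, meta in CLIENT_FILES.items():
            in_scope = any(path.startswith(d + "\\") for d in instruction["scan_dirs"])
            if in_scope and path.lower().endswith(".exe"):
                found.append({"path": path, "feature": feature_of(meta["content"])})
        return found

    def second_scan(self, instruction):
        """Collect the requested file attributes and context attributes of one unknown file."""
        path, meta = instruction["path"], CLIENT_FILES[instruction["path"]]
        attrs = {"size": len(meta["content"]), "signed": meta["signed"], "version": meta["version"]}
        result = {"path": path, **{a: attrs[a] for a in instruction["attributes"]}}
        directory, name = path.rsplit("\\", 1)
        if "registry_startup" in instruction["context"]:
            result["registry_startup"] = [n for n, cmd in CLIENT_REGISTRY[STARTUP_KEY].items() if cmd == path]
        if "sibling_files" in instruction["context"]:
            result["sibling_files"] = sorted(p for p in CLIENT_FILES if p.rsplit("\\", 1)[0] == directory and p != path)
        if "process_running" in instruction["context"]:
            result["process_running"] = name in CLIENT_ENV["processes"]
        return result

    def repair(self, repair_logic):
        """Apply the repair logic the cloud returned; returns the actions actually applied."""
        applied = []
        for step in repair_logic:
            if step["action"] == "delete_registry_value":
                CLIENT_REGISTRY[step["key"]].pop(step["name"], None)
            elif step["action"] == "delete_file":
                CLIENT_FILES.pop(step["path"], None)
            applied.append(step["action"])
        return applied

class CloudManagementDevice:
    """Server side: first instruction unit, matcher, second instruction unit and judgement."""

    def first_instruction(self, env):
        """Choose the locations to scan from the client's OS and the hiding places of new malware."""
        return {"scan_dirs": NEW_MALWARE_HIDING_PLACES.get(env["os_version"], [])}

    def match(self, feature):
        return KNOWN_FEATURES.get(feature)  # None when no known record matches

    def second_instruction(self, path):
        return {"path": path, "attributes": ["size", "signed", "version"],
                "context": ["registry_startup", "sibling_files", "process_running"]}

    def judge(self, result):
        """Constructed determination logic: an unsigned file launched from a startup entry is malicious."""
        malicious = (not result["signed"]) and bool(result["registry_startup"])
        repair = []
        if malicious:
            repair = [{"action": "delete_registry_value", "key": STARTUP_KEY, "name": n} for n in result["registry_startup"]]
            repair.append({"action": "delete_file", "path": result["path"]})
        return malicious, repair

def run_exchange():
    """Run the full exchange once; returns {path: (verdict, second-scan result, applied repairs)}."""
    client, cloud = ScanningDevice(), CloudManagementDevice()
    first = cloud.first_instruction(client.read_environment())  # steps 1-2: environment in, instruction out
    verdicts = {}
    for item in client.first_scan(first):                        # step 3: client reports file features
        known = cloud.match(item["feature"])                     # step 4: match against known records
        if known:
            verdicts[item["path"]] = ("known", known, [])
            continue
        result = client.second_scan(cloud.second_instruction(item["path"]))  # steps 5-6
        malicious, repair = cloud.judge(result)                  # step 7: judge and return repair logic
        applied = client.repair(repair) if malicious else []
        verdicts[item["path"]] = ("malicious" if malicious else "clean", result, applied)
    return verdicts
```

Only files under the hiding place the cloud named for this OS are hashed in the first phase, so the signed file in System32 never leaves the client; the unknown Temp file fails the feature match, which is what triggers the second, attribute-and-context scan and, in this constructed case, the repair logic that removes the startup value and the file. The judgement sits on the cloud side here (the first alternative of B9); the second alternative, shipping the determination logic with the second scan instruction, would move `judge` into `ScanningDevice`.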

Claims (20)

1. A scanning device for malicious program checking and killing, comprising:
a first transmission interface configured to transmit information to a server-side device and to receive information transmitted by the server-side device;
an environment information reader configured to read the current system environment information of the client device and to transmit it to the server-side device via the first transmission interface;
a first scanner configured to obtain, via the first transmission interface, a first scan instruction that the server-side device determines based at least on the system environment information, to scan the locations specified in the first scan instruction, and to transmit at least the features of the unknown program files obtained by the scan to the server-side device via the first transmission interface; and
a second scanner configured to obtain, via the first transmission interface, a second scan instruction transmitted by the server-side device, the second scan instruction comprising scanning specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file, and to scan according to the second scan instruction.
2. The scanning device according to claim 1, wherein the second scanner is further configured to transmit the scan result obtained after scanning according to the second scan instruction to the server-side device via the first transmission interface;
the scanning device further comprises:
a first repair unit configured to obtain, via the first transmission interface, the repair logic that the server-side device determines based on the scan result of the second scanner, and to perform repair processing on the unknown program file according to the repair logic.
3. The scanning device according to claim 1, further comprising:
a second repair unit configured to obtain, via the first transmission interface, the repair logic related to the second scan instruction that the server-side device transmits together with the second scan instruction, and to perform repair processing on the unknown program file when the scan result of the second scanner satisfies the repair logic.
4. The scanning device according to claim 2 or 3, wherein the repair processing comprises one or more of the following processing modes:
deleting a specified registry key and/or registry value, editing a registry key and/or registry value to given content, deleting a specified system service entry, and repairing or deleting a specified program file.
5. The scanning device according to any one of claims 1 to 4, wherein the system environment information comprises one or more of the following:
operating system version information, system patch installation information, software installation information, driver installation information, and information on the processes and services running in the system.
6. The scanning device according to any one of claims 1 to 5, wherein:
the feature of the program file comprises one or more of the following: data obtained by applying a specified algorithm to all or part of the key content of the unknown program file, and the file name;
the specified attributes of the unknown program file comprise one or more of the following: the feature, the file size, the security level, the signature information and the version information.
7. The scanning device according to any one of claims 1 to 6, wherein the attributes of the context environment of the unknown program file comprise one or more of the following:
information on the directory in which the unknown program file is located, information on startup locations in the registry, attribute information of other files in the same directory as the program file or in a specified directory, and the running state of a specified process.
8. A cloud management device for malicious program checking and killing, comprising:
a second transmission interface configured to transmit information to a client device and to receive information transmitted by the client device;
a first instruction unit configured to generate a first scan instruction according to the features of newly emerged malicious programs and the system environment information transmitted by the client device, the first scan instruction comprising scanning the content of specified locations and reporting at least the features of the unknown program files found by the scan, and to transmit the first scan instruction to the client device via the second transmission interface;
a first matcher configured to obtain, via the second transmission interface, the features of the unknown program files transmitted by the client device, and to match them against known malicious program feature records; and
a second instruction unit configured to generate a second scan instruction when the first matcher fails to match a known record, the second scan instruction comprising scanning specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file, and to transmit it to the client device via the second transmission interface.
9. The cloud management device according to claim 8, wherein:
the second instruction unit is further configured to obtain, via the second transmission interface, the scan result that the client device obtains after scanning according to the second scan instruction, to determine from it whether the unknown program file is a malicious program, and to transmit the determination result to the client device via the second transmission interface;
or,
the second instruction unit is further configured to transmit the determination logic related to the second scan instruction to the client device via the second transmission interface together with the second scan instruction, the determination logic being the logic for determining whether the unknown program file is a malicious program.
10. The cloud management device according to claim 9, wherein:
the second instruction unit is further configured to match, in a known malicious program checking-and-killing database, the scan result that the client device obtains after scanning according to the second scan instruction, and, if repair logic matching the scan result is found, to transmit it to the client device via the second transmission interface;
or,
the second instruction unit is further configured to match the second scan instruction in the known malicious program checking-and-killing database, and to transmit the matched repair logic related to the second scan instruction to the client device via the second transmission interface together with the second scan instruction.
11. The cloud management device according to any one of claims 8 to 10, wherein the features of newly emerged malicious programs comprise: feature information of the specific locations that newly emerged malicious programs use to hide and/or to attack.
12. The cloud management device according to any one of claims 8 to 11, wherein the first scan instruction is a conditional instruction, the condition comprising one or more of the following:
whether a specified file exists, whether a specified directory exists, whether an attribute of a program file satisfies a specified condition, whether a specified registry key exists, whether a specified registry value exists, whether the content of a registry key satisfies a specified condition, whether the content of a registry value satisfies a specified condition, whether a specified process exists, and whether a specified service exists.
13. The cloud management device according to any one of claims 8 to 12, wherein the repair logic comprises one or more of the following:
deleting a specified registry key and/or registry value, editing a registry key and/or registry value to given content, deleting a specified system service entry, and repairing or deleting a specified program file.
14. The cloud management device according to any one of claims 8 to 13, wherein:
the feature of the unknown program file comprises one or more of the following: data obtained by applying a specified algorithm to all or part of the key content of the unknown program file, and the file name;
the specified attributes of the unknown program file comprise one or more of the following: the feature, the file size, the signature information and the version information.
15. The cloud management device according to any one of claims 8 to 14, wherein the attributes of the context environment of the unknown program file comprise one or more of the following:
information on the directory in which the unknown program file is located, security level information, information on startup locations in the registry, attribute information of other files in the same directory as the program file or in a specified directory, and the running state of a specified process.
16. A malicious program scanning system based on cloud security, comprising the scanning device for malicious program checking and killing according to any one of claims 1 to 7, and the cloud management device for malicious program checking and killing according to any one of claims 8 to 15.
17. A scan method for malicious program checking and killing, comprising:
reading the current system environment information of a client device and transmitting it to a server-side device;
obtaining a first scan instruction that the server-side device determines based on the system environment information, scanning the locations specified in the first scan instruction, and transmitting at least the features of the unknown program files obtained by the scan to the server-side device; and
obtaining a second scan instruction transmitted by the server-side device, the second scan instruction comprising scanning specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file, and scanning according to the second scan instruction.
18. The scan method according to claim 17, further comprising:
transmitting the scan result obtained after scanning according to the second scan instruction to the server-side device; obtaining the determination result, made by the server-side device based on the scan result, of whether the unknown program file is a malicious program, and performing corresponding processing according to the determination result;
or,
obtaining the determination logic related to the second scan instruction that the server-side device provides, determining whether the unknown program file is a malicious program according to the scan result obtained after scanning according to the second scan instruction and the determination logic, and performing corresponding processing.
19. A cloud management method for malicious program checking and killing, comprising:
generating a first scan instruction according to the features of newly emerged malicious programs and the system environment information transmitted by a client device, the first scan instruction comprising scanning the content of specified locations and reporting at least the features of the unknown program files found by the scan, and transmitting the first scan instruction to the client device;
obtaining the features of the unknown program files transmitted by the client device, and matching them in a known malicious program checking-and-killing database; and
when the features of the unknown program file fail to match a known record, generating a second scan instruction, the second scan instruction comprising scanning specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file, and transmitting the second scan instruction to the client device.
20. A malicious program scan method based on cloud security, comprising:
a client device reading its current system environment information and transmitting it to a server-side device;
the server-side device generating a first scan instruction according to the features of newly emerged malicious programs and the system environment information transmitted by the client device, the first scan instruction comprising scanning the content of specified locations and reporting at least the features of the unknown program files found by the scan, and transmitting the first scan instruction to the client device;
the client device scanning according to the first scan instruction and transmitting at least the features of the unknown program files obtained by the scan to the server-side device;
the server-side device matching the features of the unknown program files in a known malicious program checking-and-killing database;
when the features of the unknown program file fail to match a known record, the server-side device generating a second scan instruction, the second scan instruction comprising scanning specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file, and transmitting the second scan instruction to the client device;
the client device scanning according to the second scan instruction.
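Claim 12 (B12 in the summary) makes the first scan instruction conditional on nine kinds of host facts, so the cloud can gate a scan on the traces a newly emerged program leaves rather than broadcasting it to every client. The following Python evaluator is an added example, not code from the patent or from the applicant: the host snapshot and the instruction are constructed, the Run key path is a hypothetical startup location, and the operator set (`==`, `<`, `contains`, ...) is an assumed concrete reading of "satisfies a specified condition", which the claim leaves open.

```python
"""Evaluator for the conditional first scan instruction of claim 12 / B12 (added example,
not the patent's code). The snapshot and the instruction below are constructed."""
import re

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"  # hypothetical startup location

# Constructed snapshot of what the client's environment reader and scanner can see.
SNAPSHOT = {
    "files": {
        r"C:\Windows\Temp\upd.exe": {"size": 18432, "signed": False, "version": "1.0.0.3"},
        r"C:\Users\Public\run.bat": {"size": 120, "signed": False, "version": ""},
    },
    "dirs": {r"C:\Windows\Temp", r"C:\Users\Public"},
    "registry": {RUN_KEY: {"upd": r"C:\Windows\Temp\upd.exe"}},  # key -> {value name: data}
    "processes": {"explorer.exe", "upd.exe"},
    "services": {"Spooler", "wuauserv"},
}

# Assumed operators behind "satisfies a specified condition" for attributes and registry content.
_OPS = {
    "==": lambda v, e: v == e,
    "!=": lambda v, e: v != e,
    "<": lambda v, e: v < e,
    ">": lambda v, e: v > e,
    "contains": lambda v, e: e in str(v),
    "matches": lambda v, e: re.search(e, str(v)) is not None,
}

def evaluate_condition(cond, snap):
    """Evaluate one condition of the nine kinds listed in claim 12 against the snapshot."""
    kind = cond["kind"]
    if kind == "file_exists":
        return cond["path"] in snap["files"]
    if kind == "dir_exists":
        return cond["path"] in snap["dirs"]
    if kind == "file_attr":  # whether an attribute of a program file satisfies a specified condition
        meta = snap["files"].get(cond["path"])
        return meta is not None and _OPS[cond["op"]](meta.get(cond["attr"]), cond["value"])
    if kind == "reg_key_exists":
        return cond["key"] in snap["registry"]
    if kind == "reg_value_exists":
        return cond["name"] in snap["registry"].get(cond["key"], {})
    if kind == "reg_key_content":  # key content: any value stored under the key satisfies the condition
        return any(_OPS[cond["op"]](d, cond["value"]) for d in snap["registry"].get(cond["key"], {}).values())
    if kind == "reg_value_content":
        data = snap["registry"].get(cond["key"], {}).get(cond["name"])
        return data is not None and _OPS[cond["op"]](data, cond["value"])
    if kind == "process_exists":
        return cond["name"].lower() in {p.lower() for p in snap["processes"]}
    if kind == "service_exists":
        return cond["name"].lower() in {s.lower() for s in snap["services"]}
    raise ValueError(f"unknown condition kind: {kind}")

def apply_conditional_instruction(instruction, snap):
    """Evaluate every condition; the scan locations are released only when all of them hold."""
    outcomes = {c["id"]: evaluate_condition(c, snap) for c in instruction["conditions"]}
    triggered = all(outcomes.values())
    return {"triggered": triggered, "outcomes": outcomes,
            "scan_locations": list(instruction["scan_locations"]) if triggered else []}

# Constructed instruction: the cloud suspects a newly emerged program that hides in the Temp
# directory and persists through the Run key, so it gates the scan on those traces.
TEMP_PERSISTENCE_INSTRUCTION = {
    "conditions": [
        {"id": "temp_dir", "kind": "dir_exists", "path": r"C:\Windows\Temp"},
        {"id": "run_value", "kind": "reg_value_content", "key": RUN_KEY, "name": "upd",
         "op": "contains", "value": "\\Temp\\"},
        {"id": "unsigned", "kind": "file_attr", "path": r"C:\Windows\Temp\upd.exe",
         "attr": "signed", "op": "==", "value": False},
        {"id": "running", "kind": "process_exists", "name": "UPD.EXE"},
    ],
    "scan_locations": [r"C:\Windows\Temp", RUN_KEY],
}
```

`apply_conditional_instruction` returns the per-condition outcomes alongside the released locations, so a client can report which trace was missing when an instruction does not fire; process and service names are compared case-insensitively because the claim speaks of a "specified process" by name, not by path. An unrecognised condition kind raises rather than silently evaluating to true, which keeps a malformed instruction from widening the scan.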
CN201210506137.5A 2012-11-30 2012-11-30 For the scanning device of rogue program killing, cloud management equipment and method and system Active CN102982284B (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
CN201210506137.5A CN102982284B (en) 2012-11-30 2012-11-30 For the scanning device of rogue program killing, cloud management equipment and method and system
US14/648,298 US9830452B2 (en) 2012-11-30 2013-11-29 Scanning device, cloud management device, method and system for checking and killing malicious programs
PCT/CN2013/088196 WO2014082599A1 (en) 2012-11-30 2013-11-29 Scanning device, cloud management device, method and system for checking and killing malicious programs
US15/823,534 US20180082061A1 (en) 2012-11-30 2017-11-27 Scanning device, cloud management device, method and system for checking and killing malicious programs

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210506137.5A CN102982284B (en) 2012-11-30 2012-11-30 For the scanning device of rogue program killing, cloud management equipment and method and system

Publications (2)

Publication Number Publication Date
CN102982284A true CN102982284A (en) 2013-03-20
CN102982284B CN102982284B (en) 2016-04-20

Family

ID=47856288

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210506137.5A Active CN102982284B (en) 2012-11-30 2012-11-30 For the scanning device of rogue program killing, cloud management equipment and method and system

Country Status (1)

Country Link
CN (1) CN102982284B (en)

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103390130A (en) * 2013-07-18 2013-11-13 北京奇虎科技有限公司 Rogue program searching and killing method and device based on cloud security as well as server
CN103618626A (en) * 2013-11-28 2014-03-05 北京奇虎科技有限公司 Method and system for generating safety analysis report on basis of logs
WO2014082599A1 (en) * 2012-11-30 2014-06-05 北京奇虎科技有限公司 Scanning device, cloud management device, method and system for checking and killing malicious programs
CN103929323A (en) * 2013-12-16 2014-07-16 汉柏科技有限公司 Health degree monitoring method of cloud network equipment
CN104462975A (en) * 2014-12-19 2015-03-25 北京奇虎科技有限公司 Program scanning method, device and system
CN104573518A (en) * 2015-01-23 2015-04-29 百度在线网络技术(北京)有限公司 Method, device, server and system for scanning files
CN105335191A (en) * 2015-10-16 2016-02-17 北京金山安全软件有限公司 Method and device for scanning terminal equipment and terminal
CN105429956A (en) * 2015-11-02 2016-03-23 重庆大学 Malicious software detection system based on P2P dynamic cloud and malicious software detection method
WO2016107309A1 (en) * 2014-12-31 2016-07-07 北京奇虎科技有限公司 File scanning method, device and system
CN106557689A (en) * 2015-09-25 2017-04-05 纬创资通股份有限公司 malicious program code analysis method and system, data processing device and electronic device
CN106682508A (en) * 2016-06-17 2017-05-17 腾讯科技(深圳)有限公司 Method and device for searching and killing viruses
CN106682495A (en) * 2016-11-11 2017-05-17 腾讯科技(深圳)有限公司 Safety protection method and safety protection device
CN107645483A (en) * 2016-07-22 2018-01-30 阿里巴巴集团控股有限公司 Risk Identification Method, risk identification device, cloud risk identification apparatus and system
CN109829303A (en) * 2018-12-28 2019-05-31 北京奇安信科技有限公司 A kind of Intranet cloud checking and killing method, console and client based on system file
CN110879887A (en) * 2019-11-15 2020-03-13 杭州安恒信息技术股份有限公司 Method, device, equipment and medium for repairing mining trojan program
CN110971575A (en) * 2018-09-29 2020-04-07 北京金山云网络技术有限公司 Malicious request identification method and device, electronic equipment and computer storage medium
CN114115936A (en) * 2021-10-27 2022-03-01 安天科技集团股份有限公司 Method and device for upgrading computer program, electronic equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101924762A (en) * 2010-08-18 2010-12-22 奇智软件(北京)有限公司 Cloud security-based active defense method
CN102279912A (en) * 2011-06-03 2011-12-14 奇智软件(北京)有限公司 Client program monitoring method and device and client
CN102592103A (en) * 2011-01-17 2012-07-18 中国电信股份有限公司 Secure file processing method, equipment and system
CN102750463A (en) * 2011-12-16 2012-10-24 北京安天电子设备有限公司 System and method for improving file rescanning speed
US8302192B1 (en) * 2008-04-30 2012-10-30 Netapp, Inc. Integrating anti-virus in a clustered storage system
CN102799811A (en) * 2012-06-26 2012-11-28 腾讯科技(深圳)有限公司 Scanning method and device

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8302192B1 (en) * 2008-04-30 2012-10-30 Netapp, Inc. Integrating anti-virus in a clustered storage system
CN101924762A (en) * 2010-08-18 2010-12-22 奇智软件(北京)有限公司 Cloud security-based active defense method
CN102592103A (en) * 2011-01-17 2012-07-18 中国电信股份有限公司 Secure file processing method, equipment and system
CN102279912A (en) * 2011-06-03 2011-12-14 奇智软件(北京)有限公司 Client program monitoring method and device and client
CN102750463A (en) * 2011-12-16 2012-10-24 北京安天电子设备有限公司 System and method for improving file rescanning speed
CN102799811A (en) * 2012-06-26 2012-11-28 腾讯科技(深圳)有限公司 Scanning method and device

Cited By (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014082599A1 (en) * 2012-11-30 2014-06-05 北京奇虎科技有限公司 Scanning device, cloud management device, method and system for checking and killing malicious programs
WO2015007224A1 (en) * 2013-07-18 2015-01-22 北京奇虎科技有限公司 Malicious program finding and killing method, device and server based on cloud security
CN103390130A (en) * 2013-07-18 2013-11-13 北京奇虎科技有限公司 Rogue program searching and killing method and device based on cloud security as well as server
US10027704B2 (en) 2013-07-18 2018-07-17 Beijing Qihoo Technology Company Limited Malicious program finding and killing device, method and server based on cloud security
CN103390130B (en) * 2013-07-18 2017-04-05 北京奇虎科技有限公司 Based on the method for the rogue program killing of cloud security, device and server
CN103618626A (en) * 2013-11-28 2014-03-05 北京奇虎科技有限公司 Method and system for generating safety analysis report on basis of logs
CN103929323A (en) * 2013-12-16 2014-07-16 汉柏科技有限公司 Health degree monitoring method of cloud network equipment
CN104462975A (en) * 2014-12-19 2015-03-25 北京奇虎科技有限公司 Program scanning method, device and system
WO2016107309A1 (en) * 2014-12-31 2016-07-07 北京奇虎科技有限公司 File scanning method, device and system
CN104573518B (en) * 2015-01-23 2019-03-26 百度在线网络技术(北京)有限公司 File scanning method, device, server and system
CN104573518A (en) * 2015-01-23 2015-04-29 百度在线网络技术(北京)有限公司 Method, device, server and system for scanning files
US10599851B2 (en) 2015-09-25 2020-03-24 Wistron Corporation Malicious code analysis method and system, data processing apparatus, and electronic apparatus
CN106557689A (en) * 2015-09-25 2017-04-05 纬创资通股份有限公司 malicious program code analysis method and system, data processing device and electronic device
CN106557689B (en) * 2015-09-25 2019-06-07 纬创资通股份有限公司 Malicious program code analysis method and system, data processing device and electronic device
CN105335191A (en) * 2015-10-16 2016-02-17 北京金山安全软件有限公司 Method and device for scanning terminal equipment and terminal
CN105335191B (en) * 2015-10-16 2019-03-01 珠海豹趣科技有限公司 A kind of method, apparatus and terminal of end of scan equipment
CN105429956B (en) * 2015-11-02 2018-09-25 重庆大学 Malware detection system based on P2P dynamic clouds and method
CN105429956A (en) * 2015-11-02 2016-03-23 重庆大学 Malicious software detection system based on P2P dynamic cloud and malicious software detection method
CN106682508A (en) * 2016-06-17 2017-05-17 腾讯科技(深圳)有限公司 Method and device for searching and killing viruses
CN107645483A (en) * 2016-07-22 2018-01-30 阿里巴巴集团控股有限公司 Risk Identification Method, risk identification device, cloud risk identification apparatus and system
CN106682495A (en) * 2016-11-11 2017-05-17 腾讯科技(深圳)有限公司 Safety protection method and safety protection device
US11126716B2 (en) 2016-11-11 2021-09-21 Tencent Technology (Shenzhen) Company Limited System security method and apparatus
CN110971575A (en) * 2018-09-29 2020-04-07 北京金山云网络技术有限公司 Malicious request identification method and device, electronic equipment and computer storage medium
CN109829303A (en) * 2018-12-28 2019-05-31 北京奇安信科技有限公司 A kind of Intranet cloud checking and killing method, console and client based on system file
CN110879887A (en) * 2019-11-15 2020-03-13 杭州安恒信息技术股份有限公司 Method, device, equipment and medium for repairing mining trojan program
CN114115936A (en) * 2021-10-27 2022-03-01 安天科技集团股份有限公司 Method and device for upgrading computer program, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN102982284B (en) 2016-04-20

Similar Documents

Publication Publication Date Title
CN102982284B (en) For the scanning device of rogue program killing, cloud management equipment and method and system
CN103034808B (en) Scan method, equipment and system and cloud management and equipment
US20180082061A1 (en) Scanning device, cloud management device, method and system for checking and killing malicious programs
CN102037471B (en) Centralized scanner database with optimal definition distribution using network queries
Costin et al. A {Large-scale} analysis of the security of embedded firmwares
CN102105884B (en) Streaming malware definition updates
CN101297286B (en) Method for adding equipment driving program
RU2551820C2 (en) Method and apparatus for detecting viruses in file system
US10997307B1 (en) System and method for clustering files and assigning a property based on clustering
CN103281325A (en) Method and device for processing file based on cloud security
CN103679031A (en) File virus immunizing method and device
CN103390130B (en) Based on the method for the rogue program killing of cloud security, device and server
CN102982121B (en) A kind of file scanning method, file scanning device and file detection system
CN102985928A (en) Identifying polymorphic malware
CN103020520A (en) Enterprise-based document security detection method and system
CN103473501A (en) Malware tracking method based on cloud safety
CN105095769A (en) Information service software vulnerability detection method
CN103631678A (en) Backup method, restoring method and device for client software
US20230153435A1 (en) Systems and methods for anti-malware scanning using automatically-created white lists
CN103136477B (en) The scan method of paper sample and system
CN103679027A (en) Searching and killing method and device for kernel level malware
CN103646062A (en) Scanning method and device for downloaded file
US8402544B1 (en) Incremental scanning of computer files for malicious codes
CN103049697A (en) File detection method and system for enterprises
CN103678706A (en) Picture recognition method, system, equipment and device based on screenshot information

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20220801

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.