CN103020521B - Trojan scanning method and system - Google Patents

Trojan scanning method and system

Info

Publication number: CN103020521B
Authority: CN (China)
Application number: CN201110283980.7A
Other languages: Chinese (zh)
Other versions: CN103020521A
Inventors: 彭宁, 宋爱元
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Legal status: Active
Classification: Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

A Trojan scanning method comprises the steps of: obtaining files to be scanned; extracting, one by one, the attribute information of each file to be scanned from the obtained files to be scanned; comparing the extracted attribute information with stored attribute information to judge whether the attribute information of the file to be scanned is identical to the stored attribute information, and if not, scanning the file to be scanned that corresponds to the extracted attribute information. In the above Trojan scanning method and system, when the attribute information of a file to be scanned differs from the pre-stored attribute information, a security scan is performed on that file to determine whether it is marked as normal. Because a security scan is performed only on files whose attribute information differs from the pre-stored attribute information, and a file whose attribute information matches the pre-stored attribute information is very likely not to have been modified, the number of files that need to be scanned is greatly reduced. This reduces resource consumption flexibly, ensures file security, and increases file scanning speed.

Description

Trojan scanning method and system
[Technical field]
The present invention relates to data processing technology, and in particular to a Trojan scanning method and system.
[Background art]
To maintain system security, a security scan of files is usually implemented by running antivirus software, which identifies the suspicious files that affect security. After completing one security scan, the user may perform a security scan again, either irregularly or periodically.
In the repeated security scans performed by the user, files whose verdict was normal and which have not changed still enter the next security scan together with the other files. For example, antivirus software identifies normal files and suspicious files by running feature (signature) identification over the files in the computer, and then handles the suspicious files; in the next run of the antivirus software, these normal files are scanned again together with the files in the computer that have been added, modified, and so on. Every security scan is a complex process that consumes a large amount of system resources and time, yet a normal file that has not been modified or changed in any way cannot have turned from a normal file into a suspicious file since the last scan result.
Among the scanned files, most are normal files; suspicious files are only a small minority of all scanned files. Repeated security scans therefore keep rescanning normal files, while the files that actually need a security scan are limited to those that have been modified or changed. To improve scanning speed, only the files that have been modified or changed are scanned during the security scan. The traditional implementation uses the USN journal (Update Sequence Number journal, also called the Change Journal) of the NTFS file system (New Technology File System) to log all changes to the files in an NTFS partition: before the security scan of files, the USN journal is queried to learn which files have changed, and then only those changed files are scanned.
However, this traditional implementation cannot be used on file systems other than NTFS, and so lacks flexibility.
[Summary of the invention]
On this basis, it is necessary to provide a Trojan scanning method that can reduce resource consumption flexibly.
In addition, it is necessary to provide a Trojan scanning system that can reduce resource consumption flexibly.
A Trojan scanning method comprises the steps of:
obtaining files to be scanned;
extracting the attribute information of each file to be scanned, one by one, from the obtained files to be scanned;
comparing the extracted attribute information with stored attribute information, judging whether the extracted attribute information is identical to the stored attribute information, and if not, scanning the file to be scanned that corresponds to the extracted attribute information;
wherein the stored attribute information is the attribute information corresponding to the files marked as normal in the last Trojan scan result.
Preferably, after the step of comparing the extracted attribute information with the stored attribute information, the method further comprises:
when the extracted attribute information is determined to be identical to the stored attribute information, removing the file to be scanned that corresponds to the extracted attribute information from the obtained files to be scanned.
Preferably, before the step of comparing the extracted attribute information with the stored information, the method further comprises:
obtaining a Trojan scan result;
extracting the files marked as normal from the Trojan scan result;
obtaining, one by one, the attribute information corresponding to the files marked as normal, and storing it.
Preferably, the storing step is:
caching the attribute information corresponding to each file marked as normal.
Preferably, the attribute information is an attribute value, the attribute value uniquely identifying the corresponding attribute information; and before the step of comparing the extracted attribute information with the stored attribute information, the method further comprises:
calculating, from the extracted attribute information, the attribute value corresponding to the file to be scanned;
calculating, from the attribute information of the obtained file, the attribute value corresponding to the obtained file.
Preferably, after the step of calculating the attribute value corresponding to the file to be scanned from the extracted attribute information, the method further comprises:
extracting the file path name of the file to be scanned from the extracted attribute information, and calculating from the file path name the message digest value corresponding to the file to be scanned;
and after the step of calculating the attribute value corresponding to the obtained file from the attribute information of the obtained file, the method further comprises:
extracting the file path name from the attribute information of the obtained file, and calculating from that file path name the message digest value corresponding to the obtained file;
establishing, with the message digest value corresponding to the obtained file as an index, a correspondence between the message digest value and the attribute value corresponding to the obtained file, and storing the correspondence.
Preferably, the step of comparing the attribute information of the file to be scanned with the stored attribute information is:
querying the stored message digest values, the message digest value obtained by the query being identical to the message digest value corresponding to the file to be scanned;
obtaining, from the stored correspondences, the stored attribute value that has a correspondence with the queried message digest value;
judging whether the attribute value corresponding to the file to be scanned is identical to the stored attribute value; if not, entering the step of scanning the file to be scanned that corresponds to the extracted attribute information; if so, entering the step of removing the file to be scanned from the obtained files to be scanned.
A Trojan scanning system comprises:
a file enumeration module for obtaining files to be scanned;
an information acquisition module for extracting the attribute information of each file to be scanned, one by one, from the obtained files to be scanned;
a comparing module for comparing the extracted attribute information with stored attribute information, judging whether the extracted attribute information is identical to the stored attribute information, and if not, notifying a scan module;
the scan module being for scanning the file to be scanned that corresponds to the attribute information;
wherein the stored attribute information is the attribute information corresponding to the files marked as normal in the last Trojan scan result.
Preferably, the system further comprises:
a file removal module for, when the extracted attribute information is determined to be identical to the stored attribute information, removing the file to be scanned that corresponds to the extracted attribute information from the obtained files to be scanned.
Preferably, the system further comprises:
a result acquisition module for obtaining a Trojan scan result;
an extraction module for extracting the files marked as normal from the Trojan scan result;
the information acquisition module being further for obtaining, one by one, the attribute information corresponding to the files marked as normal, and storing it.
Preferably, the information acquisition module is further for caching the attribute information corresponding to each file marked as normal.
Preferably, the attribute information is an attribute value, the attribute value uniquely identifying the corresponding attribute information, and the system further comprises:
an attribute value calculation module for calculating, from the extracted attribute information, the attribute value corresponding to the file to be scanned, and for calculating, from the attribute information of the obtained file, the attribute value corresponding to the obtained file.
Preferably, the system further comprises:
a digest value calculation module for extracting the file path name of the file to be scanned from the extracted attribute information, and calculating from that file path name the message digest value corresponding to the file to be scanned;
the digest value calculation module being further for extracting the file path name from the attribute information of the obtained file, and calculating from that file path name the message digest value corresponding to the obtained file;
a relationship establishing module for establishing, with the message digest value corresponding to the obtained file as an index, a correspondence between the message digest value and the attribute value corresponding to the obtained file, and storing the correspondence.
Preferably, the comparing module comprises:
a query unit for querying the stored message digest values, the message digest value obtained by the query being identical to the message digest value corresponding to the file to be scanned;
an attribute value comparison unit for obtaining, from the stored correspondences, the stored attribute value that has a correspondence with the queried message digest value;
a judging unit for judging whether the attribute value corresponding to the file to be scanned is identical to the stored attribute value, and if not, notifying the scan module, or if so, notifying the file removal module.
In the above Trojan scanning method and system, when the attribute information of a file to be scanned differs from the pre-stored attribute information, a security scan is performed on that file to judge whether it is marked as normal. Because a security scan is performed only on files whose attribute information differs from the pre-stored attribute information, and a file whose attribute information matches the pre-stored attribute information is very likely not to have been modified, the number of files subjected to a security scan is greatly reduced; this reduces resource consumption flexibly, also ensures file security, and increases file scanning speed.
In the above Trojan scanning method and system, the attribute information is an attribute value calculated from the attribute information. Compared with the attribute information itself, which carries a large amount of data, the attribute value is a single string of characters, which avoids storing excessive data during the storing process and reduces the resources occupied.
In the above Trojan scanning method and system, for each file marked as normal in the Trojan scan result, the corresponding message digest value is calculated from the file path name in its attribute information, and a correspondence between the message digest value and the attribute value is established with the message digest value as the index. This effectively improves the speed of querying and comparing the stored attribute values, and thus improves file scanning speed.
[Brief description of the drawings]
Fig. 1 is a flow chart of the Trojan scanning method in one embodiment;
Fig. 2 is a flow chart of the Trojan scanning method in another embodiment;
Fig. 3 is a flow chart of the Trojan scanning method in yet another embodiment;
Fig. 4 is a schematic structural diagram of the Trojan scanning system in one embodiment;
Fig. 5 is a schematic structural diagram of the Trojan scanning system in another embodiment;
Fig. 6 is a schematic structural diagram of the Trojan scanning system in yet another embodiment;
Fig. 7 is a schematic structural diagram of the Trojan scanning system in yet another embodiment;
Fig. 8 is a schematic structural diagram of the comparing module in Fig. 7.
[Detailed description of the embodiments]
Fig. 1 shows the flow of the file scanning method in one embodiment, which comprises the following steps:
Step S110: obtain files to be scanned.
In this embodiment, after the scan engine of the antivirus software or Trojan removal software is started, the files that need to be scanned are obtained according to the scan range that the user selects in the scan interface; these files are the files to be scanned. In the process of obtaining the files to be scanned, to make file scanning easy to maintain during operation, the multiple files to be scanned within the user-selected scan range are enumerated according to a set queue length to form an enumeration queue of a specific length, where they wait to be scanned.
Step S130: extract the attribute information of each file to be scanned, one by one, from the obtained files to be scanned.
In this embodiment, the attribute information of each file to be scanned is extracted from the obtained files to be scanned. Specifically, the attribute information includes the file path name, file creation time, file modification time, file size, file identification number and similar information. Whether a modification operation has been performed on a file to be scanned can be seen from its attribute information.
In actual application, the information contained in the attribute information may vary. For example, to reduce the amount of data, the attribute information may contain only the file creation time, file modification time and file size; this attribute information is also enough to learn whether a modification operation has been performed on the corresponding file to be scanned. However, such attribute information is more likely to be exploited by a Trojan program: after modifying a file, the Trojan program can reset the file creation time and file modification time to their original values, creating the illusion that the file has not been modified. Attribute information that contains the file identification number is harder to tamper with, because the file identification number is assigned by the operating system. Therefore, in a preferred embodiment, the attribute information includes the file path name, file creation time, file modification time, file size, file identification number and so on; attribute information containing the file identification number is less likely to be altered by a Trojan program, and the file path name helps to optimize subsequent processing.
Step S150: compare the extracted attribute information with the stored attribute information and judge whether the extracted attribute information is identical to the stored attribute information; if not, go to step S170; if so, go to step S190.
In this embodiment, the stored attribute information is the attribute information corresponding to the files marked as normal in the last Trojan scan result. The extracted attribute information of the file to be scanned is compared one by one with the pre-stored attribute information to judge whether it is identical to any stored attribute information. When the extracted attribute information of the file to be scanned is determined to be identical to some stored attribute information, the file to be scanned has not been modified since the last scan, so it can be determined to be safe now and does not need to be scanned again. When the extracted attribute information of the file to be scanned is determined to differ from all of the stored attribute information, the file to be scanned has changed and may have been modified by a Trojan program, so it needs to be scanned to judge its security.
In addition, if the above file scanning process is the first scan, or the obtained file to be scanned is being scanned for the first time, there is no corresponding pre-stored attribute information. In that case, a Trojan scan should be performed directly on the file to be scanned, and the attribute information corresponding to the files marked as normal in the resulting Trojan scan result should be stored.
Step S170: scan the file to be scanned that corresponds to the extracted attribute information.
In this embodiment, the scan engine is triggered to scan the file to be scanned whose attribute information has changed, and whether the file contains a Trojan program is judged from the scan result obtained. If the scan result shows that the file is marked as normal, that is, it is a safe file, its corresponding attribute information is stored for comparison against the files to be scanned in the next scan.
Step S190: remove the file to be scanned that corresponds to the extracted attribute information from the obtained files to be scanned.
In this embodiment, the obtained files to be scanned are determined by the user's selection. However, in actual file scanning, since the last scan has already determined that a file to be scanned which has not changed is in the normal state, there is no need to perform a Trojan scan on it again. That is, when a file to be scanned is determined not to have changed and not to need rescanning, it is removed from the obtained files to be scanned, which reduces the number of files to be scanned and thus reduces unnecessary resource consumption.
In another embodiment, as shown in Fig. 2, the following steps are also included before the above step of comparing the extracted attribute information with the stored attribute information:
Step S210: obtain a Trojan scan result.
In this embodiment, the Trojan scan result is obtained after a Trojan scan is completed. The Trojan scan result records, for each file that went through the Trojan scan, information such as the file name and the status flag, so the Trojan scan result tells which files are marked as normal and which are marked as dangerous.
Step S230: extract the files marked as normal from the Trojan scan result.
Step S250: obtain, one by one, the attribute information corresponding to the files marked as normal, and store it.
In this embodiment, after the attribute information corresponding to each file marked as normal is obtained, this attribute information is stored for comparison during file scanning. In a preferred embodiment, a caching mechanism is applied to give file scanning higher performance: the attribute information corresponding to each file marked as normal is cached, which achieves fast data lookup and file scanning performance with low resource usage.
In another embodiment of the above Trojan scanning method, the attribute information is an attribute value, which uniquely identifies the corresponding attribute information, and the following is also included before the above step of comparing the extracted attribute information with the stored attribute information: calculating, from the extracted attribute information, the attribute value corresponding to the file to be scanned; and calculating, from the attribute information of the obtained file, the attribute value corresponding to the obtained file.
In this embodiment, storing the attribute information itself may take up a lot of storage space. To avoid storing an excessive amount of information and to reduce the space occupied, an attribute value is calculated from the attribute information by an encryption (hash) calculation. Whether the corresponding attribute information has changed is judged by whether the attribute value has changed; the attribute value can be any one of an MD5 value, a CRC value (Cyclical Redundancy Check) or a HASH value (hash value).
In another embodiment, as shown in Fig. 3, the above Trojan scanning method comprises the following steps:
Step S301: obtain files to be scanned.
Step S302: obtain the attribute information of each file to be scanned, one by one, from the obtained files to be scanned.
Step S303: calculate, from the extracted attribute information, the attribute value corresponding to the file to be scanned.
Step S304: extract the file path name of the file to be scanned from the extracted attribute information, and calculate from the file path name the message digest value corresponding to the file to be scanned.
In this embodiment, to speed up comparison, the stored attribute information can be searched according to the file path name of the file to be scanned. Since the attribute information is an attribute value, the corresponding message digest value should likewise be calculated from the file path name by an encryption (hash) calculation, so that the attribute value and the message digest value correspond in form; for example, if the attribute value is a HASH value, the message digest value is also in the form of a HASH value.
For example, if the file path name of a certain file to be scanned is C:\Windows\System32\kernel32.dll, then performing the encryption (hash) calculation on C:\Windows\System32\kernel32.dll yields a string of characters, and this string is the corresponding message digest value.
Step S305: query the stored message digest values; the message digest value obtained by the query is identical to the message digest value corresponding to the file to be scanned.
In this embodiment, the multiple stored message digest values are queried to obtain, from among them, the message digest value(s) identical to that of the file to be scanned. In the query process, the relevant attribute value is looked up among the large amount of stored data with the message digest value as the index. The message digest value is calculated from the file path name by an encryption (hash) calculation and is the unique identifier of the file path name; because multiple files may exist under one file path name, a certain message digest value may correspond to the attribute values of multiple files.
Step S306: obtain, from the stored correspondences, the stored attribute value that has a correspondence with the message digest value obtained by the query.
In this embodiment, since the message digest value and the corresponding attribute value of the file have been pre-stored and the correspondence between the message digest value and the attribute value has been established, the attribute value of the file can be found through the message digest value.
After a certain stored message digest value identical to the message digest value corresponding to the file to be scanned has been found among the stored message digest values, one or more stored attribute values can be obtained according to the stored correspondence.
Step S307: judge whether the attribute value corresponding to the file to be scanned is identical to the stored attribute value; if not, go to step S308; if so, go to step S309.
In this embodiment, whether the attribute value corresponding to the file to be scanned has changed is judged. When the attribute value corresponding to the file to be scanned is determined to be identical to the stored attribute value, the attribute value has not changed, so it is known that neither the attribute information nor the file to be scanned has changed in any way; the file can therefore be confirmed to be a safe file marked as normal, and it does not need to be scanned again. When the attribute value corresponding to the file to be scanned is determined to differ from the stored attribute value, the attribute value has changed, and the file to be scanned may have been modified by a Trojan program, so the file should be scanned.
Step S308: scan the file to be scanned that corresponds to the extracted attribute value.
Step S309: remove the file to be scanned from the obtained files to be scanned.
Step S310: obtain the Trojan scan result.
Step S311: extract the files marked as normal from the Trojan scan result.
In this embodiment, after the scan is complete, the files marked as normal are extracted from the Trojan scan result produced by the scan; these files marked as normal are safe files.
Step S312: obtain, one by one, the attribute information corresponding to the files marked as normal.
Step S313: calculate, from the attribute information of the obtained file, the attribute value corresponding to the obtained file.
Step S314: extract the file path name from the attribute information of the obtained file, and calculate from the file path name the message digest value corresponding to the obtained file.
In this embodiment, the file path name of the file is extracted from the attribute information of the obtained file, and the message digest value is then calculated from that file path name by an encryption (hash) calculation.
Step S315: establish, with the message digest value corresponding to the obtained file as the index, the correspondence between the message digest value and the attribute value corresponding to the obtained file, and store the correspondence.
In this embodiment, to speed up queries during processing, the attribute values are stored with the message digest value as the index. Because multiple files may exist under one file path name, in the correspondence between the message digest value and the attribute value corresponding to the obtained file, one message digest value may correspond to multiple attribute values.
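The Fig. 3 flow (steps S301 to S315, which also cover the attribute value and message digest index described in the claims above) as an added Python example; this is illustration code written for this page, not code from the patent or from Tencent. It assumes SHA-256 for both the attribute value and the message digest (the description allows MD5, CRC or any hash), constructs its file records and engine verdicts inline, and adds an assumed helper `attrs_from_disk` for building a record from a real file.

```python
import hashlib
import os
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class FileAttrs:
    """Attribute information of one file: the preferred field set from the description."""
    path: str      # file path name
    ctime: int     # file creation time (epoch seconds)
    mtime: int     # file modification time (epoch seconds)
    size: int      # file size in bytes
    file_id: int   # OS-assigned file identification number


def attribute_value(a: FileAttrs) -> str:
    """Attribute value (S303, S313): a digest that uniquely identifies the attribute information.
    The description allows MD5, CRC or any hash; SHA-256 is an assumption made here."""
    material = f"{a.path}|{a.ctime}|{a.mtime}|{a.size}|{a.file_id}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def path_digest(path: str) -> str:
    """Message digest of the file path name (S304, S314), the index key for stored attribute values."""
    return hashlib.sha256(path.encode("utf-8")).hexdigest()


def attrs_from_disk(path: str) -> FileAttrs:
    """Assumed helper: attribute information of a real file. st_ino is the file index on Windows
    and the inode elsewhere; st_ctime is the creation time only on Windows (change time on POSIX)."""
    st = os.stat(path)
    return FileAttrs(path, int(st.st_ctime), int(st.st_mtime), st.st_size, st.st_ino)


class NormalFileCache:
    """Per path digest, the attribute values of files marked normal by the last scan (S315).
    One digest may map to several attribute values, as the description allows."""

    def __init__(self) -> None:
        self._index: Dict[str, Set[str]] = defaultdict(set)

    def record_normal(self, a: FileAttrs) -> None:
        self._index[path_digest(a.path)].add(attribute_value(a))

    def is_known_normal(self, a: FileAttrs) -> bool:
        # S305: find the stored digest equal to this file's path digest.
        stored = self._index.get(path_digest(a.path))
        if not stored:
            # First scan, or a file never marked normal: nothing to compare, so it must be scanned.
            return False
        # S306-S307: compare the file's attribute value with the stored value(s) under that digest.
        return attribute_value(a) in stored


def triage(cache: NormalFileCache, candidates: Iterable[FileAttrs]):
    """Split enumerated files into (to_scan, removed): unchanged normal files are removed from
    the queue (S309); everything else goes to the scan engine (S308)."""
    to_scan: List[FileAttrs] = []
    removed: List[FileAttrs] = []
    for a in candidates:
        (removed if cache.is_known_normal(a) else to_scan).append(a)
    return to_scan, removed


def store_scan_results(cache: NormalFileCache, results: Iterable[Tuple[FileAttrs, str]]) -> int:
    """After the engine runs, keep only files whose status is 'normal' (S310-S315).
    Returns the number of entries recorded. Note that the cache compares metadata, not content."""
    recorded = 0
    for a, status in results:
        if status == "normal":
            cache.record_normal(a)
            recorded += 1
    return recorded


def demo() -> Tuple[List[str], List[str]]:
    """Two scan rounds over constructed records; returns (paths scanned, paths removed) in round 2."""
    cache = NormalFileCache()
    kernel = FileAttrs(r"C:\Windows\System32\kernel32.dll", 1_600_000_000, 1_600_000_000, 700_000, 11)
    tool = FileAttrs(r"C:\Tools\update.exe", 1_650_000_000, 1_650_000_000, 52_000, 12)
    # Round 1: nothing is cached yet, so both files go to the scan engine.
    to_scan, _ = triage(cache, [kernel, tool])
    assert len(to_scan) == 2
    # Constructed engine verdicts: kernel32.dll normal, update.exe dangerous.
    store_scan_results(cache, [(kernel, "normal"), (tool, "dangerous")])
    # Round 2: kernel32.dll is unchanged; update.exe was never marked normal; a record for the
    # same path whose timestamps were reset (the case the description warns about) but whose
    # size and file identification number differ still fails the comparison and is rescanned.
    tampered = FileAttrs(kernel.path, kernel.ctime, kernel.mtime, 700_512, 99)
    to_scan, removed = triage(cache, [kernel, tool, tampered])
    return [a.path for a in to_scan], [a.path for a in removed]


if __name__ == "__main__":
    scanned, skipped = demo()
    print("scan:", scanned)
    print("skip:", skipped)
```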
Fig. 4 shows the Trojan scanning system in one embodiment, which comprises a file enumeration module 102, an information acquisition module 104, a comparing module 106, a scan module 108 and a file removal module 110.
The file enumeration module 102 is for obtaining files to be scanned.
In this embodiment, after the scan engine of the antivirus software or Trojan removal software is started, the file enumeration module 102 obtains the files that need to be scanned according to the scan range that the user selects in the scan interface; these files are the files to be scanned. In the process of obtaining the files to be scanned, to make file scanning easy to maintain during operation, the file enumeration module 102 enumerates the multiple files to be scanned within the user-selected scan range according to a set queue length to form an enumeration queue of a specific length, where they wait to be scanned.
The information acquisition module 104 is for extracting the attribute information of each file to be scanned, one by one, from the obtained files to be scanned.
In this embodiment, the information acquisition module 104 extracts the attribute information of each file to be scanned from the obtained files to be scanned, and the attribute information corresponding to each file to be scanned is different. Specifically, the attribute information includes the file path name, file creation time, file modification time, file size, file identification number and similar information. Whether a modification operation has been performed on a file to be scanned can be seen from its attribute information.
In actual application, the information contained in the attribute information may vary. For example, to reduce the amount of data, the attribute information may contain only the file creation time, file modification time and file size; this attribute information is also enough to learn whether a modification operation has been performed on the corresponding file to be scanned. However, such attribute information is more likely to be exploited by a Trojan program: after modifying a file, the Trojan program can reset the file creation time and file modification time to their original values, creating the illusion that the file has not been modified. Attribute information that contains the file identification number is harder to tamper with, because the file identification number is assigned by the operating system. Therefore, in a preferred embodiment, the attribute information includes the file path name, file creation time, file modification time, file size and file identification number; attribute information containing the file identification number is less likely to be altered by a Trojan program, and the file path name helps to optimize subsequent processing.
The comparing module 106 is for comparing the extracted attribute information with the stored attribute information and judging whether the extracted attribute information is identical to the stored attribute information; if not, it notifies the scan module 108; if so, it notifies the file removal module 110.
In this embodiment, multiple pieces of attribute information have been pre-stored, and the files corresponding to this attribute information are all files that have been scanned and confirmed to be marked as normal. The comparing module 106 compares the extracted attribute information of the file to be scanned one by one with the pre-stored attribute information to judge whether it is identical to any stored attribute information. When the comparing module 106 determines that the extracted attribute information of the file to be scanned is identical to some stored attribute information, the file to be scanned has not been modified since the last scan, so it can be determined to be safe now and does not need to be scanned again. When the comparing module 106 determines that the extracted attribute information of the file to be scanned differs from all of the stored attribute information, the file to be scanned has changed and may have been modified by a Trojan program, so it needs to be scanned to judge its security.
In addition, if the above file scanning process is the first scan, or the obtained file to be scanned is being scanned for the first time, there is no corresponding pre-stored attribute information. In that case, the scan module 108 should be notified to perform a Trojan scan directly on the file to be scanned, and the attribute information corresponding to the files marked as normal in the resulting Trojan scan result should be stored.
Scan module 108, for the file to be scanned that the attribute information scanned with extract is corresponding.
In the present embodiment, scan module 108 trigger sweep engine scans the file to be scanned that attribute information there occurs change, judge whether there is trojan horse program in this file according to the scanning result obtained, if know that this file is designated normal condition according to scanning result, it is safe file, then the attribute information of correspondence is stored, for the comparison treating scanning document when scanning next time.
File removes module 110, for removing file to be scanned from the file to be scanned obtained.
In the present embodiment, the file to be scanned got is that user selects to determine, but, in the file scan process of reality, because last time scanning has determined this file to be scanned, normal condition is in for the file to be scanned do not changed, therefore do not need to carry out wooden horse scanning to it again, namely, any change is there is not when determining file to be scanned, when not needing again to scan, file removes module 110 and removes this file to be scanned from enumerating queue, to reduce the quantity of file to be scanned, and then reduces unnecessary resource cost.
In another embodiment, as shown in Figure 5, the Trojan scanning system described above further comprises result acquisition module 112 and extraction module 114.
Result acquisition module 112 is used to obtain the Trojan scan result.
In the present embodiment, the Trojan scan result is obtained after the Trojan scan is completed. It records the file name and status flag of every file that went through the scan, so the scan result shows which files are marked as normal and which are marked as dangerous.
Extraction module 114 is used to extract the files marked as normal from the Trojan scan result.
Data obtaining module 104 is also used to obtain, one by one, the attribute information corresponding to each file marked as normal, and to store it.
In the present embodiment, after obtaining the attribute information corresponding to each file marked as normal, data obtaining module 104 stores this attribute information for comparison during the file scanning process. In a preferred embodiment, a cache mechanism provides higher performance for file scanning: data obtaining module 104 caches the attribute information corresponding to each file marked as normal, achieving fast data lookup and file scanning with low resource consumption.
In another embodiment, the attribute information is a property value that uniquely identifies the corresponding attribute information, and, as shown in Figure 6, the Trojan scanning system described above further comprises property value computing module 116.
Property value computing module 116 is used to compute, from the extracted attribute information, the property value corresponding to the file to be scanned, and to compute, from the attribute information of an obtained file, the property value corresponding to that obtained file.
In the present embodiment, storing the attribute information itself may take considerable storage space. To avoid storing too much information and to reduce the space used, property value computing module 116 performs an encryption computation on the attribute information to obtain the property value. Whether the corresponding attribute information has changed is judged by whether the property value has changed; the property value can be any one of an MD5 value, a CRC value and a hash value.
In another embodiment, as shown in Figure 7, the Trojan scanning system described above further comprises digest value computing module 118 and relation establishing module 120.
Digest value computing module 118 is used to extract the file path name of the file to be scanned from the extracted attribute information, and to compute, from that file path name, the information digest value corresponding to the file to be scanned.
In the present embodiment, to speed up comparison, digest value computing module 118 looks up the stored attribute information according to the file path name of the file to be scanned. Since the attribute information is a property value, the file path name is likewise put through the encryption computation to obtain the corresponding information digest value, so that the property value and the information digest value correspond to each other; for example, if the property value is a hash value, the information digest value is also in the form of a hash value.
Digest value computing module 118 is also used to extract the file path name from the attribute information of an obtained file and to compute, from that file path name, the information digest value corresponding to the obtained file.
In the present embodiment, digest value computing module 118 extracts the file path name of the file from the attribute information of the obtained file, and then performs the encryption computation on that file path name to obtain the information digest value.
Relation establishing module 120 is used to establish the correspondence between the information digest value and the property value corresponding to the obtained file, using the information digest value corresponding to the obtained file as the index, and to store that correspondence.
In the present embodiment, to speed up queries during processing, the property values are stored indexed by information digest value. Because multiple files may exist under one file path, one information digest value may correspond to multiple property values in the correspondence between information digest values and the property values of the obtained files.
In one particular embodiment, as shown in Figure 8, comparing module 106 comprises query unit 1062, property value query unit 1064 and judging unit 1068.
Query unit 1062 is used to query the stored information digest values for the one identical to the information digest value corresponding to the file to be scanned.
In the present embodiment, query unit 1062 queries the multiple stored information digest values to obtain, from among them, those information digest values identical to the information digest value of the file to be scanned. During the query, to obtain the relevant property values, the lookup over the large body of stored data uses the information digest value as the index. The information digest value is obtained by the encryption computation on the file path name and is the unique identifier of that file path name; because multiple files may exist under one file path, a given information digest value may correspond to the property values of multiple files.
Property value query unit 1064 is used to obtain, from the stored correspondence, the stored property values that have a correspondence with the queried information digest value.
In the present embodiment, since the information digest value and the corresponding property value of each file have been stored in advance, together with the correspondence between them, property value query unit 1064 can find the property value of the file through the information digest value.
After an information digest value identical to the one corresponding to the file to be scanned has been found among the stored information digest values, property value query unit 1064 obtains one or more stored property values according to the stored correspondence.
Judging unit 1066 is used to judge whether the property value corresponding to the file to be scanned is identical to a stored property value; if not, it notifies scan module 108, and if so, it notifies file removal module 110.
In the present embodiment, judging unit 350 judges whether the property value corresponding to the file to be scanned has changed. When the property value corresponding to the file to be scanned is determined to be identical to the stored property value, the property value has not changed, so neither the attribute information nor the file itself has changed; the file can therefore be confirmed as a safe file marked as normal and does not need to be scanned again. When the property value corresponding to the file to be scanned is determined not to be identical to the stored property value, the property value has changed, so the file may have been modified by a Trojan program and should be scanned.
In the Trojan scanning method and system described above, when the attribute information of a file to be scanned is not identical to the pre-stored attribute information, a security scan is performed on that file to judge whether it is marked as normal. Only files whose attribute information differs from the pre-stored attribute information are security-scanned; since a file whose attribute information is identical to the pre-stored attribute information is very likely unmodified, the number of files that undergo the security scan is greatly reduced, which lowers the resource cost, still ensures the security of the files, and increases file scanning speed.
In the Trojan scanning method and system described above, the attribute information is a property value computed from the attribute information. Compared with the attribute information, which carries a large amount of information, the property value is a single string of characters, which avoids the problem of excessive stored data and reduces the resources used.
In the Trojan scanning method and system described above, for each file marked as normal in the Trojan scan result, the corresponding information digest value is computed from the file path name in its attribute information, and the correspondence between information digest value and property value is established with the information digest value as the index. This effectively improves the speed of querying and comparing the stored property values, and thereby the file scanning speed.
The embodiments above express only several embodiments of the present invention, and their description is relatively specific and detailed, but they should not therefore be interpreted as limiting the scope of the claims of the present invention. It should be pointed out that a person of ordinary skill in the art can make further variations and improvements without departing from the inventive concept, and these all belong to the protection scope of the present invention. Therefore, the protection scope of the present patent shall be defined by the appended claims.
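The attribute-caching pipeline of modules 104 to 120 and units 1062 to 1066 above, as an added example that is not the patent's own code: attribute fields hashed into a property value, property values indexed by a digest of the path name, the skip-or-scan decision, and storage of normal results; it also carries through the description's remark that timestamps-only attribute information can be defeated by resetting timestamps. File paths, timestamps, file ids, contents and the stand-in engine are all constructed; SHA-256 stands in for the MD5/CRC/hash options named in the text.

```python
import hashlib
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class FileAttrs:
    """Attribute information of one file: the five fields the patent names."""
    path: str
    ctime: int    # file creation time
    mtime: int    # file modification time
    size: int
    file_id: int  # file identification number assigned by the OS (inode / NTFS file index)


def property_value(a: FileAttrs) -> str:
    """Property value over all five fields (patent allows MD5/CRC/hash; SHA-256 here)."""
    blob = "\0".join(map(str, (a.path, a.ctime, a.mtime, a.size, a.file_id))).encode()
    return hashlib.sha256(blob).hexdigest()


def property_value_times_only(a: FileAttrs) -> str:
    """Reduced variant from the description: creation time, modification time, size."""
    blob = "\0".join(map(str, (a.ctime, a.mtime, a.size))).encode()
    return hashlib.sha256(blob).hexdigest()


def digest_value(path: str) -> str:
    """Information digest value: hash of the file path name, used as the index key."""
    return hashlib.sha256(path.encode()).hexdigest()


class ScanCache:
    """Correspondence: digest value -> property values of files marked normal.
    One path digest may map to several property values, as the description allows."""

    def __init__(self, prop_fn: Callable[[FileAttrs], str] = property_value):
        self.prop_fn = prop_fn
        self.index: Dict[str, Set[str]] = {}

    def is_known_normal(self, a: FileAttrs) -> bool:
        # query unit (find the digest), property value query unit (fetch values), judging unit
        return self.prop_fn(a) in self.index.get(digest_value(a.path), set())

    def remember_normal(self, a: FileAttrs) -> None:
        self.index.setdefault(digest_value(a.path), set()).add(self.prop_fn(a))


def scan_files(files: List[FileAttrs], cache: ScanCache,
               engine: Callable[[FileAttrs], bool]) -> Dict[str, List[str]]:
    """One scan pass. engine(a) returns True when the engine finds a Trojan in the file."""
    out: Dict[str, List[str]] = {"skipped": [], "scanned": [], "dangerous": []}
    for a in files:
        if cache.is_known_normal(a):
            out["skipped"].append(a.path)      # unchanged since last scan: drop from queue
            continue
        out["scanned"].append(a.path)
        if engine(a):
            out["dangerous"].append(a.path)
        else:
            cache.remember_normal(a)           # normal result: store its attribute information
    return out


# Constructed stand-in for the scanning engine: a file counts as dangerous when its
# constructed content carries the marker b"TROJAN". A real engine analyses the content.
CONTENT: Dict[str, bytes] = {}


def fake_engine(a: FileAttrs) -> bool:
    return b"TROJAN" in CONTENT.get(a.path, b"")


def demo():
    """Two scan passes, once with a full-attribute cache and once with a timestamps-only cache."""
    files = [FileAttrs("C:/app/a.exe", 100, 100, 2048, 11),   # constructed sample files
             FileAttrs("C:/app/b.dll", 100, 120, 512, 12)]
    CONTENT.update({"C:/app/a.exe": b"clean", "C:/app/b.dll": b"clean"})
    full, weak = ScanCache(property_value), ScanCache(property_value_times_only)
    first_full = scan_files(files, full, fake_engine)   # first scan: nothing cached yet
    first_weak = scan_files(files, weak, fake_engine)
    # Between scans a.exe is replaced by a payload padded to the same size with the
    # timestamps reset; the replacement file nevertheless receives a new OS file id.
    CONTENT["C:/app/a.exe"] = b"TROJAN" + b"\0" * 2042
    tampered = [replace(files[0], file_id=57), files[1]]
    second_full = scan_files(tampered, full, fake_engine)   # a.exe rescanned and flagged
    second_weak = scan_files(tampered, weak, fake_engine)   # a.exe wrongly skipped
    return first_full, first_weak, second_full, second_weak


if __name__ == "__main__":
    for label, r in zip(("first/full", "first/times", "second/full", "second/times"), demo()):
        print(label, r)
```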

Claims (10)

1. A Trojan scanning method, comprising the steps of:
obtaining files to be scanned;
extracting the attribute information of each file to be scanned, one by one, from the obtained files to be scanned, the extracted attribute information comprising the file path name, file creation time, file modification time, file size and the file identification number assigned by the operating system;
computing, from the extracted attribute information, the property value corresponding to the file to be scanned;
extracting the file path name of the file to be scanned from the extracted attribute information, and computing, from the file path name, the information digest value corresponding to the file to be scanned;
querying the stored information digest values for the one identical to the information digest value corresponding to the file to be scanned;
obtaining, from the correspondence between the stored information digest values and property values, the stored property value that has a correspondence with the queried information digest value;
judging whether the property value corresponding to the file to be scanned is identical to the stored property value; if so, removing the file to be scanned corresponding to the extracted property value from said obtained files to be scanned; if not, scanning the file to be scanned corresponding to said extracted property value;
wherein said stored property value is the property value corresponding to a file marked as normal in the last Trojan scan result.
2. The Trojan scanning method according to claim 1, characterized in that, before the step of judging whether the property value corresponding to the file to be scanned is identical to the stored property value, the method further comprises:
obtaining a Trojan scan result;
extracting the files marked as normal from said Trojan scan result;
obtaining, one by one, the attribute information corresponding to said files marked as normal, and storing it.
3. The Trojan scanning method according to claim 2, characterized in that said storing step is:
caching the attribute information corresponding to each file marked as normal.
4. The Trojan scanning method according to claim 2, characterized in that, after the step of computing the property value corresponding to the file to be scanned from the extracted attribute information, the method further comprises:
computing, from the attribute information of the extracted file, the property value corresponding to the extracted file.
5. The Trojan scanning method according to claim 4, characterized in that, after the step of computing the property value corresponding to the extracted file from the attribute information of the extracted file, the method further comprises:
extracting the file path name from the attribute information of said extracted file, and computing, from said file path name, the information digest value corresponding to said extracted file;
establishing, with the information digest value corresponding to said extracted file as the index, the correspondence between said information digest value and the property value corresponding to said extracted file, and storing said correspondence.
6. A Trojan scanning system, characterized in that it comprises: a file enumeration module, a data obtaining module, a property value computing module, a digest value computing module, a comparing module, a file removal module and a scan module;
said file enumeration module is used to obtain files to be scanned;
said data obtaining module is used to extract the attribute information of each file to be scanned, one by one, from the obtained files to be scanned, the extracted attribute information comprising the file path name, file creation time, file modification time, file size and the file identification number assigned by the operating system;
said property value computing module is used to compute, from the extracted attribute information, the property value corresponding to the file to be scanned;
said digest value computing module is used to extract the file path name of the file to be scanned from the extracted attribute information, and to compute, from the file path name, the information digest value corresponding to the file to be scanned;
said comparing module comprises:
a query unit, used to query the stored information digest values for the one identical to the information digest value corresponding to the file to be scanned;
a property value comparing unit, used to obtain, from the correspondence between the stored information digest values and property values, the stored property value that has a correspondence with the queried information digest value;
a judging unit, used to judge whether the property value corresponding to the file to be scanned is identical to the stored property value, and if not, to notify said scan module, and if so, to notify said file removal module;
said file removal module is used, when the property value corresponding to the file to be scanned is determined to be identical to the stored property value, to remove the file to be scanned corresponding to said extracted attribute information from said obtained files to be scanned;
said scan module is used to scan the file to be scanned corresponding to said extracted property value;
wherein said stored property value is the property value corresponding to a file marked as normal in the last Trojan scan result.
7. The Trojan scanning system according to claim 6, characterized in that it further comprises:
a result acquisition module, used to obtain a Trojan scan result;
an extraction module, used to extract the files marked as normal from the Trojan scan result;
and said data obtaining module is also used to obtain, one by one, the attribute information corresponding to said files marked as normal, and to store it.
8. The Trojan scanning system according to claim 7, characterized in that said data obtaining module is also used to cache the attribute information corresponding to each file marked as normal.
9. The Trojan scanning system according to claim 7, characterized in that said property value computing module is also used to compute, from the attribute information of the extracted file, the property value corresponding to the extracted file.
10. The Trojan scanning system according to claim 9, characterized in that said digest value computing module is also used to extract the file path name from the attribute information of said extracted file, and to compute, from said file path name, the information digest value corresponding to said extracted file;
and said system further comprises:
a relation establishing module, used to establish, with the information digest value corresponding to said extracted file as the index, the correspondence between said information digest value and the property value corresponding to said extracted file, and to store said correspondence.
CN201110283980.7A 2011-09-22 2011-09-22 Wooden horse scan method and system Active CN103020521B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110283980.7A CN103020521B (en) 2011-09-22 2011-09-22 Wooden horse scan method and system

Publications (2)

Publication Number Publication Date
CN103020521A CN103020521A (en) 2013-04-03
CN103020521B true CN103020521B (en) 2015-10-21

Family

ID=47969117
