CN103136477B - Method and system for scanning file samples - Google Patents
- Publication number: CN103136477B
- Authority: CN (China)
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention discloses a method and system for scanning file samples. The method comprises: for the gray file samples among the file samples, selecting gray file samples to be scanned from the stored gray file samples according to a preset policy; selecting the scanners to be used for scanning the gray file samples according to each scanner's update record and/or the scanner's scan record; and scanning the gray file samples to be scanned with the selected scanners and storing the scan results, so that the scan result can be returned when a request asking whether a file sample is safe is received. A gray file sample is a file sample whose safety is unknown. The invention saves resources on the equipment that performs the scanning, improves scanning efficiency, and increases scanning speed.
Description
Technical field
The present invention relates to the field of computer network security, and in particular to a method and system for scanning file samples.
Background
In the network security field, virus files usually need to be detected and removed. "Virus file" is a general term for any application file intentionally created to perform unauthorized and usually harmful actions. Examples include computer viruses, backdoor programs, keyloggers, password stealers, Word and Excel macro viruses, boot-sector viruses, script viruses, Trojans, and so on.
In the prior art, virus file detection relies on a signature-database model. The signature database consists of the signatures of virus file samples collected by the vendor. A signature is obtained when an analysis engineer finds where a virus file differs from normal files and extracts a segment of file code that acts like a "keyword"; this segment of file code is the signature. During detection, the engine reads a file and matches it against all signatures in the database; if the file code hits a signature, the file is judged to be a virus file.
However, the number of virus files is now growing geometrically. Given this explosive growth, the generation and updating of signature databases often lags behind, and in many cases a detection engine working independently on the endpoint cannot detect unknown virus files.
Active defense methods were therefore developed in the prior art. Active defense analyzes and judges independently on the basis of file behavior and performs real-time detection and removal. It does not use signatures as the basis for identifying virus files; instead it starts from the original definition of a file and uses file behavior directly as the basis for the judgment. Approaches derived from this include using a signature database locally, setting behavior thresholds locally, and local heuristic antivirus scanning to identify and block the behavior of virus files, thereby protecting the endpoint to a certain extent.
However, local active defense also has problems that need solving. First, virus files can easily evade local active defense. For example, packing a virus file can evade the signature-database mode of local active defense, and reducing or replacing the relevant behaviors that the virus file performs can keep it from reaching the trigger limit of the behavior-threshold mode. In addition, local active defense depends on timely updates to the local database; if the database is not updated in time, virus files go undetected.
To address these problems, the prior art also includes cloud-security-based active defense methods, which do not rely on a local database and move the analysis and comparison operations of active defense to the server side.
However, cloud-security active defense typically involves more than a hundred million file samples to be checked. The signature database of each scanner that checks file samples may be configured by dedicated analysts, so checked file samples may have been missed (false negatives) or wrongly reported (false positives). Because the signature databases are continuously upgraded, rescanning file samples can make up for earlier false negatives and repair earlier false positives. But if every file sample is scanned again on each pass, a large amount of server-side resources is consumed.
Summary of the invention
In view of the above problems, the present invention proposes a method and system for scanning file samples, to overcome the problem of excessive resource consumption during file scanning.
According to one aspect of the present invention, a method for scanning file samples is provided, the method comprising:
For the gray file samples among the file samples, selecting gray file samples to be scanned from the stored gray file samples according to a preset policy;
Selecting the scanners to be used for scanning the gray file samples according to each scanner's update record and/or the scanner's scan record;
Scanning the gray file samples to be scanned with the selected scanners and storing the scan results, so that the scan result can be returned when a request asking whether a file sample is safe is received;
A gray file sample is a file sample whose safety is unknown.
Wherein, selecting gray file samples to be scanned from the stored gray file samples according to the preset policy specifically comprises:
Deriving the false-negative rate of a gray file sample from the attributes of the gray file sample, and selecting gray file samples to be scanned from the stored gray file samples according to the false-negative rate.
Wherein, the method further comprises:
For the dangerous file samples among the file samples, determining the scanners that reported the dangerous file sample as a virus file, a dangerous file sample being a file sample that a scanner has reported as a virus file;
Rescanning the dangerous file sample with the scanners that reported it as a virus file; if the scan result is that the dangerous file sample is no longer a virus file, determining that the dangerous file sample was falsely reported as a virus file, and performing a false-positive removal operation on it.
Wherein, after determining the scanners that reported the dangerous file sample as a virus file, the method further comprises:
Deriving the false-positive rate of the dangerous file sample from the determined scanners, and establishing a correspondence between the number of scanners and the false-positive rate;
Selecting dangerous file samples to be scanned from the stored dangerous file samples according to the false-positive rate;
Rescanning the dangerous file sample with the scanners that reported it as a virus file specifically comprises:
For each dangerous file sample to be scanned, rescanning that sample with the scanners that reported it as a virus file.
Wherein, the method further comprises:
When a request asking whether a file sample is safe is received, recording the received request in a log;
According to the records in the log, extracting the file samples whose number of queries within a preset time exceeds a preset popularity threshold; the extracted file samples are active file samples.
Wherein, deriving the false-negative rate of a gray file sample from the attributes of the gray file sample specifically comprises:
Extracting the gray file samples from the active file samples, and deriving the false-negative rate of each extracted gray file sample from its attributes;
Selecting gray file samples to be scanned from the stored gray file samples according to the false-negative rate specifically comprises:
From the extracted gray file samples, selecting those whose false-negative rate exceeds a preset false-negative-rate threshold; the selected gray file samples are the gray file samples to be scanned.
Wherein, determining the scanners that reported the dangerous file sample as a virus file specifically comprises:
Extracting the dangerous file samples from the active file samples, and determining the scanners that reported each extracted dangerous file sample as a virus file;
Selecting dangerous file samples to be scanned from the stored dangerous file samples according to the false-positive rate specifically comprises:
From the extracted dangerous file samples, selecting those whose false-positive rate exceeds a preset false-positive-rate threshold; the selected dangerous file samples are the dangerous file samples to be scanned.
Wherein, deriving the false-negative rate of a gray file sample from the attributes of the gray file sample specifically comprises:
Calculating the probability that the gray file sample may be a virus file from statistics gathered on the features of virus files together with the attributes of the gray file sample, and using this probability as a parameter for calculating the false-negative rate of the gray file sample.
Wherein, calculating the probability that the gray file sample may be a virus file from statistics gathered on the features of virus files together with the attributes of the gray file sample specifically comprises:
Calculating the probability that the gray file sample may be a virus file from statistics gathered on the size of virus files together with the size of the gray file sample;
And/or,
Calculating the probability that the gray file sample may be a virus file from statistics gathered on the paths of virus files together with the path of the gray file sample;
And/or,
Calculating the probability that the gray file sample may be a virus file from a list of dangerous operation behaviors, obtained from statistics on the operation behaviors of virus files, together with the operation behaviors of the gray file sample.
Wherein, selecting the scanners for scanning the gray file samples according to each scanner's scan record specifically comprises:
For each scanner and each gray file sample to be scanned, calculating the scan interval of that gray file sample for that scanner from the number of times the scanner has scanned the sample;
Selecting the scanners for scanning the gray file sample according to the scan interval.
Wherein, selecting the scanners for scanning the gray file samples according to each scanner's update record specifically comprises:
Selecting, from the scanners and according to the update records, the scanners that have been updated since the last scan.
Wherein, before deriving the false-negative rate of a gray file sample from the attributes of the gray file sample, the method further comprises:
Judging whether the first-discovery time of the gray file sample is earlier than a preset time threshold; if so, determining that the false-negative rate of the gray file sample is 0; if not, performing the operation of deriving the false-negative rate of the gray file sample from its attributes.
According to another aspect of the present invention, a system for scanning file samples is disclosed, the system comprising: a sample storage device, a detection engine, a scan scheduling device, and a sample scanning device comprising multiple scanners;
The sample storage device is adapted to store file samples;
The scan scheduling device is adapted, for the gray file samples among the file samples, to select gray file samples to be scanned from the gray file samples stored in the sample storage device according to a preset policy, and to select the scanners for scanning the gray file samples according to each scanner's update record and/or the scanner's scan record;
The sample scanning device is adapted to obtain the gray file samples to be scanned from the sample storage device, to scan them with the scanners selected by the scan scheduling device, and to store the scan results in the detection engine;
The detection engine is adapted to store the scan results of the file samples and, when a request asking whether a file sample is safe is received, to return the scan result;
A gray file sample is a file sample whose safety is unknown.
Wherein, the scan scheduling device is specifically adapted to derive the false-negative rate of a gray file sample from the attributes of the gray file sample, and to select gray file samples to be scanned from the stored gray file samples according to the false-negative rate.
Wherein, the scan scheduling device is further adapted, for the dangerous file samples among the file samples, to determine the scanners that reported the dangerous file sample as a virus file, a dangerous file sample being a file sample that a scanner has reported as a virus file;
The sample scanning device is further adapted to obtain the dangerous file samples from the sample storage device and to rescan them with the scanners determined by the scan scheduling device; if the scan result is that a dangerous file sample is no longer a virus file, the device determines that the dangerous file sample was falsely reported as a virus file and performs a false-positive removal operation on it.
Wherein, the scan scheduling device is further adapted, after determining the scanners that reported the dangerous file sample as a virus file, to derive the false-positive rate of the dangerous file sample from the determined scanners, to establish a correspondence between the number of scanners and the false-positive rate, and to select dangerous file samples to be scanned from the dangerous file samples stored in the sample storage device according to the false-positive rate;
The sample scanning device is specifically adapted, for each dangerous file sample to be scanned, to rescan that sample with the scanners that reported it as a virus file.
Wherein, the detection engine is further adapted, when a request asking whether a file sample is safe is received, to record the received request in a log;
The scan scheduling device is further adapted to extract, according to the records in the log, the file samples whose number of queries within a preset time exceeds a preset popularity threshold; the extracted file samples are active file samples.
Wherein, the scan scheduling device is specifically adapted to extract the gray file samples from the active file samples, to derive the false-negative rate of each extracted gray file sample from its attributes, and to select from the extracted gray file samples those whose false-negative rate exceeds a preset false-negative-rate threshold; the selected gray file samples are the gray file samples to be scanned.
Wherein, the scan scheduling device is specifically adapted to extract the dangerous file samples from the active file samples, to determine the scanners that reported each extracted dangerous file sample as a virus file, to derive the false-positive rate of each extracted dangerous file sample from the determined scanners, and to select from the extracted dangerous file samples those whose false-positive rate exceeds a preset false-positive-rate threshold; the selected dangerous file samples are the dangerous file samples to be scanned.
Wherein, the scan scheduling device is specifically adapted to calculate the probability that the gray file sample may be a virus file from statistics gathered on the features of virus files together with the attributes of the gray file sample, and to use this probability as a parameter for calculating the false-negative rate of the gray file sample.
Wherein, the scan scheduling device is specifically adapted to calculate the probability that the gray file sample may be a virus file from statistics gathered on the size of virus files together with the size of the gray file sample;
And/or,
To calculate the probability that the gray file sample may be a virus file from statistics gathered on the paths of virus files together with the path of the gray file sample;
And/or,
To calculate the probability that the gray file sample may be a virus file from a list of dangerous operation behaviors, obtained from statistics on the operation behaviors of virus files, together with the operation behaviors of the gray file sample.
Wherein, the scan scheduling device is specifically adapted, for each scanner and each gray file sample to be scanned, to calculate the scan interval of that gray file sample for that scanner from the number of times the scanner has scanned the sample, and to select the scanners for scanning the gray file sample according to the scan interval.
Wherein, the scan scheduling device is specifically adapted to select, from the scanners and according to the update records, the scanners that have been updated since the last scan.
Wherein, the scan scheduling device is further adapted, before deriving the false-negative rate of a gray file sample from its attributes, to judge whether the first-discovery time of the gray file sample is earlier than a preset time threshold; if so, it determines that the false-negative rate of the gray file sample is 0; if not, it performs the operation of deriving the false-negative rate of the gray file sample from its attributes.
According to the technical solution of the present invention for scanning file samples, when the gray file samples among the file samples are scanned, the gray file samples to be scanned are selected from the stored gray file samples according to a preset policy; the scanners for scanning the gray file samples are selected according to each scanner's update record and/or the scanner's scan record; and the selected scanners are used to scan the gray file samples to be scanned and the scan results are stored, so that the scan result can be returned when a request asking whether a file sample is safe is received.
Because the gray file samples are selected according to a preset policy and the scanners are selected according to their update records and/or scan records, the scanning workload is reduced while false negatives can still be made up for. This solves the problem that all file samples need to be scanned on each pass, which consumes a large amount of resources, and achieves the beneficial effects of saving resources on the equipment that performs the scanning, improving scanning efficiency, and increasing scanning speed.
The above is only an overview of the technical solution of the present invention. So that the technical means of the invention can be understood more clearly and implemented in accordance with the specification, and so that the above and other objects, features and advantages of the invention are more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art on reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the invention. Throughout the drawings, the same reference symbols denote the same parts. In the drawings:
Fig. 1 shows a structural diagram of a system for scanning file samples according to an embodiment of the invention;
Fig. 2 shows a flowchart of a method for scanning file samples according to an embodiment of the invention;
Fig. 3 shows a flowchart of selecting gray file samples according to the false-negative rate according to an embodiment of the invention;
Fig. 4 shows a flowchart of scanning dangerous file samples in the method for scanning file samples according to an embodiment of the invention;
Fig. 5 shows a flowchart of scanning gray file samples in the method for scanning file samples according to an embodiment of the invention;
Fig. 6 shows a flowchart of scanning dangerous file samples in the method for scanning file samples according to an embodiment of the invention.
Detailed description
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure can be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and so that its scope can be fully conveyed to those skilled in the art.
Referring to Fig. 1, a system for scanning file samples according to an embodiment of the invention is shown. The system comprises: a sample storage device 100, a detection engine 200, a scan scheduling device 300, and a sample scanning device 400 comprising multiple scanners. The devices of the system may all be located in the same physical equipment, or may be located in different physical equipment.
The sample storage device 100 is adapted to store file samples.
The scan scheduling device 300 is adapted, for the gray file samples among the file samples, to select gray file samples to be scanned from the gray file samples stored in the sample storage device 100 according to a preset policy, and to select the scanners for scanning the gray file samples according to each scanner's update record and/or the scanner's scan record. A scanner may be an antivirus application for checking the safety of file samples, for example BitDefender (an antivirus application from Romania), the antivirus application provided by QVM (Qihoo Support Vector Machine), a cloud antivirus engine, and so on. A gray file sample is a file sample whose safety is unknown.
Specifically, the scan scheduling device 300 derives the false-negative rate of a gray file sample from the attributes of the gray file sample, and selects gray file samples to be scanned from the stored gray file samples according to the false-negative rate.
For example, the scan scheduling device 300 calculates the probability that the gray file sample may be a virus file from statistics gathered on the features of virus files together with the attributes of the gray file sample, and uses this probability as a parameter for calculating the false-negative rate of the gray file sample.
For example, the scan scheduling device 300 gathers statistics on the size, path and/or behavior of virus files, and derives from the statistics the probability that a file sample may be a virus file.
The scan scheduling device 300 calculates the probability that the gray file sample may be a virus file from statistics gathered on the size of virus files together with the size of the gray file sample.
Virus files are usually small so that they can spread. Statistics are gathered on virus files, for example using Hadoop (a distributed computing platform), to obtain a curve relating file size to virus-report rate; the probability that a gray file sample may be a virus file is obtained from this curve.
If the probability derived from the gray file sample's size is the only parameter used to calculate the false-negative rate, this probability is taken as the false-negative rate, and the gray file samples whose false-negative rate exceeds the preset false-negative-rate threshold are selected as the gray file samples to be scanned. For example, if the false-negative-rate threshold is 0.001% and the virus-report rate for file samples of 10M or more is 0.001%, then the gray file samples smaller than 10M are selected as the gray file samples to be scanned.
The scan scheduling device 300 calculates the probability that the gray file sample may be a virus file from statistics gathered on the paths of virus files together with the path of the gray file sample.
Offline statistics on the paths of virus files, gathered for example using Hadoop (a distributed computing platform), give a curve relating file path to virus-report rate; the probability that a gray file sample may be a virus file is obtained from this curve.
If the probability derived from the gray file sample's path is the only parameter used to calculate the false-negative rate, this probability is taken as the false-negative rate, and the gray file samples whose false-negative rate exceeds the preset false-negative-rate threshold are selected as the gray file samples to be scanned.
The scan scheduling device 300 calculates the probability that the gray file sample may be a virus file from a list of dangerous operation behaviors, obtained from statistics on the operation behaviors of virus files, together with the operation behaviors of the gray file sample.
The list of dangerous operation behaviors may include one or more of the following operation behaviors:
Writing registry entries for automatic loading;
Modifying the registry;
Modifying system files;
Modifying specified application files;
Cross-process injection;
Terminating processes;
Modifying web page content in the browser; and
Recording keyboard input.
The probability that the gray file sample may be a virus file is calculated from the number of dangerous operation behaviors that the gray file sample triggers. The more dangerous operation behaviors are triggered, the higher the probability that the gray file sample is a virus file. For example, the number of dangerous operation behaviors triggered by the gray file sample is divided by the total number of dangerous operation behaviors in the list, giving the probability that the gray file sample may be a virus file.
If the probability derived from the number of dangerous operation behaviors triggered by the gray file sample is the only parameter used to calculate the false-negative rate, this probability is taken as the false-negative rate, and the gray file samples whose false-negative rate exceeds the preset false-negative-rate threshold are selected as the gray file samples to be scanned.
If several of the above probabilities are used as parameters for calculating the false-negative rate, a weight can be set for each parameter, and the weighted sum of the parameters gives the false-negative rate of the gray file sample.
Wherein, when selecting assessor, assessor for scanning grey paper sample can be chosen according to the scanning record of each assessor.
Scan schedule device 300 is for each assessor, each grey paper sample to be scanned, the number of times of this grey paper sample is scanned according to this assessor, calculating the sweep spacing that this grey paper sample corresponds to this assessor, choosing the assessor for scanning grey paper sample according to sweep spacing.Wherein, sweep spacing is longer more at most for the number of times of scanning.Such as, formula T=(logN) × 1.5+1 is adopted to calculate sweep spacing.N is the number of times that certain assessor scans the scanning of certain grey paper sample, and T is the sweep spacing that this grey paper sample corresponds to this assessor.
Wherein, when selecting assessor, assessor for scanning grey paper sample can be chosen according to the more new record of each assessor.Scan schedule device 300 carried out the assessor upgraded be chosen at last scan from each assessor after according to more new record.
Also passable, choose the assessor for scanning grey paper sample according to the more new record of each assessor and the scanning record of assessor.Such as, carried out the assessor upgraded after being first chosen at last scan, then from the assessor that this is chosen, chose assessor by sweep spacing again.
Scan sample device 400, is suitable for obtaining grey paper sample to be scanned from sample storage device 100, the grey paper sample to be scanned that the assessor scanning using scan schedule device 300 to choose obtains, and scanning result is stored into killing engine 200.
Killing engine 200, is suitable for the scanning result of storing sample file, and when receiving the request of inquiry file sample whether safety, returns scanning result.
The present embodiment is while guarantee makes up and fails to report, decrease the workload of scanning, solve thus and need paper sample all to scan when scanning, cause the problem that consumption of natural resource amount is large, achieve the resource of saving and carrying out the equipment scanned, add fast scan speed, the beneficial effect of scan efficiency is provided.
In a preferred embodiment, scan schedule device 300 is further adapted, before obtaining the rate of failing to report of a grey paper sample from its attributes, to judge whether the first-discovery time of the grey paper sample is earlier than a preset time threshold. If so, the rate of failing to report of this grey paper sample is taken to be 0; if not, the above operation of obtaining the rate of failing to report from the attributes of the grey paper sample is carried out.
The earlier a grey paper sample was first discovered, the less likely it is to have been missed. When the first-discovery time is earlier than the preset time threshold, the grey paper sample is no longer scanned, which further reduces unnecessary scan operations, saves the resources used for scanning paper samples and improves scan efficiency.
In another embodiment of the present invention, the dangerous paper samples among the paper samples are scanned. A dangerous paper sample is a paper sample that an assessor has reported as a virus file. A dangerous paper sample is rescanned with the assessors that reported it as a virus file; if, after scanning, all of those assessors determine that the dangerous paper sample is not a virus file, a false-alarm removal operation is performed on it. The technical scheme of this embodiment is as follows.
Sample storage device 100 is adapted to store paper samples.
Scan schedule device 300 is further adapted to determine, for a dangerous paper sample among the paper samples, the assessors that reported the dangerous paper sample as a virus file.
Scan sample device 400 is further adapted to obtain the dangerous paper sample from sample storage device 100 and rescan it with the assessors determined by scan schedule device 300. If the scanning result is that the dangerous paper sample is no longer a virus file, the dangerous paper sample is determined to have been falsely reported, and a false-alarm removal operation is performed on it.
The false-alarm removal operation can delete the record that the paper sample is a virus file, or update the record of the paper sample from dangerous paper sample to grey paper sample or white paper sample. A white paper sample is a paper sample determined to be non-hazardous.
Killing engine 200 is adapted to store the scanning results of paper samples and, on receiving a request asking whether a paper sample is safe, to return the scanning result.
In this embodiment, a dangerous paper sample is scanned only with the assessors that reported it as a virus file, so scan operations are reduced and scan efficiency is improved while false alarms are still corrected.
Further, the rate of false alarm of each dangerous paper sample is calculated, and the dangerous paper samples to scan are selected according to the rate of false alarm, which further reduces the number of dangerous paper samples scanned.
After determining the assessors that reported a dangerous paper sample as a virus file, scan schedule device 300 derives the rate of false alarm of the dangerous paper sample from the determined assessors, establishing a correspondence between the number of assessors and the rate of false alarm: the more assessors were determined, the lower the rate of false alarm of the dangerous paper sample.
Scan schedule device 300 also chooses the dangerous paper samples to be scanned, according to the rate of false alarm, from the dangerous paper samples stored in sample storage device 100.
For example, for the assessors that reported a dangerous paper sample as a virus file, an accuracy rate for this dangerous file can be set for each assessor; the accuracy rates are summed, and 1 minus the sum gives the rate of false alarm of the dangerous paper sample. The dangerous paper samples whose rate of false alarm is greater than a preset rate-of-false-alarm threshold are chosen as the dangerous paper samples to be scanned.
When setting the accuracy rate for a dangerous file, if an analyst has marked the file as a virus file, the accuracy rate is set directly to 1. For each assessor, the accuracy rate is set according to the degree of trust in this assessor and the number of times this assessor has scanned the dangerous file; the higher the scan count, the higher the accuracy rate. For example, if the degree of trust in antivirus engine A is high, then once the scan count of antivirus engine A exceeds a scan threshold, the accuracy rate of antivirus engine A for this dangerous file is determined to be 1.
Choosing dangerous paper samples according to the rate of false alarm thus further reduces unnecessary scan operations, saves the resources used for scanning paper samples and improves scan efficiency.
Further, from the determined assessors that reported the dangerous paper sample as a virus file, the assessors for scanning this dangerous paper sample are chosen according to the update records and/or the scanning records of the assessors.
Among the assessors that determined the dangerous paper sample to be a virus file, the assessors for scanning this dangerous paper sample can be chosen according to the scanning record of each assessor.
For each determined assessor and each dangerous paper sample to be scanned, scan schedule device 300 calculates, from the number of times this assessor has scanned this dangerous paper sample, the scan interval of this dangerous paper sample for this assessor, and chooses the assessors for scanning the dangerous paper sample according to the scan interval. The more times the sample has been scanned, the longer the scan interval. For example, the scan interval is calculated with the formula T = (log N) × 1.5 + 1, where N is the number of times a given assessor has scanned a given dangerous paper sample and T is the scan interval of this dangerous paper sample for this assessor.
Among the assessors that determined the dangerous paper sample to be a virus file, the assessors for scanning the dangerous paper sample can also be chosen according to the update record of each assessor: scan schedule device 300 uses the update records to choose, from those assessors, the ones that have been updated since the last scan.
Alternatively, the assessors for scanning the dangerous paper sample are chosen according to both the update record and the scanning record of each assessor. For example, among the assessors that determined the dangerous paper sample to be a virus file, the assessors that have been updated since the last scan are chosen first, and assessors are then chosen from among them by scan interval.
Choosing assessors according to their update records and/or scanning records thus further reduces unnecessary scan operations, saves the resources used for scanning paper samples and improves scan efficiency.
In another embodiment of the present invention, the query popularity (heat) of paper samples is counted, and paper samples are selected from the active paper samples with high popularity, which further reduces the number of paper samples scanned and improves scan efficiency.
Killing engine 200 is further adapted, on receiving a request asking whether a paper sample is safe, to record the received request in a log.
Scan schedule device 300 is further adapted to extract, according to the records in the log, the paper samples whose number of queries within a preset time is greater than a preset heat threshold; the extracted paper samples are the active paper samples. An active paper sample is a popular paper sample, one whose query frequency is greater than a predetermined threshold.
Thus, when grey paper samples are scanned, scan schedule device 300 extracts the grey paper samples from the active paper samples, derives the rate of failing to report of each extracted grey paper sample from its attributes, and chooses from the extracted grey paper samples those whose rate of failing to report is greater than a preset rate-of-failing-to-report threshold; the chosen grey paper samples are the grey paper samples to be scanned.
When dangerous paper samples are scanned, scan schedule device 300 extracts the dangerous paper samples from the active paper samples, determines the assessors that reported each extracted dangerous paper sample as a virus file, derives the rate of false alarm of the extracted dangerous paper sample from the determined assessors, and chooses from the extracted dangerous paper samples those whose rate of false alarm is greater than a preset rate-of-false-alarm threshold; the chosen dangerous paper samples are the dangerous paper samples to be scanned.
The scanning of grey paper samples is described below with a concrete example.
The paper sample scanning system comprises sample storage device 100, killing engine 200, scan schedule device 300, and scan sample device 400, which comprises multiple assessors. In this concrete example, the MD5 (Message Digest Algorithm 5) value of a paper sample is the identifier of the paper sample. Alternatively, a character string of 40 bytes in length formed from md5+sha1 can be used as the unique identifier of a paper sample, to avoid the identifier collisions that arise when md5 alone is the identifier, that is, when the md5 values calculated for two different paper samples are identical and the identifiers of the two paper samples collide. Scan schedule device 300 stores a paper sample information bank, which holds the attribute information and other relevant information of each paper sample: for example, for each paper sample, its size, path and operation behaviors, whether it is a dangerous paper sample or a grey paper sample and, when it is a dangerous paper sample, the assessors that reported it as a virus file.
Sample storage device 100 stores the paper samples.
Killing engine 200 stores the scanning results of the paper samples and, on receiving a request asking whether a paper sample is safe, returns the scanning result and records the received request in a log. The received request contains the MD5 value of the paper sample.
Scan schedule device 300 extracts, according to the records in the log, the paper samples whose number of queries within a preset time is greater than a preset heat threshold; the extracted paper samples are the active paper samples.
Scan schedule device 300 extracts the grey paper samples from the active paper samples, obtains the attributes of each grey paper sample from the paper sample information bank by its MD5 value, derives the rate of failing to report of the grey paper sample from the obtained attributes, and chooses from the extracted grey paper samples those whose derived rate of failing to report is greater than a preset rate-of-failing-to-report threshold; the chosen grey paper samples are the grey paper samples to be scanned.
Scan schedule device 300 chooses the assessors for scanning the grey paper samples according to the update record and the scanning record of each assessor.
Scan sample device 400 obtains the grey paper samples to be scanned from sample storage device 100, scans them with the assessors chosen by scan schedule device 300, and stores the scanning results in killing engine 200.
The scanning of dangerous paper samples is described below with a concrete example.
Sample storage device 100 stores the paper samples.
Killing engine 200 stores the scanning results of the paper samples and, on receiving a request asking whether a paper sample is safe, returns the scanning result and records the received request in a log. The received request contains the MD5 value of the paper sample.
Scan schedule device 300 extracts, according to the records in the log, the paper samples whose number of queries within a preset time is greater than a preset heat threshold; the extracted paper samples are the active paper samples.
Scan schedule device 300 extracts the dangerous paper samples from the active paper samples, reads the information in the information bank by the MD5 value of each dangerous paper sample, determines the assessors that reported the extracted dangerous paper sample as a virus file, derives the rate of false alarm of the extracted dangerous paper sample from the determined assessors, and chooses from the extracted dangerous paper samples those whose derived rate of false alarm is greater than a preset rate-of-false-alarm threshold; the chosen dangerous paper samples are the dangerous paper samples to be scanned.
For each dangerous paper sample to be scanned, scan schedule device 300 chooses, from the determined assessors that reported the dangerous paper sample as a virus file, the assessors for scanning this dangerous paper sample according to the update records and/or the scanning records of the assessors.
Scan sample device 400 obtains the dangerous paper samples to be scanned from sample storage device 100 and, for each dangerous paper sample to be scanned, rescans it with the assessors determined by scan schedule device 300. If the scanning result of every assessor is that the dangerous paper sample is no longer a virus file, the dangerous paper sample is determined to have been falsely reported as a virus file, and a false-alarm removal operation is performed on it.
The paper sample scanning system of the present invention has been described above. While making up for failures to report and correcting false alarms, the system reduces the scanning workload. It thereby solves the problem that scanning all paper samples consumes a large amount of resources, and achieves the beneficial effects of saving the resources of the scanning equipment, improving scan efficiency and increasing scanning speed.
Fig. 2 shows the scan method of paper samples according to an embodiment of the invention.
Step S210, for the grey paper samples among the paper samples, choose the grey paper samples to be scanned from the stored grey paper samples according to a preset strategy.
Specifically, in step S210, the rate of failing to report of each grey paper sample is obtained from the attributes of the grey paper sample, and the grey paper samples to be scanned are chosen from the stored grey paper samples according to the rate of failing to report. For example, from statistics gathered on the features of virus files and from the attributes of the grey paper sample, the probability that this grey paper sample is a virus file is calculated, and this probability is used as a parameter for calculating the rate of failing to report of this grey paper sample.
For example, statistics are gathered on the size, path and/or behavior of virus files, and the probability that a paper sample is a virus file is derived from the statistics.
From the statistics gathered on the size of virus files and from the size of the grey paper sample, the probability that this grey paper sample is a virus file is calculated.
Virus files are usually small so that they can spread. Statistics are gathered on virus files, for example using Hadoop (a distributed computing platform), to give a curve relating file size to the rate at which files are reported as viruses, and the probability that a grey paper sample is a virus file is obtained from the curve.
If the probability derived from the size of the grey paper sample is the only parameter for calculating the rate of failing to report, this probability is taken as the rate of failing to report, and the grey paper samples whose rate of failing to report is greater than the preset rate-of-failing-to-report threshold are selected as the grey paper samples to be scanned. For example, if the rate-of-failing-to-report threshold is 0.001% and the virus report rate of paper samples with a file size of 10M or more is 0.001%, the grey paper samples smaller than 10M are selected as the grey paper samples to be scanned.
From the statistics gathered on the path of virus files and from the path of the grey paper sample, the probability that this grey paper sample is a virus file is calculated.
Offline statistics on the paths of virus files, for example gathered using Hadoop (a distributed computing platform), give a curve relating file path to the rate at which files are reported as viruses, and the probability that a grey paper sample is a virus file is obtained from the curve.
If the probability derived from the path of the grey paper sample is the only parameter for calculating the rate of failing to report, this probability is taken as the rate of failing to report, and the grey paper samples whose rate of failing to report is greater than the preset rate-of-failing-to-report threshold are selected as the grey paper samples to be scanned.
From the risky operation behavior list drawn up from statistics on the operation behaviors of virus files, and from the operation behaviors of the grey paper sample, the probability that this grey paper sample is a virus file is calculated.
The risky operation behavior list can include one or more of the following operation behaviors:
Writing registry entries that load automatically;
Modifying the registry;
Modifying system files;
Modifying specified application files;
Injecting into running processes;
Terminating processes;
Modifying web page content in the browser; and
Recording keyboard operations.
From the number of risky operation behaviors that a grey paper sample triggers, the probability that the grey paper sample is a virus file is calculated. The more risky operation behaviors are triggered, the higher the probability that the grey paper sample is a virus file. For example, the number of risky operation behaviors triggered by the grey paper sample is divided by the total number of risky operation behaviors in the risky operation behavior list to give the probability that the grey paper sample is a virus file.
If the probability derived from the number of risky operation behaviors triggered by the grey paper sample is the only parameter for calculating the rate of failing to report, this probability is taken as the rate of failing to report, and the grey paper samples whose rate of failing to report is greater than the preset rate-of-failing-to-report threshold are selected as the grey paper samples to be scanned.
If several of the above probabilities are used as parameters for calculating the rate of failing to report, a weight can be set for each parameter, and the weighted sum of the parameters gives the rate of failing to report of the grey paper sample.
Step S220, choose the assessors for scanning the grey paper samples according to the update record and/or the scanning record of each assessor.
An assessor can be an antivirus application for detecting whether a paper sample is safe, such as BitDefender (an antivirus application from Romania), the antivirus application provided by QVM (Qihoo Support Vector Machine), a cloud antivirus engine, and so on. A grey paper sample is a paper sample whose safety is unknown.
Specifically, when selecting assessors, the assessors for scanning a grey paper sample can be chosen according to the scanning record of each assessor.
For each assessor and each grey paper sample to be scanned, the scan interval of this grey paper sample for this assessor is calculated from the number of times this assessor has scanned this grey paper sample, and the assessors for scanning the grey paper sample are chosen according to the scan interval. The more times the sample has been scanned, the longer the scan interval. For example, the scan interval is calculated with the formula T = (log N) × 1.5 + 1, where N is the number of times a given assessor has scanned a given grey paper sample and T is the scan interval of this grey paper sample for this assessor.
When selecting assessors, the assessors for scanning a grey paper sample can also be chosen according to the update record of each assessor. Specifically, the assessors that have been updated since the last scan are chosen from the assessors according to the update records.
Alternatively, the assessors for scanning a grey paper sample are chosen according to both the update record and the scanning record of each assessor. For example, the assessors that have been updated since the last scan are chosen first, and assessors are then chosen from among them by scan interval.
Step S230, scan the grey paper samples to be scanned with the selected assessors and store the scanning results, so that the scanning result is returned when a request asking whether a paper sample is safe is received.
While still making up for failures to report, the present embodiment reduces the scanning workload. It thereby solves the problem that scanning all paper samples consumes a large amount of resources, and achieves the beneficial effects of saving the resources of the scanning equipment, speeding up scanning and improving scan efficiency.
In a preferred embodiment, Fig. 3 is the flow chart for choosing grey paper samples according to the rate of failing to report according to an embodiment of the invention; step S210 comprises the following steps.
Step S2102, extract a grey paper sample.
Step S2104, judge whether the first-discovery time of the grey paper sample is earlier than a preset time threshold; if so, perform step S2106; if not, perform step S2108.
Step S2106, take the rate of failing to report of this grey paper sample to be 0, and perform step S2110.
Step S2108, obtain the rate of failing to report of the grey paper sample from the attributes of the grey paper sample, and perform step S2110.
Step S2110, judge whether all grey paper samples have been extracted; if so, perform step S2112; otherwise, perform step S2102.
Step S2112, choose the grey paper samples to be scanned from the stored grey paper samples according to the rate of failing to report.
The earlier a grey paper sample was first discovered, the less likely it is to have been missed. When the first-discovery time is earlier than the preset time threshold, the grey paper sample is no longer scanned, which further reduces unnecessary scan operations, saves the resources used for scanning paper samples and improves scan efficiency.
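The grey-sample selection of steps S2102 to S2112 combined with the assessor selection of step S220, as an added Python example that is not code from the patent. The natural logarithm, the day as time unit, the 0.5/0.5 weights, the two-step size curve, the treatment of a never-scanned sample (N = 0) and all names and sample data are assumptions of this example.

```python
import math
from dataclasses import dataclass, field

# The eight risky operation behaviours from the list above (labels are this example's own).
RISKY_BEHAVIOURS = frozenset({
    "registry_autorun_write", "registry_modify", "system_file_modify",
    "app_file_modify", "process_injection", "process_terminate",
    "browser_content_modify", "keyboard_recording",
})

@dataclass
class GreySample:
    sample_id: str          # stands in for the MD5 value used as identifier
    size_bytes: int
    first_seen_day: int     # day number of first discovery
    behaviours: frozenset   # operation behaviours observed for the sample

@dataclass
class Assessor:
    name: str
    last_update_day: int
    # sample_id -> (times scanned, day of last scan)
    scan_record: dict = field(default_factory=dict)

def size_probability(size_bytes):
    """Constructed two-step stand-in for the offline size/virus-rate curve."""
    return 0.00001 if size_bytes >= 10 * 1024 * 1024 else 0.02

def behaviour_probability(sample):
    """Triggered risky behaviours divided by the length of the risky list."""
    return len(sample.behaviours & RISKY_BEHAVIOURS) / len(RISKY_BEHAVIOURS)

def miss_rate(sample, cutoff_day, w_size=0.5, w_behaviour=0.5):
    """Rate of failing to report: 0 for old samples (S2106), else a weighted sum (S2108)."""
    if sample.first_seen_day < cutoff_day:
        return 0.0
    return (w_size * size_probability(sample.size_bytes)
            + w_behaviour * behaviour_probability(sample))

def select_grey_samples(samples, cutoff_day, threshold):
    """S2112: keep the samples whose rate is greater than the threshold."""
    return [s.sample_id for s in samples if miss_rate(s, cutoff_day) > threshold]

def scan_interval(n):
    """T = (log N) x 1.5 + 1. Assumed: natural log, days; N = 0 means scan at once."""
    return 0.0 if n == 0 else math.log(n) * 1.5 + 1

def choose_assessors(sample_id, assessors, today):
    """S220: updated since the last scan first, then due according to the interval."""
    chosen = []
    for a in assessors:
        count, last_scan = a.scan_record.get(sample_id, (0, None))
        if count == 0:                      # never scanned this sample: always eligible
            chosen.append(a.name)
            continue
        updated = a.last_update_day > last_scan
        due = today - last_scan >= scan_interval(count)
        if updated and due:
            chosen.append(a.name)
    return chosen

# Constructed sample data for the demonstration.
TODAY, CUTOFF_DAY, THRESHOLD = 100, 60, 0.05
SAMPLES = [
    GreySample("sample-a", 200 * 1024, 95,
               frozenset({"process_injection", "keyboard_recording", "registry_modify"})),
    GreySample("sample-b", 150 * 1024, 10,          # first seen long ago: rate is 0
               frozenset({"process_injection", "system_file_modify"})),
    GreySample("sample-c", 50 * 1024 * 1024, 98, frozenset()),
]
ASSESSORS = [
    Assessor("engine_a", 99, {"sample-a": (4, 96)}),   # updated and interval elapsed
    Assessor("engine_b", 90, {"sample-a": (1, 98)}),   # not updated since last scan
    Assessor("engine_c", 80),                          # never scanned sample-a
    Assessor("engine_d", 99, {"sample-a": (20, 97)}),  # updated but interval not elapsed
]

if __name__ == "__main__":
    for sid in select_grey_samples(SAMPLES, CUTOFF_DAY, THRESHOLD):
        print(sid, choose_assessors(sid, ASSESSORS, TODAY))
```
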
In another embodiment of the present invention, the dangerous paper samples among the paper samples are scanned. A dangerous paper sample is a paper sample that an assessor has reported as a virus file. A dangerous paper sample is rescanned with the assessors that reported it as a virus file; if, after scanning, all of those assessors determine that the dangerous paper sample is not a virus file, a false-alarm removal operation is performed on it. The technical scheme of this embodiment is as follows.
Fig. 4 shows the flow for scanning dangerous paper samples in the scan method of paper samples according to an embodiment of the invention, comprising the following steps.
Step S410, for a dangerous paper sample among the paper samples, determine the assessors that reported the dangerous paper sample as a virus file.
Step S420, rescan the dangerous paper sample with the assessors that reported it as a virus file; if the scanning result is that the dangerous paper sample is no longer a virus file, determine that the dangerous paper sample was falsely reported as a virus file, and perform a false-alarm removal operation on it.
The false-alarm removal operation can delete the record that the paper sample is a virus file, or update the record of the paper sample from dangerous paper sample to grey paper sample or white paper sample. A white paper sample is a paper sample determined to be non-hazardous.
In this embodiment, a dangerous paper sample is scanned only with the assessors that reported it as a virus file, so scan operations are reduced and scan efficiency is improved while false alarms are still corrected.
Further, the rate of false alarm of each dangerous paper sample is calculated, and the dangerous paper samples to scan are selected according to the rate of false alarm, which further reduces the number of dangerous paper samples scanned.
After step S410, the method comprises: deriving the rate of false alarm of the dangerous paper sample from the determined assessors, establishing a correspondence between the number of assessors and the rate of false alarm, and choosing the dangerous paper samples to be scanned from the stored dangerous paper samples according to the rate of false alarm. The more assessors were determined, the lower the rate of false alarm of the dangerous paper sample.
For example, for the assessors that reported a dangerous paper sample as a virus file, an accuracy rate for this dangerous file can be set for each assessor; the accuracy rates are summed, and 1 minus the sum gives the rate of false alarm of the dangerous paper sample. The dangerous paper samples whose rate of false alarm is greater than a preset rate-of-false-alarm threshold are chosen as the dangerous paper samples to be scanned.
When setting the accuracy rate for a dangerous file, if an analyst has marked the file as a virus file, the accuracy rate is set directly to 1. For each assessor, the accuracy rate is set according to the degree of trust in this assessor and the number of times this assessor has scanned the dangerous file; the higher the scan count, the higher the accuracy rate. For example, if the degree of trust in antivirus engine A is high, then once the scan count of antivirus engine A exceeds a scan threshold, the accuracy rate of antivirus engine A for this dangerous file is determined to be 1.
Choosing dangerous paper samples according to the rate of false alarm thus further reduces unnecessary scan operations, saves the resources used for scanning paper samples and improves scan efficiency.
Further, after step S410 the method also comprises: from the determined assessors that reported the dangerous paper sample as a virus file, choosing the assessors for scanning this dangerous paper sample according to the update records and/or the scanning records of the assessors.
Among the assessors that determined the dangerous paper sample to be a virus file, the assessors for scanning this dangerous paper sample can be chosen according to the scanning record of each assessor.
For each determined assessor and each dangerous paper sample to be scanned, the scan interval of this dangerous paper sample for this assessor is calculated from the number of times this assessor has scanned this dangerous paper sample, and the assessors for scanning the dangerous paper sample are chosen according to the scan interval. The more times the sample has been scanned, the longer the scan interval. For example, the scan interval is calculated with the formula T = (log N) × 1.5 + 1, where N is the number of times a given assessor has scanned a given dangerous paper sample and T is the scan interval of this dangerous paper sample for this assessor.
Among the assessors that determined the dangerous paper sample to be a virus file, the assessors for scanning the dangerous paper sample can also be chosen according to the update record of each assessor. For example, the assessors that have been updated since the last scan are chosen from those assessors according to the update records.
Alternatively, the assessors for scanning the dangerous paper sample are chosen according to both the update record and the scanning record of each assessor. For example, among the assessors that determined the dangerous paper sample to be a virus file, the assessors that have been updated since the last scan are chosen first, and assessors are then chosen from among them by scan interval.
Choosing assessors according to their update records and/or scanning records thus further reduces unnecessary scan operations, saves the resources used for scanning paper samples and improves scan efficiency.
In another embodiment of the present invention, the query popularity (heat) of paper samples is counted, and paper samples are selected from the active paper samples with high popularity, which further reduces the number of paper samples scanned and improves scan efficiency.
The method also comprises:
On receiving a request asking whether a paper sample is safe, recording the received request in a log.
According to the records in the log, extracting the paper samples whose number of queries within a preset time is greater than a preset heat threshold; the extracted paper samples are the active paper samples. An active paper sample is a popular paper sample, one whose query frequency is greater than a predetermined threshold.
Thus, when grey paper samples are scanned, obtaining the rate of failing to report of a grey paper sample from its attributes specifically comprises: extracting the grey paper samples from the active paper samples, and deriving the rate of failing to report of each extracted grey paper sample from its attributes. Choosing the grey paper samples to be scanned from the stored grey paper samples according to the rate of failing to report specifically comprises: choosing, from the extracted grey paper samples, those whose rate of failing to report is greater than a preset rate-of-failing-to-report threshold; the chosen grey paper samples are the grey paper samples to be scanned.
When dangerous paper samples are scanned, determining the assessors that reported a dangerous paper sample as a virus file specifically comprises: extracting the dangerous paper samples from the active paper samples, and determining the assessors that reported each extracted dangerous paper sample as a virus file. Choosing the dangerous paper samples to be scanned from the stored dangerous paper samples according to the rate of false alarm specifically comprises: choosing, from the extracted dangerous paper samples, those whose rate of false alarm is greater than a preset rate-of-false-alarm threshold; the chosen dangerous paper samples are the dangerous paper samples to be scanned.
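The dangerous-sample path described above (active samples from the query log, rate of false alarm as 1 minus the summed accuracy rates, rescan by the reporting assessors, false-alarm removal), as an added Python example that is not code from the patent. The trust values, the accuracy ramp below the scan threshold, the clamp at 0, the time units and all names and sample data are assumptions of this example.

```python
from collections import Counter
from dataclasses import dataclass

HIGH_TRUST = 0.9       # assumed: trust at or above this counts as "high"
SCAN_THRESHOLD = 5     # assumed scan-count threshold

@dataclass
class Report:
    assessor: str      # "analyst" marks a manual verdict
    trust: float       # assumed degree of trust in [0, 1]
    scan_count: int    # times this assessor has scanned the file

def accuracy(report):
    """Accuracy rate of one assessor for one dangerous file."""
    if report.assessor == "analyst":
        return 1.0
    if report.trust >= HIGH_TRUST and report.scan_count > SCAN_THRESHOLD:
        return 1.0
    # Assumed ramp: accuracy grows with the scan count and is capped by the trust value.
    return report.trust * min(report.scan_count, SCAN_THRESHOLD) / SCAN_THRESHOLD

def false_alarm_rate(reports):
    """1 minus the summed accuracy rates, clamped at 0 because the sum can exceed 1."""
    return max(0.0, 1.0 - sum(accuracy(r) for r in reports))

def active_samples(query_log, now, window, heat_threshold):
    """Samples queried more than heat_threshold times within the window."""
    counts = Counter(sid for ts, sid in query_log if 0 <= now - ts <= window)
    return {sid for sid, n in counts.items() if n > heat_threshold}

def plan_rescans(records, query_log, now, window, heat_threshold, fa_threshold):
    """Map each dangerous, active, doubtful sample to the assessors that reported it."""
    plan = {}
    for sid in sorted(active_samples(query_log, now, window, heat_threshold)):
        rec = records.get(sid)
        if rec is None or rec["status"] != "dangerous":
            continue
        if false_alarm_rate(rec["reports"]) > fa_threshold:
            plan[sid] = [r.assessor for r in rec["reports"]]
    return plan

def apply_rescan(records, sid, verdicts):
    """verdicts: assessor -> True if it still reports a virus file.
    False-alarm removal happens only when every reporting assessor now says False."""
    rec = records[sid]
    reporters = [r.assessor for r in rec["reports"]]
    if reporters and all(verdicts.get(name) is False for name in reporters):
        rec["status"] = "grey"      # one of the removal options: downgrade to grey
        rec["reports"] = []
        return True
    return False

def constructed_records():
    """Constructed information-bank entries; the ids stand in for MD5 values."""
    return {
        "sample-a": {"status": "dangerous", "reports": [Report("engine_a", 0.5, 2)]},
        "sample-b": {"status": "dangerous", "reports": [Report("engine_a", 0.95, 9),
                                                        Report("engine_b", 0.6, 3)]},
        "sample-c": {"status": "dangerous", "reports": [Report("analyst", 1.0, 0)]},
        "sample-d": {"status": "dangerous", "reports": [Report("engine_b", 0.6, 1)]},
    }

# Constructed query log of (hour, sample id); sample-d is queried once in the window.
QUERY_LOG = [(t, sid) for sid in ("sample-a", "sample-b", "sample-c")
             for t in (990, 995, 998, 999)]
QUERY_LOG += [(100, "sample-d"), (200, "sample-d"), (300, "sample-d"), (999, "sample-d")]

if __name__ == "__main__":
    recs = constructed_records()
    print(plan_rescans(recs, QUERY_LOG, now=1000, window=24,
                       heat_threshold=3, fa_threshold=0.3))
```

A missing verdict counts as "not cleared", so a reporting assessor that failed to run cannot cause a dangerous record to be downgraded.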
The scanning of grey paper samples is described below with a concrete example.
In this concrete example, the MD5 (Message Digest Algorithm 5) value of a paper sample is the identifier of the paper sample. Alternatively, a character string of 40 bytes in length formed from md5+sha1 can be used as the unique identifier of a paper sample, to avoid the identifier collisions that arise when md5 alone is the identifier, that is, when the md5 values calculated for two different paper samples are identical and the identifiers of the two paper samples collide. The paper sample information bank stores the attribute information and other relevant information of each paper sample: for example, for each paper sample, its size, path and operation behaviors, whether it is a black or a grey paper sample, and the assessors that reported it as a virus file.
Referring to Fig. 5, a flow chart of grey file sample scanning in the file sample scanning method according to an embodiment of the invention is shown.
Step S510: receive a request inquiring whether a file sample is safe, return the stored scan result of the requested file sample, and record the received request in a log.
Specifically, the received request contains the MD5 value of the file sample; the scan result is looked up by the MD5 value, and the request is recorded by MD5 value.
Step S520: according to the records in the log, extract the file samples whose number of queries within a preset time is greater than a preset heat threshold; the extracted file samples are the active file samples.
Step S530: extract the grey file samples from the active file samples, obtain the attributes of each grey file sample from the file sample information bank according to its MD5 value, derive the miss rate of the grey file sample from the obtained attributes, and select, from the extracted grey file samples, those whose derived miss rate is greater than the preset miss-rate threshold.
Step S540: choose the assessors for scanning the grey file samples according to the update record of each assessor and the scan records of the assessors.
Step S550: scan the obtained grey file samples with the chosen assessors, and store the scan results.
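The following added example, which is not code from the patent, runs steps S510 to S540 over constructed data and returns the scan plan that step S550 would execute. The scoring weights in `miss_rate`, the doubling scan interval, the thresholds and every name are assumptions; this section states only which inputs each decision uses.

```python
from collections import Counter
from dataclasses import dataclass, field

# Every name, threshold and weight here is an assumption made for this example.
HEAT_THRESHOLD = 2         # S520: a sample is active if queried more often than this
MISS_THRESHOLD = 50        # S530: miss-rate score (0-100) above which a sample is scanned
FIRST_SEEN_CUTOFF = 1_000  # claim 1: samples first seen before this time score 0
BASE_INTERVAL = 100        # claim 9: assumed rescan interval, doubled per past scan
RISKY_DIRS = ("\\temp\\", "\\startup\\")               # stand-in for path statistics
RISKY_BEHAVIORS = {"write_autorun", "inject_process"}  # stand-in for the risky-behaviour list


@dataclass
class Sample:
    md5: str
    status: str            # "grey" (safety unknown), "black" or "white"
    size: int
    path: str
    behaviors: frozenset
    first_seen: int
    scans: dict = field(default_factory=dict)  # assessor -> (last scan time, scan count)


class QueryService:
    """S510: answer safety queries from stored results and log every request."""

    def __init__(self, info_bank):
        self.info_bank = info_bank
        self.log = []

    def query(self, md5, now):
        self.log.append((now, md5))
        sample = self.info_bank.get(md5)
        return sample.status if sample else "grey"


def active_md5s(log, now, window):
    """S520: MD5 values queried more than HEAT_THRESHOLD times inside the window."""
    hits = Counter(md5 for ts, md5 in log if now - ts <= window)
    return {md5 for md5, n in hits.items() if n > HEAT_THRESHOLD}


def miss_rate(s):
    """S530: score how likely a grey sample is an unreported virus file."""
    if s.first_seen < FIRST_SEEN_CUTOFF:
        return 0  # claim 1: first seen earlier than the preset time threshold
    score = 30 if s.size < 512 * 1024 else 0
    score += 30 if any(d in s.path.lower() for d in RISKY_DIRS) else 0
    score += 40 if s.behaviors & RISKY_BEHAVIORS else 0
    return score


def pick_assessors(s, updated_at, now):
    """S540: assessors never used on s, updated since their last scan, or due again."""
    chosen = []
    for name, updated in sorted(updated_at.items()):
        last, count = s.scans.get(name, (None, 0))
        if last is None or updated > last or now - last >= BASE_INTERVAL * 2 ** count:
            chosen.append(name)
    return chosen


def schedule_grey(service, updated_at, now, window):
    """S520-S540: map each grey sample worth scanning to the assessors to run."""
    plan = {}
    for md5 in sorted(active_md5s(service.log, now, window)):
        s = service.info_bank.get(md5)
        if s is not None and s.status == "grey" and miss_rate(s) > MISS_THRESHOLD:
            assessors = pick_assessors(s, updated_at, now)
            if assessors:
                plan[md5] = assessors
    return plan


def demo():
    """Constructed data: five samples, three assessors, a short query log."""
    risky = frozenset({"write_autorun"})
    bank = {
        "md5-a": Sample("md5-a", "grey", 200_000, "C:\\Users\\u\\Temp\\a.exe", risky, 5_000,
                        {"engine1": (5_100, 1), "engine2": (5_150, 1)}),
        "md5-b": Sample("md5-b", "grey", 200_000, "C:\\Temp\\b.exe", risky, 10),
        "md5-c": Sample("md5-c", "grey", 9_000_000, "C:\\Program Files\\c.exe", frozenset(), 5_000),
        "md5-d": Sample("md5-d", "black", 200_000, "C:\\Temp\\d.exe", risky, 5_000),
        "md5-e": Sample("md5-e", "grey", 200_000, "C:\\Temp\\e.exe", risky, 5_000),
    }
    service = QueryService(bank)
    for ts in (5_000, 5_050, 5_190):
        for md5 in ("md5-a", "md5-b", "md5-c", "md5-d"):
            service.query(md5, ts)
    service.query("md5-e", 5_190)  # queried once, so it never becomes active
    updated_at = {"engine1": 5_120, "engine2": 5_000, "engine3": 5_000}
    return schedule_grey(service, updated_at, now=5_200, window=500)


if __name__ == "__main__":
    print(demo())
```

Of the five constructed samples only `md5-a` is scheduled: `md5-b` is zeroed by the first-discovery rule, `md5-c` scores below the threshold, `md5-d` is not grey and `md5-e` is not active.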
The scanning of dangerous file samples is described below with reference to a specific example.
Referring to Fig. 6, a flow chart of dangerous file sample scanning in the file sample scanning method according to an embodiment of the invention is shown.
Step S610: receive a request inquiring whether a file sample is safe, return the stored scan result of the requested file sample, and record the received request in a log.
Specifically, the received request contains the MD5 value of the file sample; the scan result is looked up by the MD5 value, and the request is recorded by MD5 value.
Step S620: according to the records in the log, extract the file samples whose number of queries within a preset time is greater than a preset heat threshold; the extracted file samples are the active file samples.
Step S630: extract the dangerous file samples from the active file samples, read the information in the information bank according to the MD5 value of each dangerous file sample, and determine the assessors that reported the extracted dangerous file sample as a virus file.
Step S640: derive the false-positive rate of each extracted dangerous file sample according to the determined assessors, and choose, from the extracted dangerous file samples, those whose false-positive rate is greater than the preset false-positive-rate threshold as the dangerous file samples to be scanned.
Step S650: for each dangerous file sample to be scanned, choose, from the determined assessors that reported this dangerous file sample as a virus file, the assessors for scanning it according to the update records and scan records of the assessors.
Step S660: for each dangerous file sample to be scanned, rescan it with the chosen assessors; if the scan result is that the dangerous file sample is no longer a virus file, determine that it is a falsely reported file sample and perform a false-positive removal operation on it.
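Steps S630 to S660 as an added example that is not code from the patent, run over constructed data. The table mapping the number of reporting assessors to a false-positive rate, the threshold, the per-assessor handling of reports and the choice to return a cleared sample to grey are all assumptions; so is selecting assessors by update record only.

```python
from dataclasses import dataclass

# Names, thresholds and the table below are assumptions made for this example.
FP_THRESHOLD = 40                             # S640: rescan above this rate (percent)
FP_RATE_BY_REPORTERS = {1: 60, 2: 45, 3: 20}  # claim 3 correspondence, constructed values
FP_RATE_MANY = 5                              # rate used when more assessors agree


@dataclass
class Dangerous:
    md5: str
    reporters: dict        # assessor -> time it last reported the sample as a virus file
    status: str = "black"


def fp_rate(sample):
    """S640: look the false-positive rate up from the number of reporting assessors."""
    return FP_RATE_BY_REPORTERS.get(len(sample.reporters), FP_RATE_MANY)


def plan_rescans(active, updated_at):
    """S630-S650: per sample, the reporting assessors updated since their report."""
    plan = {}
    for s in active:
        if s.status != "black" or not s.reporters or fp_rate(s) <= FP_THRESHOLD:
            continue
        chosen = sorted(a for a, t in s.reporters.items() if updated_at.get(a, 0) > t)
        if chosen:
            plan[s.md5] = chosen
    return plan


def rescan(active, plan, still_detects, now):
    """S660: rescan and undo reports that no longer hold; return the cleared MD5 values."""
    by_md5 = {s.md5: s for s in active}
    cleared = []
    for md5, assessors in plan.items():
        s = by_md5[md5]
        for a in assessors:
            if still_detects(a, md5):
                s.reporters[a] = now   # report confirmed by the updated assessor
            else:
                del s.reporters[a]     # this assessor no longer reports a virus file
        if not s.reporters:
            s.status = "grey"          # assumed false-positive removal: safety unknown again
            cleared.append(md5)
    return cleared


def demo():
    """Constructed data: five dangerous samples, three assessors, fixed verdicts."""
    active = [
        Dangerous("md5-1", {"engine1": 100}),
        Dangerous("md5-2", {"engine1": 100, "engine2": 100}),
        Dangerous("md5-3", {"engine1": 100, "engine2": 100, "engine3": 100}),
        Dangerous("md5-4", {"engine2": 100}),
        Dangerous("md5-5", {"engine1": 100}),
    ]
    updated_at = {"engine1": 150, "engine2": 90, "engine3": 90}
    verdicts = {("engine1", "md5-5")}  # detections that survive engine1's update
    plan = plan_rescans(active, updated_at)
    cleared = rescan(active, plan, lambda a, m: (a, m) in verdicts, now=200)
    return plan, cleared, {s.md5: (s.status, sorted(s.reporters)) for s in active}


if __name__ == "__main__":
    print(demo())
```

Only `md5-1` is cleared: `md5-2` loses one report but is still reported by `engine2`, `md5-3` has too low a false-positive rate to be rescanned, `md5-4` has no updated reporter, and `md5-5` is still detected after the update.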
The file scanning method of the present invention has been described above. The method makes up for missed reports and corrects false positives while reducing the scanning workload. It thereby solves the problem that all file samples need to be scanned during scanning, which consumes a large amount of resources, and achieves the beneficial effects of saving the resources of the equipment that performs the scanning, improving scan efficiency and increasing scan speed.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such a system is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein can be implemented in various programming languages, and that the description of a specific language above is given to disclose the best mode of the invention.
Numerous specific details are set forth in the description provided herein. It is to be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments. However, the method of the disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in fewer than all features of a single disclosed embodiment. Therefore, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment can be changed adaptively and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
In addition, those skilled in the art will understand that although some embodiments described herein include certain features that are included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the file sample scanning system according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.
Claims (20)
1. A method for scanning file samples, the method comprising:
For the grey file samples among the file samples, choosing grey file samples to be scanned from the stored grey file samples according to a preset strategy;
Choosing the assessors for scanning the grey file samples according to the update record of each assessor and/or the scan records of the assessors;
Scanning the grey file samples to be scanned with the chosen assessors, and storing the scan results, so that a scan result is returned when a request inquiring whether a file sample is safe is received;
A grey file sample being a file sample whose safety is unknown;
Wherein choosing grey file samples to be scanned from the stored grey file samples according to the preset strategy specifically comprises:
Obtaining the miss rate of each grey file sample according to the attributes of the grey file sample, and choosing grey file samples to be scanned from the stored grey file samples according to the miss rate;
And wherein, before obtaining the miss rate of a grey file sample according to its attributes, the method further comprises:
Judging whether the first-discovery time of the grey file sample is earlier than a preset time threshold; if so, determining that the miss rate of this grey file sample is 0; if not, performing the operation of obtaining the miss rate of the grey file sample according to its attributes.
2. The method according to claim 1, wherein,
The method further comprises:
For the dangerous file samples among the file samples, determining the assessors that reported each dangerous file sample as a virus file, a dangerous file sample being a file sample that has been reported as a virus file by an assessor;
Rescanning the dangerous file sample with the assessors that reported it as a virus file; if the scan result is that the dangerous file sample is no longer a virus file, determining that the dangerous file sample was falsely reported as a virus file, and performing a false-positive removal operation on the dangerous file sample.
3. The method according to claim 2, wherein,
After determining the assessors that reported the dangerous file sample as a virus file, the method further comprises:
Deriving the false-positive rate of the dangerous file sample according to the determined assessors, and establishing a correspondence between the number of assessors and the false-positive rate;
Choosing dangerous file samples to be scanned from the stored dangerous file samples according to the false-positive rate;
And rescanning the dangerous file sample with the assessors that reported it as a virus file specifically comprises:
For each dangerous file sample to be scanned, rescanning this dangerous file sample with the assessors that reported it as a virus file.
4. The method according to any one of claims 1 to 3, wherein,
The method further comprises:
When a request inquiring whether a file sample is safe is received, recording the received request in a log;
According to the records in the log, extracting the file samples whose number of queries within a preset time is greater than a preset heat threshold, the extracted file samples being active file samples.
5. The method according to claim 4, wherein,
Obtaining the miss rate of a grey file sample according to its attributes specifically comprises:
Extracting the grey file samples from the active file samples, and deriving the miss rate of each extracted grey file sample from its attributes;
And choosing grey file samples to be scanned from the stored grey file samples according to the miss rate specifically comprises:
Choosing, from the extracted grey file samples, the grey file samples whose miss rate is greater than a preset miss-rate threshold, and taking the chosen grey file samples as the grey file samples to be scanned.
6. The method according to claim 4, wherein,
Determining the assessors that reported a dangerous file sample as a virus file specifically comprises:
Extracting the dangerous file samples from the active file samples, and determining the assessors that reported each extracted dangerous file sample as a virus file;
And choosing dangerous file samples to be scanned from the stored dangerous file samples according to the false-positive rate specifically comprises:
Choosing, from the extracted dangerous file samples, the dangerous file samples whose false-positive rate is greater than a preset false-positive-rate threshold, and taking the chosen dangerous file samples as the dangerous file samples to be scanned.
7. The method according to claim 1, wherein,
Obtaining the miss rate of a grey file sample according to its attributes specifically comprises:
Calculating the probability that the grey file sample is a virus file according to statistics compiled on the features of virus files and the attributes of the grey file sample, and using this probability as a parameter for calculating the miss rate of the grey file sample.
8. The method according to claim 7, wherein,
Calculating the probability that the grey file sample is a virus file according to statistics compiled on the features of virus files and the attributes of the grey file sample specifically comprises:
Calculating the probability that the grey file sample is a virus file according to statistics compiled on the sizes of virus files and the size of the grey file sample;
And/or,
Calculating the probability that the grey file sample is a virus file according to statistics compiled on the paths of virus files and the path of the grey file sample;
And/or,
Calculating the probability that the grey file sample is a virus file according to a list of risky operation behaviors compiled from statistics on the operation behaviors of virus files and the operation behaviors of the grey file sample.
9. The method according to claim 1, wherein,
Choosing the assessors for scanning the grey file samples according to the scan records of the assessors specifically comprises:
For each assessor and each grey file sample to be scanned, calculating the scan interval of this grey file sample for this assessor according to the number of times this assessor has scanned this grey file sample;
Choosing the assessors for scanning the grey file samples according to the scan interval.
10. The method according to claim 1, wherein,
Choosing the assessors for scanning the grey file samples according to the update record of each assessor specifically comprises:
Choosing, from the assessors and according to the update records, the assessors that have been updated since the last scan.
11. A system for scanning file samples, the system comprising: a sample storage device, a killing engine, a scan schedule device, and a scan sample device comprising a plurality of assessors;
The sample storage device is adapted to store file samples;
The scan schedule device is adapted to, for the grey file samples among the file samples, choose grey file samples to be scanned from the grey file samples stored in the sample storage device according to a preset strategy, and to choose the assessors for scanning the grey file samples according to the update record of each assessor and/or the scan records of the assessors;
The scan sample device is adapted to obtain the grey file samples to be scanned from the sample storage device, scan the obtained grey file samples with the assessors chosen by the scan schedule device, and store the scan results in the killing engine;
The killing engine is adapted to store the scan results of the file samples, and to return a scan result when a request inquiring whether a file sample is safe is received;
A grey file sample being a file sample whose safety is unknown;
Wherein the scan schedule device is specifically adapted to obtain the miss rate of each grey file sample according to the attributes of the grey file sample, and to choose grey file samples to be scanned from the stored grey file samples according to the miss rate;
The scan schedule device is further adapted to, before obtaining the miss rate of a grey file sample according to its attributes, judge whether the first-discovery time of the grey file sample is earlier than a preset time threshold; if so, determine that the miss rate of this grey file sample is 0; if not, perform the operation of obtaining the miss rate of the grey file sample according to its attributes.
12. The system according to claim 11, wherein,
The scan schedule device is further adapted to, for the dangerous file samples among the file samples, determine the assessors that reported each dangerous file sample as a virus file, a dangerous file sample being a file sample that has been reported as a virus file by an assessor;
The scan sample device is further adapted to obtain the dangerous file samples from the sample storage device and rescan the obtained dangerous file samples with the assessors determined by the scan schedule device; if the scan result is that a dangerous file sample is no longer a virus file, to determine that this dangerous file sample was falsely reported as a virus file, and to perform a false-positive removal operation on this dangerous file sample.
13. The system according to claim 12, wherein,
The scan schedule device is further adapted to, after determining the assessors that reported the dangerous file sample as a virus file, derive the false-positive rate of the dangerous file sample according to the determined assessors, establish a correspondence between the number of assessors and the false-positive rate, and choose dangerous file samples to be scanned from the dangerous file samples stored in the sample storage device according to the false-positive rate;
The scan sample device is specifically adapted to, for each dangerous file sample to be scanned, rescan this dangerous file sample with the assessors that reported it as a virus file.
14. The system according to any one of claims 11 to 13, wherein,
The killing engine is further adapted to record the received request in a log when a request inquiring whether a file sample is safe is received;
The scan schedule device is further adapted to extract, according to the records in the log, the file samples whose number of queries within a preset time is greater than a preset heat threshold, the extracted file samples being active file samples.
15. The system according to claim 14, wherein,
The scan schedule device is specifically adapted to extract the grey file samples from the active file samples, derive the miss rate of each extracted grey file sample from its attributes, choose, from the extracted grey file samples and according to the derived miss rate, the grey file samples whose miss rate is greater than a preset miss-rate threshold, and take the chosen grey file samples as the grey file samples to be scanned.
16. The system according to claim 14, wherein,
The scan schedule device is specifically adapted to extract the dangerous file samples from the active file samples, determine the assessors that reported each extracted dangerous file sample as a virus file, derive the false-positive rate of each extracted dangerous file sample according to the determined assessors, choose, from the extracted dangerous file samples and according to the false-positive rate, the dangerous file samples whose false-positive rate is greater than a preset false-positive-rate threshold, and take the chosen dangerous file samples as the dangerous file samples to be scanned.
17. The system according to claim 11, wherein,
The scan schedule device is specifically adapted to calculate the probability that the grey file sample is a virus file according to statistics compiled on the features of virus files and the attributes of the grey file sample, and to use this probability as a parameter for calculating the miss rate of the grey file sample.
18. The system according to claim 17, wherein,
The scan schedule device is specifically adapted to calculate the probability that the grey file sample is a virus file according to statistics compiled on the sizes of virus files and the size of the grey file sample;
And/or,
To calculate the probability that the grey file sample is a virus file according to statistics compiled on the paths of virus files and the path of the grey file sample;
And/or,
To calculate the probability that the grey file sample is a virus file according to a list of risky operation behaviors compiled from statistics on the operation behaviors of virus files and the operation behaviors of the grey file sample.
19. The system according to claim 11, wherein,
The scan schedule device is specifically adapted to, for each assessor and each grey file sample to be scanned, calculate the scan interval of this grey file sample for this assessor according to the number of times this assessor has scanned this grey file sample, and to choose the assessors for scanning the grey file samples according to the scan interval.
20. The system according to claim 11, wherein,
The scan schedule device is specifically adapted to choose, from the assessors and according to the update records, the assessors that have been updated since the last scan.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310071272.6A CN103136477B (en) | 2013-03-06 | 2013-03-06 | The scan method of paper sample and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103136477A CN103136477A (en) | 2013-06-05 |
CN103136477B true CN103136477B (en) | 2015-09-02 |
Family
ID=48496294
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103729593B (en) * | 2013-12-31 | 2017-04-12 | 安一恒通(北京)科技有限公司 | File security identification method and system |
CN105095752B (en) * | 2014-05-07 | 2019-01-08 | 腾讯科技(深圳)有限公司 | The recognition methods of viral data packet, apparatus and system |
CN104751058B (en) * | 2015-03-16 | 2018-08-31 | 联想(北京)有限公司 | A kind of file scanning method and electronic equipment |
CN105938533B (en) * | 2016-03-03 | 2019-01-22 | 杭州迪普科技股份有限公司 | A kind of scan method and scanning means of system vulnerability |
CN108334777B (en) * | 2017-04-17 | 2020-04-24 | 北京安天网络安全技术有限公司 | Sample analysis method and system based on user view angle |
CN108920956B (en) * | 2018-07-03 | 2021-05-14 | 亚信科技(成都)有限公司 | Machine learning method and system based on context awareness |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101685486A (en) * | 2008-09-23 | 2010-03-31 | 联想(北京)有限公司 | Virus killing method and virus killing system with multiple antivirus engines |
US7823205B1 (en) * | 2006-06-29 | 2010-10-26 | Symantec Corporation | Conserving computing resources while providing security |
CN102314571A (en) * | 2011-09-27 | 2012-01-11 | 奇智软件(北京)有限公司 | Method and device for processing computer viruses |
CN102594809A (en) * | 2012-02-07 | 2012-07-18 | 奇智软件(北京)有限公司 | Method and system for rapidly scanning files |
CN102609653A (en) * | 2012-02-07 | 2012-07-25 | 奇智软件(北京)有限公司 | File quick-scanning method and file quick-scanning system |
CN102867148A (en) * | 2011-07-08 | 2013-01-09 | 北京金山安全软件有限公司 | Safety protection method and device for electronic equipment |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7043757B2 (en) * | 2001-05-22 | 2006-05-09 | Mci, Llc | System and method for malicious code detection |
US20060026687A1 (en) * | 2004-07-31 | 2006-02-02 | Cyrus Peikari | Protecting embedded devices with integrated permission control |
US8832828B2 (en) * | 2009-03-26 | 2014-09-09 | Sophos Limited | Dynamic scanning based on compliance metadata |
Non-Patent Citations (2)
Title |
---|
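"Security Analysis of 'Cloud Security' Detection Technology"; Xu Rong et al.; Computer Engineering and Design; 20120930; full text * |
"Summary of Observations and Impressions from a Visit to Kingsoft"; wd19880427; Ai Duba Community; 20100426; full text * |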
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | ||
TR01 | Transfer of patent right |
Effective date of registration: 20220720 Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015 Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park) Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Patentee before: Qizhi software (Beijing) Co.,Ltd. |