CN104021338A - Method, device and system for startup item detection - Google Patents

Publication number
CN104021338A
Authority
CN
China
Application number
CN201410242851.7A
Other languages
Chinese (zh)
Inventor
汤迪斌
Original Assignee
北京奇虎科技有限公司
奇智软件(北京)有限公司
Application filed by 北京奇虎科技有限公司, 奇智软件(北京)有限公司
Priority to CN201410242851.7A
Publication of CN104021338A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575 Secure boot

Abstract

The invention provides a method, device and system for startup item detection. The method comprises the steps that startup item extended information of startup items to be detected is obtained, wherein the startup item extended information is identifying information which can identify the startup items to be detected; a query request for querying additional information of the startup items to be detected is sent to a server, wherein the query request carries the startup item extended information; a query result returned by the server is received, and the startup items to be detected are processed according to the query result. By the adoption of the technical scheme, the startup items which bypass existing boot startup item management software can be detected, and the suspicious or malicious startup items are processed in time. In this way, system resources are saved, the system startup speed is increased, and therefore a good environment for using the system is provided for a user.

Description

Method, device and system for startup item detection

Technical field

The present invention relates to the field of information security technology, and in particular to a method, device and system for startup item detection.

Background

With the development of technology, applications that meet users' different needs have emerged in large numbers, and many of them, in order to respond quickly to user operations, choose to start automatically when the operating system starts. A startup item is such a program: one that is loaded and run automatically, in the foreground or the background, when the operating system starts.

In the related art, some software uses various means to bypass detection by existing boot startup item management software so that it starts automatically after boot, and then waits for an opportunity to display advertisements or to install promoted software according to instructions from the cloud. On the one hand, this occupies system resources and slows system startup; on the other hand, it disturbs users and causes them great inconvenience.

Summary of the invention

In view of the above problems, the present invention is proposed to provide a startup item detection method, device and corresponding system that overcome the above problems or at least partially solve them.

According to one aspect of the present invention, a startup item detection method is provided, comprising: obtaining startup item extended information of a startup item to be detected, wherein the startup item extended information is identifying information used to identify the startup item to be detected; sending to a server a query request for the additional information of the startup item to be detected, wherein the query request carries the startup item extended information; and receiving the query result returned by the server and processing the startup item to be detected according to the query result.

Optionally, the startup item extended information comprises at least one of the following: file name, file path, file size, file internal name, file message digest (Message Digest Algorithm 5, MD5), file signing company information, file modification time, file creation time, file attributes, startup item name, service name, registry location.

Optionally, when there are multiple pieces of startup item extended information, the query request carries a character string obtained by combining them according to a preset combination rule.

Optionally, if the query result is the identification information of the startup item to be detected, processing the startup item to be detected according to the query result comprises: obtaining, from an additional information database and according to the identification information of the startup item to be detected, the additional information of the startup item to be detected other than the identification information; and processing the startup item to be detected according to the obtained additional information.

Optionally, the method further comprises: receiving a processing command from a user, wherein the processing command is determined by the user according to the query result; and processing the startup item to be detected according to the processing command.

Correspondingly, a startup item detection method is provided, comprising:

receiving, from a client, a query request for the additional information of a startup item to be detected, wherein the query request carries the startup item extended information of the startup item to be detected, and the startup item extended information is identifying information used to identify the startup item to be detected; and obtaining a query result according to the startup item extended information and sending the query result to the client.

Optionally, the startup item extended information comprises at least one of the following: file name, file path, file size, file internal name, file MD5, file signing company information, file modification time, file creation time, file attributes, startup item name, service name, registry location.

Optionally, when there are multiple pieces of startup item extended information, the query request carries a character string obtained by combining them according to a preset combination rule.

Optionally, obtaining the query result according to the startup item extended information comprises: querying the identification information of the startup item to be detected that corresponds to the startup item extended information; and obtaining the query result according to the identification information of the startup item to be detected.

According to another aspect of the present invention, a startup item detection device applied to a client is also provided, comprising: an acquisition module, configured to obtain startup item extended information of a startup item to be detected, wherein the startup item extended information is identifying information used to identify the startup item to be detected; a query module, configured to send to a server a query request for the additional information of the startup item to be detected, wherein the query request carries the startup item extended information; and a processing module, configured to receive the query result returned by the server and to process the startup item to be detected according to the query result.

Optionally, the startup item extended information comprises at least one of the following: file name, file path, file size, file internal name, file MD5, file signing company information, file modification time, file creation time, file attributes, startup item name, service name, registry location.

Optionally, when there are multiple pieces of startup item extended information, the query request carries a character string obtained by combining them according to a preset combination rule.

Optionally, if the query result is the identification information of the startup item to be detected, the processing module is further configured to: obtain, from an additional information database and according to the identification information of the startup item to be detected, the additional information of the startup item to be detected other than the identification information; and process the startup item to be detected according to the obtained additional information.

Optionally, the device further comprises: a command receiving module, configured to receive a processing command from a user, wherein the processing command is determined by the user according to the query result; and the processing module is further configured to process the startup item to be detected according to the processing command.

Correspondingly, a startup item detection device applied to a server is also provided, comprising: a query request receiving module, configured to receive, from a client, a query request for the additional information of a startup item to be detected, wherein the query request carries the startup item extended information of the startup item to be detected, and the startup item extended information is identifying information used to identify the startup item to be detected; and a sending module, configured to obtain a query result according to the startup item extended information and to send the query result to the client.

Optionally, the startup item extended information comprises at least one of the following: file name, file path, file size, file internal name, file MD5, file signing company information, file modification time, file creation time, file attributes, startup item name, service name, registry location.

Optionally, when there are multiple pieces of startup item extended information, the query request carries a character string obtained by combining them according to a preset combination rule.

Optionally, the sending module is further configured to: query the identification information of the startup item to be detected that corresponds to the startup item extended information; and obtain the query result according to the identification information of the startup item to be detected.

The present invention also provides a startup item detection system comprising the above client and server. The client is configured to: obtain startup item extended information of a startup item to be detected, wherein the startup item extended information is identifying information used to identify the startup item to be detected; send to the server a query request for the additional information of the startup item to be detected, wherein the query request carries the startup item extended information; and receive the query result returned by the server and process the startup item to be detected according to the query result. The server is configured to: receive, from the client, the query request for the additional information of the startup item to be detected, wherein the query request carries the startup item extended information of the startup item to be detected, and the startup item extended information is identifying information used to identify the startup item to be detected; and obtain a query result according to the startup item extended information and send the query result to the client.

According to the technical solution of the present invention, the startup item to be detected is detected using its startup item extended information, which may comprise at least one of the following: file name, file path, file size, file internal name, file MD5, file signing company information, file modification time, file creation time, file attributes, startup item name, service name, registry location. Because the startup item extended information is identifying information used to identify the startup item to be detected, startup items that bypass existing boot startup item management software can be detected, and suspicious or malicious startup items can be processed in time, which saves system resources, increases system startup speed and gives the user a good environment for using the system. In addition, embodiments of the present invention can also process the startup item to be detected according to a processing command entered by the user, which gives the user the initiative and improves the user experience.

The above is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the present invention are more readily apparent, specific embodiments of the present invention are set out below.

From the following detailed description of specific embodiments of the invention, taken together with the accompanying drawings, those skilled in the art will better understand the above and other objects, advantages and features of the present invention.

Brief description of the drawings

Various other advantages and benefits will become clear to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered limiting of the present invention. Throughout the drawings, the same reference symbols denote the same parts. In the drawings:

Fig. 1 shows a flowchart of the client-side startup item detection method according to one embodiment of the present invention;

Fig. 2 shows a flowchart of the server-side startup item detection method according to one embodiment of the present invention;

Fig. 3 shows a flowchart of the startup item detection method combining the client side and the server side according to one embodiment of the present invention;

Fig. 4 shows a schematic structural diagram of the client-side startup item detection device according to one embodiment of the present invention;

Fig. 5 shows a schematic structural diagram of the server-side startup item detection device according to one embodiment of the present invention; and

Fig. 6 shows a schematic structural diagram of the startup item detection system according to one embodiment of the present invention.

Detailed description

Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the disclosure can be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and its scope conveyed completely to those skilled in the art.

As mentioned in the related art, some software uses various means to bypass detection by existing boot startup item management software so that it starts automatically after boot, and then waits for an opportunity to display advertisements or to install promoted software according to instructions from the cloud. On the one hand, this occupies system resources and slows system startup; on the other hand, it disturbs users and causes them great inconvenience.

To solve the above technical problem, an embodiment of the present invention provides a startup item detection method. Fig. 1 shows a flowchart of the client-side startup item detection method according to one embodiment of the present invention. As shown in Fig. 1, the method comprises at least the following steps S102 to S106.

Step S102: obtain the startup item extended information of the startup item to be detected, wherein the startup item extended information is identifying information used to identify the startup item to be detected.

Step S104: send to the server a query request for the additional information of the startup item to be detected, wherein the query request carries the startup item extended information.

Step S106: receive the query result returned by the server, and process the startup item to be detected according to the query result.

According to the technical solution of the present invention, the startup item to be detected is detected using its startup item extended information, which may comprise at least one of the following: file name, file path, file size, file internal name, file MD5, file signing company information, file modification time, file creation time, file attributes, startup item name, service name, registry location. Because the startup item extended information is identifying information used to identify the startup item to be detected, startup items that bypass existing boot startup item management software can be detected, and suspicious or malicious startup items can be processed in time, which saves system resources, increases system startup speed and gives the user a good environment for using the system. In addition, embodiments of the present invention can also process the startup item to be detected according to a processing command entered by the user, which gives the user the initiative and improves the user experience.

In one embodiment, the startup item extended information in step S102 is identifying information used to identify the startup item to be detected, and may comprise at least one of: file name, file path, file size, file internal name, file MD5, file signing company information, file modification time, file creation time, file attributes, startup item name, service name, registry location. Further, when there are multiple pieces of startup item extended information, they may be combined into one character string according to a preset combination rule. For example, suppose the startup item extended information is the file size, the file MD5 and the file modification time, where the file size is 120KB, MD5=a5d0b1ceab27f4e7 and the file modification time is 20140501. The string obtained by combining the three may be "120KB a5d0b1ceab27f4e720140501" or "a5d0b1ceab27f4e7120KB20140501", or of course a string obtained by some other combination rule. Then, when the query request is sent in step S104, it carries this string, so that the server, on receiving the query request, obtains the string by parsing the request and queries the additional information of the startup item to be detected according to the string.

The additional information mentioned in step S104 may be the identification information of the startup item, the disable rate of the startup item, the display name of the startup item, detailed description information of the startup item, security level information of the startup item, and so on. This additional information may be generated by the server through statistical analysis of other users' usage of the startup item program, their feedback and the like, and the server may update it regularly to ensure that the information is authentic and valid. In this embodiment, the server pre-stores the correspondence between startup item extended information and additional information. In step S104 the client sends the query request for the additional information of the startup item to be detected to the server; the server parses the request to obtain the startup item extended information it carries, looks up the additional information corresponding to the parsed extended information in the pre-stored correspondence, and returns the query result to the client. For example, when the additional information is the identification information of the startup item, the server parses the request to obtain the startup item extended information it carries, looks up in the pre-stored correspondence the identification information of the startup item corresponding to the parsed extended information, then looks up the other additional information according to that identification information, such as the disable rate, display name, detailed description information and security level information of the startup item, and then sends this additional information to the client.

In addition, if the query result is the identification information of the startup item to be detected, step S106 may be implemented as follows: according to the identification information of the startup item to be detected, the additional information of the startup item other than the identification information (such as the disable rate, display name, detailed description information and security level information of the startup item) is obtained from a local additional information database, and the startup item to be detected is then processed according to the obtained additional information, for example by disabling the startup item, deleting the startup item, or delaying its start until the system is idle. Moreover, the client can judge from the identification information of the startup item whether each program file of the startup item is a locally known program file, which ensures that the client knows its local programs and also ensures the security of local programs. A program file list may be stored on the client; when a scanned program file is not in the program file list, the client judges that program file to be an unknown program file.

Further, after the client receives the query result returned by the server, it may also output the query result so that the user decides, according to the query result, how the startup item to be detected is processed. Specifically: a processing command is received from the user, the processing command being determined by the user according to the query result, and the startup item to be detected is then processed according to the processing command. The processing command may be a command to disable the startup item, a command to delete the startup item, a command to delay its start until the system is idle, and so on; the invention is not limited to these.

Correspondingly, Fig. 2 shows a flowchart of the server-side startup item detection method according to one embodiment of the present invention. As shown in Fig. 2, the method comprises at least the following steps S202 to S204.

Step S202: receive, from the client, a query request for the additional information of the startup item to be detected, wherein the query request carries the startup item extended information of the startup item to be detected, and the startup item extended information is identifying information used to identify the startup item to be detected.

Step S204: obtain the query result according to the startup item extended information, and send the query result to the client.

In one embodiment, the startup item extended information in step S202 is identifying information used to identify the startup item to be detected, and may be at least one of: file name, file path, file size, file internal name, file MD5, file signing company information, file modification time, file creation time, file attributes, startup item name, service name, registry location. Further, when there are multiple pieces of startup item extended information, the query request carries a character string obtained by combining them according to a preset combination rule; see the detailed description given above for Fig. 1, which is not repeated here.

The additional information mentioned in step S202 may be the identification information of the startup item, the disable rate of the startup item, the display name of the startup item, detailed description information of the startup item, security level information of the startup item, and so on. This additional information may be generated by the server through statistical analysis of other users' usage of the startup item program, their feedback and the like, and the server may update it regularly to ensure that the information is authentic and valid. When the additional information is the security level information of the startup item, the server may pre-store the correspondence between startup item extended information and security level information. The security level information determined by the server can be defined as desired: for example, it may comprise levels such as safe, dangerous and unknown, or the levels may be distinguished as level one, level two, level three and so on, as long as it reflects whether each module is in a safe state. In this embodiment, the server pre-stores the correspondence between startup item extended information and additional information. After the query request for the additional information of the startup item to be detected is received from the client in step S202, the server parses the request to obtain the startup item extended information it carries, looks up the additional information corresponding to the parsed extended information in the pre-stored correspondence, and returns the query result to the client.

Further, when the additional information is the identification information of the startup item, the client can judge from the identification information of the startup item whether each program file of the startup item is a locally known program file, which ensures that the client knows its local programs and also ensures the security of local programs. A program file list may be stored on the client; when a scanned program file is not in the program file list, the client judges that program file to be an unknown program file. When the client judges a program file to be an unknown program file, it can send the server a query request for the additional information of the startup item. The server parses the request to obtain the startup item extended information it carries, looks up in the pre-stored correspondence the identification information of the startup item corresponding to the parsed extended information, then looks up the other additional information according to that identification information, such as the disable rate, display name, detailed description information and security level information of the startup item, and then sends this additional information to the client. The method provided by this embodiment therefore enables the client to obtain from the server side, dynamically and in real time, the way to handle unknown program files, and to detect and remove malicious programs in time, which solves the prior-art problem of Trojans being used to break through cloud-based detection and removal. In addition, compared with the prior art, in which newly emerged malicious programs can be detected and removed only after the local signature database and engine program files have been upgraded, this method also shortens the time from discovery of a startup item problem to its repair, which accelerates the strike against newly emerged malicious programs, and it also reduces the amount of information stored on the server, thereby ensuring the security of client programs.

The above describes multiple implementations of each step of the embodiments shown in Fig. 1 and Fig. 2. The startup item detection method provided by the embodiments of the present invention is further described below through a specific preferred embodiment:

Fig. 3 shows a flowchart of the startup item detection method combining the client side and the server side according to one embodiment of the present invention. As shown in Fig. 3, the method comprises the following steps S302 to S312.

Step S302: the client scans the startup item to be detected and obtains its startup item extended information, wherein the startup item extended information is identifying information used to identify the startup item to be detected.

In this step, the startup item extended information may comprise at least one of: file name, file path, file size, file internal name, file MD5, file signing company information, file modification time, file creation time, file attributes, startup item name, service name, registry location; see the detailed description given above for Fig. 1, which is not repeated here.

Step S304: the client sends to the server a query request for the additional information of the startup item to be detected, wherein the query request carries the startup item extended information.

Step S306: the server receives from the client the query request for the additional information of the startup item to be detected, wherein the query request carries the startup item extended information of the startup item to be detected, and the startup item extended information is identifying information used to identify the startup item to be detected.

Step S308: the server parses the request to obtain the startup item extended information it carries, and looks up in the pre-stored correspondence the identification information of the startup item corresponding to the parsed extended information.

The server pre-stores the correspondence between startup item extended information and the identification information of startup items, and the correspondence between the identification information of startup items and the other additional information.

Step S310: the server looks up the other additional information according to the identification information of the startup item and sends it to the client.

Step S312: the client receives the query result returned by the server, and processes the startup item to be detected according to the query result.

After the client receives the query result returned by the server, it outputs the query result and then receives a processing command from the user, the processing command being determined by the user according to the query result, and processes the startup item to be detected according to the processing command. The processing command may be a command to disable the startup item, a command to delete the startup item, a command to delay its start until the system is idle, and so on; the invention is not limited to these.
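The Fig. 3 flow (steps S302 to S312), together with the combination rule and the local program file list described earlier, as an added Python example that is not code from the patent. The `|` separator, the level-to-action policy, the 0.5 disable-rate threshold and all sample items are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# Preset combination rule shared by client and server: field order plus a
# separator. The separator is an assumption of this example; the page's own
# sample strings concatenate the fields directly.
COMBINATION_RULE = ("file_size", "file_md5", "file_mtime")
SEPARATOR = "|"


@dataclass(frozen=True)
class StartupItem:
    """Constructed stand-in for one scanned startup item."""
    name: str
    file_path: str
    content: bytes   # file bytes, embedded so the example runs offline
    mtime: str       # file modification time as YYYYMMDD


def extended_info(item):
    """S302: collect the identifying fields of the startup item."""
    return {
        "file_size": str(len(item.content)),
        # MD5 is the digest field the page names; here it is a lookup key.
        "file_md5": hashlib.md5(item.content).hexdigest(),
        "file_mtime": item.mtime,
    }


def build_query(info):
    """S304: combine the fields into one string per the preset rule."""
    return SEPARATOR.join(info[field] for field in COMBINATION_RULE)


class Server:
    """S306 to S310: the two pre-stored correspondences of the Fig. 3 flow."""

    def __init__(self):
        self.key_to_id = {}    # combined string -> identification information
        self.id_to_info = {}   # identification information -> other additional info

    def register(self, item, item_id, **additional):
        self.key_to_id[build_query(extended_info(item))] = item_id
        self.id_to_info[item_id] = additional

    def query(self, key):
        item_id = self.key_to_id.get(key)
        if item_id is None:
            return {"id": None, "security_level": "unknown"}
        return {"id": item_id, **self.id_to_info[item_id]}


def decide(result, user_command=None):
    """S312: choose a processing action; a user command takes precedence.

    The level-to-action mapping and the threshold are assumptions.
    """
    if user_command in ("disable", "delete", "delay", "keep"):
        return user_command
    level = result["security_level"]
    if level == "dangerous":
        return "delete"
    if level == "unknown":
        return "disable"
    return "delay" if result.get("disable_rate", 0.0) >= 0.5 else "keep"


def scan(items, known_paths, server, user_commands=None):
    """Query the server only for files absent from the local program file list."""
    user_commands = user_commands or {}
    actions = {}
    for item in items:
        if item.file_path in known_paths:
            actions[item.name] = "keep"
            continue
        result = server.query(build_query(extended_info(item)))
        actions[item.name] = decide(result, user_commands.get(item.name))
    return actions


# Constructed sample data: names, paths and file contents are made up.
UPDATER = StartupItem("VendorUpdater", r"C:\Program Files\Vendor\upd.exe", b"updater-v1", "20140501")
ADPUSH = StartupItem("AdPush", r"C:\Users\Public\adpush.exe", b"adpush-v7", "20140430")
NEWBIN = StartupItem("NewBin", r"C:\Temp\newbin.exe", b"never-seen", "20140502")
SHELL = StartupItem("Shell", r"C:\Windows\explorer.exe", b"shell", "20140101")


def demo():
    server = Server()
    server.register(UPDATER, "id-1001", display_name="Vendor Updater",
                    disable_rate=0.72, security_level="safe")
    server.register(ADPUSH, "id-1002", display_name="Ad Push Service",
                    disable_rate=0.95, security_level="dangerous")
    return scan([UPDATER, ADPUSH, NEWBIN, SHELL], {SHELL.file_path}, server)


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name}: {action}")
```

Because the lookup key is built from file properties rather than from the startup item name or path alone, a file whose bytes change under an unchanged name no longer matches its registered entry and falls back to the unknown handling.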

It should be noted that, in practical applications, all of the above optional implementations may be combined in any manner to form optional embodiments of the present invention, which are not described one by one here.

Based on the same inventive concept, an embodiment of the present invention also provides a device for startup item detection, which implements the above method for startup item detection.

Fig. 4 shows a schematic structural diagram of a client-side device for startup item detection according to one embodiment of the invention. Referring to Fig. 4, the device comprises at least: an acquisition module 410, a query module 420 and a processing module 430.

The functions of the components of the client-side device for startup item detection, and the connections between them, are now described.

The acquisition module 410 is configured to obtain the startup item extended information of the startup item to be detected, where the startup item extended information is identifying information for identifying the startup item to be detected.

The query module 420 is coupled to the acquisition module 410 and is configured to send a query request for additional information about the startup item to be detected to the server, where the query request carries the startup item extended information.

The processing module 430 is coupled to the query module 420 and is configured to receive the query result returned by the server and to process the startup item to be detected according to the query result.

In one embodiment, the startup item extended information comprises at least one of the following: file name, file path, file size, file internal name, file MD5 (message-digest algorithm) value, file signing company information, file modification time, file creation time, file attributes, startup item name, service name, and registry location.

In one embodiment, when the startup item extended information comprises multiple items, the query request carries a character string obtained by combining the multiple items of startup item extended information according to a preset combination rule.

In one embodiment, if the query result is the identification information of the startup item to be detected, the processing module 430 is further configured to: obtain from an additional information library, according to the identification information of the startup item to be detected, the additional information of the startup item to be detected other than the identification information; and process the startup item to be detected according to the obtained additional information.

In one embodiment, as shown in Fig. 4, the device for startup item detection may further comprise a command receiving module 440.

The command receiving module 440 is coupled to the processing module 430 and is configured to receive a processing command from the user, where the processing command is determined by the user according to the query result.

The processing module 430 is further configured to process the startup item to be detected according to the processing command.

Correspondingly, Fig. 5 shows a schematic structural diagram of a server-side device for startup item detection according to one embodiment of the invention. Referring to Fig. 5, the device comprises at least: a query request receiving module 510 and a sending module 520.

The functions of the components of the server-side device for startup item detection, and the connections between them, are now described.

The query request receiving module 510 is configured to receive, from the client, a query request for additional information about the startup item to be detected, where the query request carries the startup item extended information of the startup item to be detected, and the startup item extended information is identifying information for identifying the startup item to be detected.

The sending module 520 is coupled to the query request receiving module 510 and is configured to obtain a query result according to the startup item extended information and to send the query result to the client.

In one embodiment, the startup item extended information comprises at least one of the following: file name, file path, file size, file internal name, file MD5 (message-digest algorithm) value, file signing company information, file modification time, file creation time, file attributes, startup item name, service name, and registry location.

In one embodiment, when the startup item extended information comprises multiple items, the query request carries a character string obtained by combining the multiple items of startup item extended information according to a preset combination rule.

In one embodiment, the sending module 520 is further configured to: look up the identification information of the startup item to be detected that corresponds to the startup item extended information; and obtain the query result according to the identification information of the startup item to be detected.

Building on the method and device for startup item detection provided by the above embodiments, and based on the same inventive concept, an embodiment of the present invention also provides a system for startup item detection. As shown in Fig. 6, the system comprises at least: the client 610 introduced above (as shown in Fig. 4) and the server 620 introduced above (as shown in Fig. 5).

The functions of the components of the system for startup item detection, and the connections between them, are now described:

The client 610 is configured to obtain the startup item extended information of the startup item to be detected, where the startup item extended information is identifying information for identifying the startup item to be detected; to send a query request for additional information about the startup item to be detected to the server, where the query request carries the startup item extended information; and to receive the query result returned by the server and process the startup item to be detected according to the query result.

The server 620 is coupled to the client 610 and is configured to receive, from the client, the query request for additional information about the startup item to be detected, where the query request carries the startup item extended information of the startup item to be detected, and the startup item extended information is identifying information for identifying the startup item to be detected; and to obtain a query result according to the startup item extended information and send the query result to the client.

According to any one of the above preferred embodiments or a combination of several of them, embodiments of the present invention can achieve the following beneficial effects:

According to the technical solution of the present invention, the startup item to be detected is checked using its startup item extended information, which may comprise at least one of the following: file name, file path, file size, file internal name, file MD5, file signing company information, file modification time, file creation time, file attributes, startup item name, service name, and registry location. Because this startup item extended information is identifying information for identifying the startup item to be detected, startup items that bypass existing boot startup item management software can be detected, and suspicious or malicious startup items can be processed in time, which saves system resources, increases system startup speed, and gives the user a good environment in which to use the system. In addition, embodiments of the present invention can process the startup item to be detected according to a processing command entered by the user, so the user keeps the initiative and the user experience is improved.

Numerous specific details are set forth in the description provided here. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.

Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together into a single embodiment, figure, or description thereof in the above description of exemplary embodiments of the invention. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.

Those skilled in the art will understand that the modules of the device in an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components of an embodiment may be combined into one module or unit or component, and may furthermore be divided into a plurality of sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings), and all processes or units of any method or device so disclosed, may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.

Furthermore, those skilled in the art will understand that although some embodiments described here include some features that are included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the claims, any of the claimed embodiments may be used in any combination.

The component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination of the two. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the device for startup item detection according to embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described here. Such a program implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.

It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any order. These words may be interpreted as names.

By now, those skilled in the art will recognize that, although a number of exemplary embodiments of the invention have been shown and described in detail here, many other variations or modifications consistent with the principles of the invention can still be determined or derived directly from the disclosure without departing from the spirit and scope of the invention. The scope of the invention should therefore be understood and deemed to cover all such other variations or modifications.

Embodiments of the present invention also disclose: A1. A method for startup item detection, comprising:

obtaining the startup item extended information of a startup item to be detected, where the startup item extended information is identifying information for identifying the startup item to be detected;

sending a query request for additional information about the startup item to be detected to a server, where the query request carries the startup item extended information;

receiving the query result returned by the server, and processing the startup item to be detected according to the query result.

A2. The method according to A1, wherein the startup item extended information comprises at least one of the following: file name, file path, file size, file internal name, file MD5 (message-digest algorithm) value, file signing company information, file modification time, file creation time, file attributes, startup item name, service name, and registry location.

A3. The method according to A1 or A2, wherein, when the startup item extended information comprises multiple items, the query request carries a character string obtained by combining the multiple items of startup item extended information according to a preset combination rule.

A4. The method according to any one of A1 to A3, wherein, if the query result is the identification information of the startup item to be detected, processing the startup item to be detected according to the query result comprises:

obtaining from an additional information library, according to the identification information of the startup item to be detected, the additional information of the startup item to be detected other than the identification information;

processing the startup item to be detected according to the obtained additional information.

A5. The method according to any one of A1 to A4, further comprising:

receiving a processing command from a user, where the processing command is determined by the user according to the query result;

processing the startup item to be detected according to the processing command.

A6. A method for startup item detection, comprising:

receiving, from a client, a query request for additional information about a startup item to be detected, where the query request carries the startup item extended information of the startup item to be detected, and the startup item extended information is identifying information for identifying the startup item to be detected;

obtaining a query result according to the startup item extended information, and sending the query result to the client.

A7. The method according to A6, wherein the startup item extended information comprises at least one of the following: file name, file path, file size, file internal name, file MD5 (message-digest algorithm) value, file signing company information, file modification time, file creation time, file attributes, startup item name, service name, and registry location.

A8. The method according to A6 or A7, wherein, when the startup item extended information comprises multiple items, the query request carries a character string obtained by combining the multiple items of startup item extended information according to a preset combination rule.

A9. The method according to any one of A6 to A8, wherein obtaining a query result according to the startup item extended information comprises:

looking up the identification information of the startup item to be detected that corresponds to the startup item extended information;

obtaining the query result according to the identification information of the startup item to be detected.

B10. A device for startup item detection, applied to a client, comprising:

an acquisition module, configured to obtain the startup item extended information of a startup item to be detected, where the startup item extended information is identifying information for identifying the startup item to be detected;

a query module, configured to send a query request for additional information about the startup item to be detected to a server, where the query request carries the startup item extended information;

a processing module, configured to receive the query result returned by the server and to process the startup item to be detected according to the query result.

B11. The device according to B10, wherein the startup item extended information comprises at least one of the following: file name, file path, file size, file internal name, file MD5 (message-digest algorithm) value, file signing company information, file modification time, file creation time, file attributes, startup item name, service name, and registry location.

B12. The device according to B10 or B11, wherein, when the startup item extended information comprises multiple items, the query request carries a character string obtained by combining the multiple items of startup item extended information according to a preset combination rule.

B13. The device according to any one of B10 to B12, wherein, if the query result is the identification information of the startup item to be detected, the processing module is further configured to:

obtain from an additional information library, according to the identification information of the startup item to be detected, the additional information of the startup item to be detected other than the identification information;

process the startup item to be detected according to the obtained additional information.

B14. The device according to any one of B10 to B13, further comprising:

a command receiving module, configured to receive a processing command from a user, where the processing command is determined by the user according to the query result;

the processing module being further configured to process the startup item to be detected according to the processing command.

B15. A device for startup item detection, applied to a server, comprising:

a query request receiving module, configured to receive, from a client, a query request for additional information about a startup item to be detected, where the query request carries the startup item extended information of the startup item to be detected, and the startup item extended information is identifying information for identifying the startup item to be detected;

a sending module, configured to obtain a query result according to the startup item extended information and to send the query result to the client.

B16. The device according to B15, wherein the startup item extended information comprises at least one of the following: file name, file path, file size, file internal name, file MD5 (message-digest algorithm) value, file signing company information, file modification time, file creation time, file attributes, startup item name, service name, and registry location.

B17. The device according to B15 or B16, wherein, when the startup item extended information comprises multiple items, the query request carries a character string obtained by combining the multiple items of startup item extended information according to a preset combination rule.

B18. The device according to any one of B15 to B17, wherein the sending module is further configured to:

look up the identification information of the startup item to be detected that corresponds to the startup item extended information;

obtain the query result according to the identification information of the startup item to be detected.

B19. A system for startup item detection, comprising the client according to any one of B10 to B14 and the server according to any one of B15 to B18, wherein:

the client is configured to obtain the startup item extended information of a startup item to be detected, where the startup item extended information is identifying information for identifying the startup item to be detected; to send a query request for additional information about the startup item to be detected to the server, where the query request carries the startup item extended information; and to receive the query result returned by the server and process the startup item to be detected according to the query result;

the server is configured to receive, from the client, the query request for additional information about the startup item to be detected, where the query request carries the startup item extended information of the startup item to be detected, and the startup item extended information is identifying information for identifying the startup item to be detected; and to obtain a query result according to the startup item extended information and send the query result to the client.

Claims (10)

1. A method for startup item detection, comprising:
obtaining the startup item extended information of a startup item to be detected, where the startup item extended information is identifying information for identifying the startup item to be detected;
sending a query request for additional information about the startup item to be detected to a server, where the query request carries the startup item extended information;
receiving the query result returned by the server, and processing the startup item to be detected according to the query result.
2. The method according to claim 1, wherein the startup item extended information comprises at least one of the following: file name, file path, file size, file internal name, file MD5 (message-digest algorithm) value, file signing company information, file modification time, file creation time, file attributes, startup item name, service name, and registry location.
3. The method according to claim 1 or 2, wherein, when the startup item extended information comprises multiple items, the query request carries a character string obtained by combining the multiple items of startup item extended information according to a preset combination rule.
4. The method according to any one of claims 1 to 3, wherein, if the query result is the identification information of the startup item to be detected, processing the startup item to be detected according to the query result comprises:
obtaining from an additional information library, according to the identification information of the startup item to be detected, the additional information of the startup item to be detected other than the identification information;
processing the startup item to be detected according to the obtained additional information.
5. The method according to any one of claims 1 to 4, further comprising:
receiving a processing command from a user, where the processing command is determined by the user according to the query result;
processing the startup item to be detected according to the processing command.
6. A method for startup item detection, comprising:
receiving, from a client, a query request for additional information about a startup item to be detected, where the query request carries the startup item extended information of the startup item to be detected, and the startup item extended information is identifying information for identifying the startup item to be detected;
obtaining a query result according to the startup item extended information, and sending the query result to the client.
7. The method according to claim 6, wherein the startup item extended information comprises at least one of the following: file name, file path, file size, file internal name, file MD5 (message-digest algorithm) value, file signing company information, file modification time, file creation time, file attributes, startup item name, service name, and registry location.
8. A device for startup item detection, applied to a client, comprising:
an acquisition module, configured to obtain the startup item extended information of a startup item to be detected, where the startup item extended information is identifying information for identifying the startup item to be detected;
a query module, configured to send a query request for additional information about the startup item to be detected to a server, where the query request carries the startup item extended information;
a processing module, configured to receive the query result returned by the server and to process the startup item to be detected according to the query result.
9. A device for startup item detection, applied to a server, comprising:
a query request receiving module, configured to receive, from a client, a query request for additional information about a startup item to be detected, where the query request carries the startup item extended information of the startup item to be detected, and the startup item extended information is identifying information for identifying the startup item to be detected;
a sending module, configured to obtain a query result according to the startup item extended information and to send the query result to the client.
10. A system for startup item detection, comprising the client according to claim 8 and the server according to claim 9, wherein:
the client is configured to obtain the startup item extended information of a startup item to be detected, where the startup item extended information is identifying information for identifying the startup item to be detected; to send a query request for additional information about the startup item to be detected to the server, where the query request carries the startup item extended information; and to receive the query result returned by the server and process the startup item to be detected according to the query result;
the server is configured to receive, from the client, the query request for additional information about the startup item to be detected, where the query request carries the startup item extended information of the startup item to be detected, and the startup item extended information is identifying information for identifying the startup item to be detected; and to obtain a query result according to the startup item extended information and send the query result to the client.
CN201410242851.7A 2014-06-03 2014-06-03 Method, device and system for startup item detection CN104021338A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410242851.7A CN104021338A (en) 2014-06-03 2014-06-03 Method, device and system for startup item detection

Publications (1)

Publication Number Publication Date
CN104021338A true CN104021338A (en) 2014-09-03

Legal Events

Date Code Title Description
PB01 Publication
C06 Publication
SE01 Entry into force of request for substantive examination
C10 Entry into substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20140903
