CN104063663A - Computer virus scan method - Google Patents

Publication number
CN104063663A
Authority
CN
China
Legal status
Pending
Application number
CN201410268598.2A
Inventor
周鸿祎
付旻
邹贵强
Current Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files

Abstract

The embodiments of the invention disclose a method and a device for processing computer viruses. Several virus scan modes are preset, and they occupy different amounts of system resources when scanning files. The method comprises: obtaining the files to be scanned; and calling the virus scan modes, in ascending order of the system resources they occupy, to scan the files to be scanned. Because the scan modes are called in ascending order of the system resources they occupy, files are first scanned by a mode that occupies fewer system resources, such as the memory scan mode. This reduces the number of files that must be scanned by the modes that occupy more system resources, which improves the system's virus scan speed and saves system resources.

Description

Computer virus scan method
This application is a divisional application of the Chinese invention patent application filed on September 9, 2011, with application number 201110277746.3, entitled "Method and device for processing computer viruses".
Technical field
The present application relates to the field of computer technology, and in particular to a method and a device for processing computer viruses.
Background
A computer virus is data created in, or inserted into, a computer program that damages computer functions; it can interfere with the normal use of the computer and can replicate itself, and it usually takes the form of a set of computer instructions or program code. An antivirus engine is a technical mechanism for judging whether a specific program's behavior is that of a virus program (including suspicious programs). The antivirus engine is the main part of antivirus software and is the program that detects and finds viruses, while the virus database is the set of features of viruses that have already been found. During virus removal, all programs or files on the machine are compared against the features in the virus database, and any program or file that matches these features is judged to be a virus.
In studying the prior art, the inventors found that each run of the antivirus engine is independent of the others: whatever result the previous engine scan produced, the next run still scans all files with the antivirus engine, even though the types of virus files found in two consecutive scans may be the same. Thus, although the antivirus engine is powerful at removing viruses, scanning all files with it every time occupies a large amount of system resources.
Summary of the invention
The embodiments of the present application provide a method and a device for processing computer viruses, to solve the problem that existing antivirus engines scan all files on every run and therefore occupy a large amount of system resources.
To solve the above technical problem, the embodiments of the present application disclose the following technical solutions:
A method for processing computer viruses, in which several virus scan modes are preset, the virus scan modes occupying different amounts of system resources when scanning files, the method comprising:
Obtaining the files to be scanned;
Calling the virus scan modes, in ascending order of the system resources they occupy, to scan the files to be scanned.
The virus scan modes comprise at least a first virus scan mode and a second virus scan mode, the first virus scan mode occupying fewer system resources than the second virus scan mode;
Calling the virus scan modes to scan the files to be scanned comprises:
Calling the first virus scan mode to scan the files to be scanned, obtaining the determined files among the files to be scanned;
Calling the second virus scan mode to scan only the files other than the determined files among the files to be scanned.
The virus scan modes, arranged in ascending order of the system resources they occupy, comprise at least two of the following:
A memory scan mode, which performs virus scanning according to the scan results of previously scanned files saved in the cache, the scan results comprising the file attribute information of files determined to be malicious or non-malicious, and the file attribute information comprising file size, file modification time and file path;
A list scan mode, which performs virus scanning using at least one of a pre-saved blacklist and a pre-saved whitelist;
An engine scan mode, which performs virus scanning using an antivirus engine.
Calling the virus scan modes, in ascending order of the system resources they occupy, to scan the files to be scanned comprises:
Calling the memory scan mode to scan the files to be scanned, obtaining a first scan result comprising first determined files;
Calling the list scan mode to scan only the other files, that is, the files to be scanned other than the first determined files, obtaining a second scan result comprising second determined files;
Calling the engine scan mode to scan only the remaining files, that is, the other files excluding the second determined files, obtaining a third scan result comprising third determined files.
Scanning the files to be scanned in the memory scan mode comprises:
Obtaining the file attribute information of a file to be scanned;
Matching the file attribute information against the file attribute information saved in the cache;
When the file attributes of the file to be scanned match the file attributes saved in the cache, determining the file to be scanned to be a malicious file or a non-malicious file; when they do not match, determining the file to be scanned to be one of the other files to be scanned by the list scan mode.
Scanning, by means of the pre-saved blacklist, the other files left after the memory scan (those other than the first determined files) comprises:
Comparing the file name of each of the other files with the file names pre-saved in the blacklist, and, when the file name of a file matches a pre-saved file name, determining that file to be a malicious file belonging to the second determined files;
Scanning, by means of the pre-saved whitelist, the other files left after the memory scan (those other than the first determined files) comprises:
Comparing the file name of each of the other files with the file names pre-saved in the whitelist, and, when the file name of a file matches a pre-saved file name, determining that file to be a non-malicious file belonging to the second determined files.
The method further comprises:
According to the scan results of the files to be scanned, storing the file attributes of the second determined files and the third determined files in the cache.
A device for processing computer viruses, the device comprising:
A setting unit, for presetting several virus scan modes, the virus scan modes occupying different amounts of system resources when scanning files;
An acquiring unit, for obtaining the files to be scanned;
A scanning unit, for calling the virus scan modes, in ascending order of the system resources they occupy, to scan the files to be scanned.
The virus scan modes set in the setting unit comprise at least a first virus scan mode and a second virus scan mode, the first virus scan mode occupying fewer system resources than the second virus scan mode;
The scanning unit comprises:
A first call-scan unit, for calling the first virus scan mode to scan the files to be scanned, obtaining the determined files among the files to be scanned;
A second call-scan unit, for calling the second virus scan mode to scan only the files other than the determined files among the files to be scanned, obtaining a second scan result.
The virus scan modes set by the setting unit, arranged in ascending order of the system resources they occupy, comprise at least two of the following:
A memory scan mode, which performs virus scanning according to the scan results of previously scanned files saved in the cache, the scan results comprising the file attributes of files determined to be malicious or non-malicious, and the file attributes comprising file size, file modification time and file path;
A list scan mode, which performs virus scanning using at least one of a pre-saved blacklist and a pre-saved whitelist;
An engine scan mode, which performs virus scanning using an antivirus engine.
The scanning unit comprises:
A first scanning unit, for calling the memory scan mode to scan the files to be scanned, obtaining a first scan result comprising first determined files;
A second scanning unit, for calling the list scan mode to scan only the other files, that is, the files to be scanned other than the first determined files, obtaining a second scan result comprising second determined files;
A third scanning unit, for calling the engine scan mode to scan only the remaining files, that is, the other files excluding the second determined files, obtaining a third scan result comprising third determined files.
The first scanning unit comprises:
An information acquisition unit, for obtaining the file attribute information of a file to be scanned;
An information matching unit, for matching the file attribute information against the file attribute information saved in the cache;
A result determining unit, for determining the file to be scanned to be a malicious file or a non-malicious file when its file attributes match the file attributes saved in the cache, and for determining the file to be scanned to be one of the other files to be scanned by the list scan mode when they do not match.
The second scanning unit comprises at least one of the following units:
A blacklist scanning unit, for comparing the file name of each of the other files with the file names pre-saved in the blacklist, and, when the file name of a file matches a pre-saved file name, determining that file to be a malicious file belonging to the second determined files;
A whitelist scanning unit, for comparing the file name of each of the other files with the file names pre-saved in the whitelist, and, when the file name of a file matches a pre-saved file name, determining that file to be a non-malicious file belonging to the second determined files.
The device further comprises:
A storage unit, for storing the file attributes of the second determined files and the third determined files in the cache according to the scan results of the second scanning unit and the third scanning unit.
As can be seen from the above, in the embodiments of the present application several virus scan modes are preset, the virus scan modes occupying different amounts of system resources when scanning files; the files to be scanned are obtained, and the virus scan modes are called, in ascending order of the system resources they occupy, to scan them. Because the scan modes are called in ascending order of the system resources they occupy, files can first be scanned by a mode that occupies fewer system resources, for example the memory scan mode. This reduces the number of files that must be scanned by the modes that occupy more system resources, which improves the system's virus scan speed and saves system resources. Further, because the memory scan mode, which occupies fewer system resources, keeps the scan results of the previous scan, a rescan can determine the scan results of most files through the memory scan mode, which further increases scanning speed.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present application or of the prior art more clearly, the drawings needed in describing the embodiments or the prior art are briefly introduced below. Obviously, those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flowchart of the first embodiment of the method for processing computer viruses of the present application;
Fig. 2 is a flowchart of the second embodiment of the method for processing computer viruses of the present application;
Fig. 3 is a flowchart of the third embodiment of the method for processing computer viruses of the present application;
Fig. 4 is a block diagram of the first embodiment of the device for processing computer viruses of the present application;
Fig. 5 is a block diagram of the second embodiment of the device for processing computer viruses of the present application.
Detailed description of the embodiments
The following embodiments of the invention provide a method and a device for processing computer viruses. Because the embodiments of the present application call the virus scan modes in ascending order of the system resources they occupy, files can first be scanned by a mode that occupies fewer system resources. This reduces the number of files that must be scanned by the modes that occupy more system resources, which improves the system's virus scan speed and saves system resources.
To help those skilled in the art better understand the technical solutions in the embodiments of the invention, and to make the above objects, features and advantages of the embodiments clearer, the technical solutions in the embodiments are described in further detail below with reference to the drawings.
Fig. 1 is a flowchart of the first embodiment of the method for processing computer viruses of the present application:
Step 101: Preset several virus scan modes, the virus scan modes occupying different amounts of system resources when scanning files.
The virus scan modes, arranged in ascending order of the system resources they occupy, comprise at least two of the following: a memory scan mode, which performs virus scanning according to the scan results of previously scanned files saved in the cache, where the scan results comprise the file attribute information of files determined to be malicious or non-malicious, and the file attribute information comprises file size, file modification time and file path; a list scan mode, which performs virus scanning using at least one of a pre-saved blacklist and a pre-saved whitelist; and an engine scan mode, which performs virus scanning using an antivirus engine.
Step 102: Obtain the files to be scanned.
Step 103: Call the virus scan modes, in ascending order of the system resources they occupy, to scan the files to be scanned.
When the virus scan modes comprise at least a first virus scan mode and a second virus scan mode, and the first virus scan mode occupies fewer system resources than the second, the first virus scan mode is called first to scan the files to be scanned and obtain the determined files among them; the second virus scan mode is then called to scan only the files other than the determined files. Here, a determined file is a file that has been determined to be a malicious file or a non-malicious file.
Specifically, when the memory scan mode, the list scan mode and the engine scan mode are all used to scan the files to be scanned, the memory scan mode is called first to scan the files to be scanned, obtaining a first scan result comprising first determined files. The list scan mode is then called to scan only the other files, that is, the files to be scanned other than the first determined files, obtaining a second scan result comprising second determined files. Finally, the engine scan mode is called to scan only the remaining files, that is, the other files excluding the second determined files, obtaining a third scan result comprising third determined files.
Fig. 2 is a flowchart of the second embodiment of the method for processing computer viruses of the present application. This embodiment describes in detail the process of scanning the files to be scanned with three scan modes:
Step 201: Preset the memory scan mode, the list scan mode and the engine scan mode, arranged in ascending order of the system resources they occupy.
The memory scan mode performs virus scanning according to the scan results of previously scanned files saved in the cache; the scan results comprise the file attribute information of files determined to be malicious or non-malicious, and the file attribute information comprises file size, file modification time, file path and the like. The list scan mode performs virus scanning using at least one of a pre-saved blacklist and a pre-saved whitelist. The engine scan mode performs virus scanning using an antivirus engine.
Step 202: Obtain the files to be scanned.
Step 203: Call the memory scan mode to scan the files to be scanned, obtaining a first scan result comprising first determined files.
Obtain the file attribute information of the file to be scanned, such as file size, file modification time and file path. The file attributes in the system record the file size, modification time, file path and other attribute information of the file as of its last modification, and the attribute information is updated in real time as the file is modified.
The file attribute information is matched against the file attribute information saved in the cache. When the file attributes of the file to be scanned match the file attributes saved in the cache, the file to be scanned is determined to be a malicious file or a non-malicious file; when they do not match, the file to be scanned is determined to be one of the other files to be scanned by the list scan mode. Because the file attribute information comprises several items, the items can be matched one by one in a preset order, for example file size first, then file modification time, and finally file path. The file attributes of a file are determined to match those saved in the cache only when all of its attribute information is consistent with the file attribute information saved in the cache; when any item of a file's attribute information is inconsistent with the file attribute information saved in the cache, the file attributes of that file are determined not to match those saved in the cache.
Because the memory scan mode performs virus scanning according to the scan results of previously scanned files saved in the cache, the determined files in the first scan result obtained by matching are the set of files that the previous scan determined to be malicious or non-malicious. Because memory is fast to read and the virus files change little between two consecutive scans, the memory scan mode can check most of the files in the system, which increases scanning speed and saves system resources.
Step 204: Call the list scan mode to scan only the other files, that is, the files to be scanned other than the first determined files, obtaining a second scan result comprising second determined files.
When scanning with the pre-saved blacklist, the file name of each of the other files is compared with the file names pre-saved in the blacklist; when the file name of a file matches a pre-saved file name, that file is determined to be a malicious file belonging to the second determined files. When scanning with the pre-saved whitelist, the file name of each of the other files is compared with the file names pre-saved in the whitelist; when the file name of a file matches a pre-saved file name, that file is determined to be a non-malicious file belonging to the second determined files.
The whitelist is usually maintained by the user on the client: the user adds files determined to be non-malicious to the whitelist, which can record information such as the file name and file path of each file. The blacklist is usually maintained by the antivirus software provider, which adds files determined through monitoring to be malicious to the blacklist.
Step 205: Call the engine scan mode to scan only the remaining files, that is, the other files excluding the second determined files, obtaining a third scan result comprising third determined files.
When the remaining files are scanned in the engine scan mode, the antivirus engine used may be any existing antivirus engine, such as a cloud scanning engine, the QVM (Qihoo Virtual Machine, artificial intelligence engine) engine, or the Avira ("Little Red Umbrella") antivirus engine.
Step 206: According to the scan results of the files to be scanned, store the file attributes of the second determined files and the third determined files in the cache.
In this scan, the determined files in the scan results obtained by the list scan mode and the engine scan mode differ from the determined files saved in the cache. Therefore, to further speed up the next virus scan, the file attributes of the second and third determined files, including file size, file modification time and file path, are recorded in the cache, so that next time these files can be scanned directly by the memory scan mode, which occupies the fewest system resources.
Fig. 3 is a flowchart of the third embodiment of the method for processing computer viruses of the present application. This embodiment shows in detail the process of scanning the files to be scanned in the memory scan mode:
Step 301: Save the scan results of previously scanned files in the cache in advance; the scan results comprise the file attribute information of files determined to be malicious or non-malicious, and the file attribute information comprises file size, file modification time and file path.
Step 302: Take the next file, in order, from the files to be scanned.
Step 303: Obtain the file size, file modification time and file path of the file.
The file attributes in the system record the file size, modification time, file path and other attribute information of the file as of its last modification, and the attribute information is updated in real time as the file is modified.
Step 304: Determine whether the file size of the file matches the pre-saved file size; if so, go to step 305; otherwise, go to step 309.
Step 305: Determine whether the file modification time of the file matches the pre-saved file modification time; if so, go to step 306; otherwise, go to step 309.
Step 306: Determine whether the file path of the file matches the pre-saved file path; if so, go to step 307; otherwise, go to step 309.
Step 307: Determine the file to be a malicious file or a non-malicious file according to the matching result.
The file attributes of a file are determined to match those saved in the cache only when all of its attribute information is consistent with the file attribute information saved in the cache. If the file corresponding to the matched file attribute information in memory is a malicious file, the scan result for this file is malicious; if the file corresponding to the matched file attribute information in memory is a non-malicious file, the scan result for this file is non-malicious.
Because the memory scan mode performs virus scanning according to the scan results of previously scanned files saved in the cache, the determined files in the first scan result obtained by matching are the set of files that the previous scan determined to be malicious or non-malicious. Because memory is fast to read and the virus files change little between two consecutive scans, the memory scan mode can check most of the files in the system, which increases scanning speed and saves system resources.
Step 308: Determine the file to be a file that needs to be scanned by another scan mode.
When any item of a file's attribute information is inconsistent with the file attribute information saved in the cache, the file attributes of that file are determined not to match those saved in the cache. In that case the file is to be scanned by a scan mode other than the memory scan mode, for example the list scan mode and/or the engine scan mode shown in the preceding embodiment.
Step 309: Determine whether all files to be scanned have been matched; if so, end the flow; otherwise, return to step 302.
As can be seen from the above embodiments of the present application, when files are scanned for viruses, the virus scan modes are called in ascending order of the system resources they occupy, so files can first be scanned by a mode that occupies fewer system resources, for example the memory scan mode. This reduces the number of files that must be scanned by the modes that occupy more system resources, which improves the system's virus scan speed and saves system resources. Further, because the memory scan mode, which occupies fewer system resources, keeps the scan results of the previous scan, a rescan can determine the scan results of most files through the memory scan mode, which further increases scanning speed.
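The three-tier flow of the second and third embodiments (cache match on size, modification time and path; list match on file name; engine scan; write-back of new verdicts to the cache), as an added sketch that is not code from the patent. `TieredScanner`, `toy_engine` and the marker string are hypothetical names, and the sample files are constructed in a temporary directory.

```python
import os
import tempfile
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

MALICIOUS, CLEAN = "malicious", "non-malicious"
MARKER = b"CONSTRUCTED-TEST-MARKER"  # constructed stand-in for a virus signature


def file_attrs(path: str) -> Tuple[int, int, str]:
    """Attribute triple named on the page: file size, modification time, path."""
    st = os.stat(path)
    return st.st_size, st.st_mtime_ns, os.path.abspath(path)


def toy_engine(path: str) -> str:
    """Hypothetical engine: reads the whole file, the costly step the tiers avoid."""
    with open(path, "rb") as fh:
        return MALICIOUS if MARKER in fh.read() else CLEAN


@dataclass
class TieredScanner:
    engine: Callable[[str], str]
    blacklist: Set[str] = field(default_factory=set)   # file names
    whitelist: Set[str] = field(default_factory=set)   # file names
    cache: Dict[str, Tuple[int, int, str]] = field(default_factory=dict)
    engine_calls: int = 0

    def _cache_verdict(self, path: str) -> Optional[str]:
        """Memory scan mode: a hit needs size, mtime and path to all match."""
        size, mtime, abspath = file_attrs(path)
        entry = self.cache.get(abspath)                 # path comparison
        if entry is None or entry[0] != size or entry[1] != mtime:
            return None                                 # any mismatch: next tier
        return entry[2]

    def _list_verdict(self, path: str) -> Optional[str]:
        """List scan mode: compare the file name with blacklist and whitelist."""
        name = os.path.basename(path)
        if name in self.blacklist:
            return MALICIOUS
        if name in self.whitelist:
            return CLEAN
        return None

    def scan(self, paths: List[str]) -> Dict[str, Tuple[str, str]]:
        """Return path -> (verdict, tier), calling tiers in ascending cost."""
        results: Dict[str, Tuple[str, str]] = {}
        for p in paths:
            verdict = self._cache_verdict(p)            # step 203
            tier = "cache"
            if verdict is None:
                verdict, tier = self._list_verdict(p), "list"   # step 204
            if verdict is None:
                self.engine_calls += 1
                verdict, tier = self.engine(p), "engine"        # step 205
            results[p] = (verdict, tier)
            if tier != "cache":                         # step 206: write-back
                size, mtime, abspath = file_attrs(p)
                self.cache[abspath] = (size, mtime, verdict)
        return results


def demo():
    """Scan four constructed files twice, edit one, and scan a third time."""
    files = {"report.txt": b"quarterly numbers", "tool.exe": b"constructed",
             "bad.bin": b"constructed", "sample.dat": b"xx" + MARKER}
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, data in files.items():
            paths.append(os.path.join(d, name))
            with open(paths[-1], "wb") as fh:
                fh.write(data)
        s = TieredScanner(toy_engine, blacklist={"bad.bin"}, whitelist={"tool.exe"})

        def by_name(res):
            return {os.path.basename(p): v for p, v in res.items()}

        first = by_name(s.scan(paths))
        second = by_name(s.scan(paths))                 # unchanged files
        with open(paths[0], "ab") as fh:                # size changes: cache miss
            fh.write(b" (edited)")
        third = by_name(s.scan(paths))
        return first, second, third, s.engine_calls


if __name__ == "__main__":
    for run in demo()[:3]:
        print(run)
```

The cache key here is only the attribute triple the page names; file content is not hashed, so a cache hit means the recorded attributes are unchanged since the earlier verdict.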
Corresponding to the embodiments of the method of the present application for handling computer viruses, the present application also provides embodiments of a device for handling computer viruses.
Referring to Fig. 4, a block diagram of a first embodiment of the device of the present application for handling computer viruses:
The device comprises a setting unit 410, an acquiring unit 420 and a scanning unit 430.
The setting unit 410 is configured to set several virus scan modes in advance, the virus scan modes occupying different amounts of system resources when scanning files;
The acquiring unit 420 is configured to obtain the files to be scanned;
The scanning unit 430 is configured to call the corresponding virus scan modes to scan the files to be scanned, in order of the system resources the virus scan modes occupy, from smallest to largest.
The virus scan modes set in the setting unit 410 comprise at least a first virus scan mode and a second virus scan mode, and the first virus scan mode occupies fewer system resources than the second virus scan mode;
The scanning unit 430 may specifically comprise (not shown in Fig. 4):
A first calling scanning unit, configured to call the first virus scan mode to scan the files to be scanned and obtain the determined files among the files to be scanned;
A second calling scanning unit, configured to call the second virus scan mode to scan only the files, among the files to be scanned, other than the determined files, and obtain a second scan result.
Referring to Fig. 5, a block diagram of a second embodiment of the device of the present application for handling computer viruses:
The device comprises a setting unit 510, an acquiring unit 520, a scanning unit 530 and a storage unit 540.
The setting unit 510 is configured to set several virus scan modes in advance, the virus scan modes occupying different amounts of system resources when scanning files. The virus scan modes set by the setting unit, arranged in order of system resources occupied from smallest to largest, comprise at least two of the following modes: a memory scan mode, which performs virus scanning according to the scan results of previously scanned files saved in the cache, the scan results comprising the file attributes of files determined to be malicious or non-malicious, and the file attributes comprising file size, file modification time and file path; a list scan mode, which performs virus scanning using at least one of a blacklist and a whitelist saved in advance; and an engine scan mode, which performs virus scanning by means of an antivirus engine;
The acquiring unit 520 is configured to obtain the files to be scanned;
The scanning unit 530 is configured to call the corresponding virus scan modes to scan the files to be scanned, in order of the system resources the virus scan modes occupy, from smallest to largest. The scanning unit 530 may comprise: a first scanning unit 531, configured to call the memory scan mode to scan the files to be scanned and obtain a first scan result comprising first determined files; a second scanning unit 532, configured to call the list scan mode to scan only the other files, among the files to be scanned, apart from the first determined files, and obtain a second scan result comprising second determined files; and a third scanning unit 533, configured to call the engine scan mode to scan only the remaining files, among the other files, apart from the second determined files, and obtain a third scan result comprising third determined files;
The storage unit 540 is configured to store, according to the scan results of the second scanning unit and the third scanning unit, the file attributes of the second determined files and the third determined files in the cache.
Specifically, the first scanning unit 531 may comprise (not shown in Fig. 5):
An information acquisition unit, configured to obtain the file attribute information of a file to be scanned;
An information matching unit, configured to match the file attribute information against the file attribute information saved in the cache;
A result determining unit, configured to determine the file to be scanned to be a malicious file or a non-malicious file when its file attributes match the file attributes saved in the cache, and to determine the file to be scanned to be one of the other files to be scanned by the list scan mode when its file attributes do not match the file attributes saved in the cache.
Specifically, the second scanning unit 532 may comprise (not shown in Fig. 5):
A blacklist scanning unit, configured to compare the file name of each of the other files with the file names saved in advance in the blacklist and, when the file name of a file matches a file name saved in advance, determine that the file is a malicious file belonging to the second determined files;
A whitelist scanning unit, configured to compare the file name of each of the other files with the file names saved in advance in the whitelist and, when the file name of a file matches a file name saved in advance, determine that the file is a non-malicious file belonging to the second determined files.
As can be seen from the description of the above embodiments, in the embodiments of the present application several virus scan modes are set in advance, the virus scan modes occupying different amounts of system resources when scanning files; the files to be scanned are obtained; and the corresponding virus scan modes are called to scan the files to be scanned, in order of the system resources they occupy, from smallest to largest. When files are scanned for viruses according to the embodiments of the present application, the virus scan modes are called in order of the system resources they occupy, from smallest to largest. Files can therefore first be scanned by a scan mode that occupies fewer system resources, such as the memory scan mode, which reduces the number of files that must be scanned by the scan modes that occupy more system resources, thereby improving the virus scanning speed of the system and saving system resources. Further, because the memory scan mode, which occupies fewer system resources, can save the results of the previous scan, the scan results of most files can be determined by the memory scan mode on a subsequent scan, which further increases scanning speed.
Those skilled in the art will clearly understand that the techniques in the embodiments of the present invention can be implemented by software plus the necessary general-purpose hardware platform. Based on this understanding, the technical solutions in the embodiments of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium, such as a ROM/RAM, magnetic disk or optical disc, and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the methods described in the embodiments of the present invention or in certain parts of the embodiments.
The embodiments in this specification are described in a progressive manner; for identical or similar parts, the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, because the system embodiments are substantially similar to the method embodiments, they are described relatively briefly; for relevant details, refer to the description of the method embodiments.
The embodiments of the present invention described above do not limit the scope of protection of the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (16)

1. A computer virus scan method, comprising:
Obtaining files to be scanned;
Scanning the files to be scanned using a memory scan mode to obtain the determined files among the files to be scanned, wherein the memory scan mode performs virus scanning according to the scan results of previously scanned files saved in a cache;
Scanning the other files, among the files to be scanned, apart from the determined files using a list scan mode, wherein the list scan mode performs virus scanning using at least one of a blacklist and a whitelist saved in advance.
2. The method according to claim 1, further comprising:
Scanning, using an engine scan mode, the files still undetermined after scanning by the list scan mode, wherein the engine scan mode performs virus scanning by means of an antivirus engine.
3. The method according to claim 1 or 2, wherein the scan results comprise the file attribute information of files determined to be malicious or non-malicious, the file attribute information comprising file size, file modification time and file path.
4. The method according to any one of claims 1 to 3, wherein scanning the files to be scanned using the memory scan mode to obtain the determined files among the files to be scanned comprises:
Obtaining the file attribute information of a file to be scanned;
Matching the file attribute information against the file attribute information saved in the cache;
When the file attributes of the file to be scanned match the file attributes saved in the cache, determining the file to be scanned to be a determined file that is a malicious file or a non-malicious file.
5. The method according to any one of claims 1 to 4, wherein scanning the other files, among the files to be scanned, apart from the determined files using the list scan mode comprises:
Comparing the file name of each of the other files with the file names saved in advance in the blacklist and, when the file name of a file matches a file name saved in advance, determining that the file is a malicious file; and/or
Comparing the file name of each of the other files with the file names saved in advance in the whitelist and, when the file name of a file matches a file name saved in advance, determining that the file is a non-malicious file.
6. The method according to any one of claims 1 to 5, further comprising:
Storing in the cache, according to the scan results of the files to be scanned, the file attributes of the files to be scanned that are determined to be malicious or non-malicious.
7. A computer virus scan method, comprising:
Obtaining files to be scanned;
Scanning the files to be scanned using a memory scan mode to obtain the determined files among the files to be scanned, wherein the memory scan mode performs virus scanning according to the scan results of previously scanned files saved in a cache;
Scanning the other files, among the files to be scanned, apart from the determined files using a scan mode other than the memory scan mode.
8. The method according to claim 7, wherein the scan mode other than the memory scan mode comprises a list scan mode and/or an engine scan mode, wherein
The list scan mode performs virus scanning using at least one of a blacklist and a whitelist saved in advance;
The engine scan mode performs virus scanning by means of an antivirus engine.
9. The method according to claim 7 or 8, wherein the scan results comprise the file attribute information of files determined to be malicious or non-malicious, the file attribute information comprising file size, file modification time and file path.
10. The method according to any one of claims 7 to 9, wherein scanning the files to be scanned using the memory scan mode to obtain the determined files among the files to be scanned comprises:
Obtaining the file attribute information of a file to be scanned;
Matching the file attribute information against the file attribute information saved in the cache;
When the file attributes of the file to be scanned match the file attributes saved in the cache, determining the file to be scanned to be a determined file that is a malicious file or a non-malicious file.
11. The method according to any one of claims 8 to 10, wherein, when the list scan mode is used, scanning the other files, among the files to be scanned, apart from the determined files using a scan mode other than the memory scan mode comprises:
Comparing the file name of each of the other files with the file names saved in advance in the blacklist and, when the file name of a file matches a file name saved in advance, determining that the file is a malicious file; and/or
Comparing the file name of each of the other files with the file names saved in advance in the whitelist and, when the file name of a file matches a file name saved in advance, determining that the file is a non-malicious file.
12. The method according to any one of claims 7 to 11, further comprising:
Storing in the cache, according to the scan results of the files to be scanned, the file attributes of the files to be scanned that are determined to be malicious or non-malicious.
13. A computer virus scan method, comprising:
Obtaining files to be scanned;
Scanning the files to be scanned using a memory scan mode to obtain the determined files among the files to be scanned, wherein the memory scan mode performs virus scanning according to the scan results of previously scanned files saved in a cache;
Scanning the other files, among the files to be scanned, apart from the determined files using an engine scan mode, wherein the engine scan mode performs virus scanning by means of an antivirus engine.
14. The method according to claim 13, wherein the scan results comprise the file attribute information of files determined to be malicious or non-malicious, the file attribute information comprising file size, file modification time and file path.
15. The method according to any one of claims 13 to 4, wherein scanning the files to be scanned using the memory scan mode to obtain the determined files among the files to be scanned comprises:
Obtaining the file attribute information of a file to be scanned;
Matching the file attribute information against the file attribute information saved in the cache;
When the file attributes of the file to be scanned match the file attributes saved in the cache, determining the file to be scanned to be a determined file that is a malicious file or a non-malicious file.
16. The method according to any one of claims 13 to 15, further comprising:
Storing in the cache, according to the scan results of the files to be scanned, the file attributes of the files to be scanned that are determined to be malicious or non-malicious.
CN201410268598.2A 2011-09-19 2011-09-19 Computer virus scan method Pending CN104063663A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410268598.2A CN104063663A (en) 2011-09-19 2011-09-19 Computer virus scan method


Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN201110277746.3A Division CN102346827B (en) 2011-09-19 2011-09-19 Method and device for handling computer viruses

Publications (1)

Publication Number Publication Date
CN104063663A true CN104063663A (en) 2014-09-24

Family

ID=51551371


Country Status (1)

Country Link
CN (1) CN104063663A (en)


Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090083852A1 (en) * 2007-09-26 2009-03-26 Microsoft Corporation Whitelist and Blacklist Identification Data
CN101685486A (en) * 2008-09-23 2010-03-31 联想(北京)有限公司 Virus killing method and virus killing system with multiple antivirus engines
CN101795267A (en) * 2009-12-30 2010-08-04 成都市华为赛门铁克科技有限公司 Method and device for detecting viruses and gateway equipment
US7979906B2 (en) * 2007-10-05 2011-07-12 Research In Motion Limited Method and system for multifaceted scanning


Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021135940A1 (en) * 2019-12-31 2021-07-08 深信服科技股份有限公司 Malicious file repairing method and apparatus, electronic device, and storage medium
CN113127865A (en) * 2019-12-31 2021-07-16 深信服科技股份有限公司 Malicious file repairing method and device, electronic equipment and storage medium
CN113127865B (en) * 2019-12-31 2023-11-07 深信服科技股份有限公司 Malicious file repairing method and device, electronic equipment and storage medium


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20140924