CN104239795B - The scan method and device of file - Google Patents


Publication number
CN104239795B
Authority
CN
China
Prior art keywords
file
characteristic
size
recognition result
apocrypha
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201410472180.3A
Other languages
Chinese (zh)
Other versions
CN104239795A (en
Inventor
郭明强
汪俊文
曹亮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd filed Critical Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN201410472180.3A priority Critical patent/CN104239795B/en
Publication of CN104239795A publication Critical patent/CN104239795A/en
Publication of CN104239795B publication Critical patent/CN104239795B/en

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

An embodiment of the present invention provides a file scanning method and device. A file to be scanned is obtained and then identified according to at least one of the size of the file and the feature data of the file, to obtain a recognition result: the file is a trusted file, the file is an untrusted file, or the file is an unknown file. Virus scanning can then be performed on the unknown file according to the recognition result. Because only unknown files need to be virus-scanned, rather than every file, this avoids the prior-art problem that virus-scanning each file occupies a large share of the terminal's system resources, and thereby improves the processing performance of the terminal.

Description

The scan method and device of file
【Technical field】
The present invention relates to computer technology, and in particular to a file scanning method and device.
【Background technology】
A virus is data, written into or inserted in an application, that destroys terminal functions. It can affect the normal use of the application and can replicate itself, and it usually takes the form of a set of instructions or program code. Viruses are destructive, replicable and infectious. A terminal can use an antivirus engine to virus-scan the files it stores, so that virus files are found promptly and the corresponding defence processing is carried out.
However, because a terminal stores a large number of files, virus-scanning every file occupies a large share of the terminal's system resources, which reduces the terminal's processing performance.
【Summary of the invention】
Several aspects of the present invention provide a file scanning method and device, to improve the processing performance of the terminal.
One aspect of the present invention provides a file scanning method, including:
obtaining a file to be scanned;
identifying the file according to at least one of the size of the file and the feature data of the file, to obtain a recognition result, the recognition result being that the file is a trusted file, that the file is an untrusted file, or that the file is an unknown file; and
performing virus scanning on the unknown file according to the recognition result.
In the aspect described above and any possible implementation, an implementation is further provided in which, after the file is identified according to at least one of the size of the file and the feature data of the file to obtain the recognition result, the method further includes:
skipping the trusted file according to the recognition result.
In the aspect described above and any possible implementation, an implementation is further provided in which, after the file is identified according to at least one of the size of the file and the feature data of the file to obtain the recognition result, the method further includes:
performing alert processing on the untrusted file according to the recognition result.
In the aspect described above and any possible implementation, an implementation is further provided in which the file is an executable file or a non-executable file.
In the aspect described above and any possible implementation, an implementation is further provided in which identifying the file according to at least one of the size of the file and the feature data of the file, to obtain the recognition result, includes:
obtaining the size of the file;
if the size of the file matches the size of a suspect file, obtaining the feature data of a specified portion of the file's content, the suspect file including at least one of a trusted file and/or an untrusted file;
if the feature data of the specified portion of the file's content matches the feature data of the specified portion of the suspect file's content, obtaining the feature data of the file's full content; and
if the feature data of the file's full content matches the feature data of the suspect file's full content, obtaining the recognition result that the file is a trusted file or that the file is an untrusted file.
In the aspect described above and any possible implementation, an implementation is further provided in which identifying the file according to at least one of the size of the file and the feature data of the file, to obtain the recognition result, further includes:
if the size of the file fails to match the size of a suspect file, obtaining the recognition result that the file is an unknown file; or
if the feature data of the specified portion of the file's content fails to match the feature data of the specified portion of the suspect file's content, obtaining the recognition result that the file is an unknown file; or
if the feature data of the file's full content fails to match the feature data of the suspect file's full content, obtaining the recognition result that the file is an unknown file.
In the aspect described above and any possible implementation, an implementation is further provided in which, before the file is identified according to at least one of the size of the file and the feature data of the file to obtain the recognition result, the method further includes:
taking any file as a trusted file according to the false-alarm information of that file.
In the aspect described above and any possible implementation, an implementation is further provided in which obtaining the feature data of the specified portion of the file's content, if the size of the file matches the size of a suspect file, includes:
if the size of the file matches the size of a suspect file, using a first hash algorithm to obtain the feature data of the first M bytes of the file, M being an integer greater than or equal to 1.
In the aspect described above and any possible implementation, an implementation is further provided in which obtaining the feature data of the file's full content, if the feature data of the specified portion of the file's content matches the feature data of the specified portion of the suspect file's content, includes:
if the feature data of the specified portion of the file's content matches the feature data of the specified portion of the suspect file's content, using a second hash algorithm to obtain the feature data of the file's full content.
Another aspect of the present invention provides a file scanning device, including:
an acquiring unit, configured to obtain a file to be scanned;
a recognition unit, configured to identify the file according to at least one of the size of the file and the feature data of the file, to obtain a recognition result, the recognition result being that the file is a trusted file, that the file is an untrusted file, or that the file is an unknown file; and
a scanning unit, configured to perform virus scanning on the unknown file according to the recognition result.
In the aspect described above and any possible implementation, an implementation is further provided in which the scanning unit is further configured to:
skip the trusted file according to the recognition result.
In the aspect described above and any possible implementation, an implementation is further provided in which the scanning unit is further configured to:
perform alert processing on the untrusted file according to the recognition result.
In the aspect described above and any possible implementation, an implementation is further provided in which the file is an executable file or a non-executable file.
In the aspect described above and any possible implementation, an implementation is further provided in which the recognition unit is specifically configured to:
obtain the size of the file;
if the size of the file matches the size of a suspect file, obtain the feature data of a specified portion of the file's content, the suspect file including at least one of a trusted file and/or an untrusted file;
if the feature data of the specified portion of the file's content matches the feature data of the specified portion of the suspect file's content, obtain the feature data of the file's full content; and
if the feature data of the file's full content matches the feature data of the suspect file's full content, obtain the recognition result that the file is a trusted file or that the file is an untrusted file.
In the aspect described above and any possible implementation, an implementation is further provided in which the recognition unit is further configured to:
if the size of the file fails to match the size of a suspect file, obtain the recognition result that the file is an unknown file; or
if the feature data of the specified portion of the file's content fails to match the feature data of the specified portion of the suspect file's content, obtain the recognition result that the file is an unknown file; or
if the feature data of the file's full content fails to match the feature data of the suspect file's full content, obtain the recognition result that the file is an unknown file.
In the aspect described above and any possible implementation, an implementation is further provided in which the recognition unit is further configured to:
take any file as a trusted file according to the false-alarm information of that file.
In the aspect described above and any possible implementation, an implementation is further provided in which the recognition unit is specifically configured to:
if the size of the file matches the size of a suspect file, use a first hash algorithm to obtain the feature data of the first M bytes of the file, M being an integer greater than or equal to 1.
In the aspect described above and any possible implementation, an implementation is further provided in which the recognition unit is specifically configured to:
if the feature data of the specified portion of the file's content matches the feature data of the specified portion of the suspect file's content, use a second hash algorithm to obtain the feature data of the file's full content.
As the above technical solution shows, in the embodiments of the present invention a file to be scanned is obtained and then identified according to at least one of the size of the file and the feature data of the file, to obtain a recognition result: the file is a trusted file, the file is an untrusted file, or the file is an unknown file. Virus scanning can then be performed on the unknown file according to the recognition result. Because only unknown files need to be virus-scanned, rather than every file, this avoids the prior-art problem that virus-scanning each file occupies a large share of the terminal's system resources, and thereby improves the processing performance of the terminal.
In addition, with the technical solution provided by the invention, only unknown files need to be virus-scanned, which effectively improves the efficiency of virus identification.
In addition, with the technical solution provided by the invention, any file is taken as a trusted file according to its false-alarm information, so that alert processing is not performed on that file again, which effectively improves the reliability of virus identification.
【Brief description of the drawings】
To describe the technical solutions in the embodiments of the present invention more clearly, the accompanying drawings needed in the description of the embodiments or of the prior art are briefly introduced below. The drawings described below show some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of the file scanning method provided by one embodiment of the present invention;
Fig. 2 is a schematic structural diagram of the file scanning device provided by another embodiment of the present invention.
【Embodiment】
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
It should be noted that the terminal involved in the embodiments of the present invention can include but is not limited to a mobile phone, a personal digital assistant (Personal Digital Assistant, PDA), a wireless handheld device, a wireless netbook, a personal computer, a portable computer, an MP3 player, an MP4 player, etc.
In addition, the term "and/or" herein only describes an association between associated objects and indicates that three relationships are possible. For example, A and/or B can mean: A exists alone, A and B exist together, or B exists alone. The character "/" herein generally indicates an "or" relationship between the objects before and after it.
Fig. 1 is a schematic flowchart of the file scanning method provided by one embodiment of the present invention, as shown in Fig. 1.
101. Obtain a file to be scanned.
102. Identify the file according to at least one of the size of the file and the feature data of the file, to obtain a recognition result; the recognition result is that the file is a trusted file, that the file is an untrusted file, or that the file is an unknown file.
A trusted file is a file that has been confirmed to be virus-free; an untrusted file is a file that has been confirmed to be a virus file; an unknown file is a file that can be confirmed neither as virus-free nor as a virus file.
A virus file is a file that contains a virus.
103. Perform virus scanning on the unknown file according to the recognition result.
Virus-scanning the unknown file yields a scanning result, and the relevant virus defence processing is then carried out according to that result, for example alert processing for a file identified as a virus file, or release processing for a file identified as virus-free. This embodiment places no particular limitation on this.
It can be understood that, in 103, the unknown file that is virus-scanned is the file whose recognition result is that the file is an unknown file.
A virus, also called a computer virus, can include but is not limited to a Trojan horse, a backdoor, a LAN worm, a mail worm, spyware, an infecting virus, or Rootkits/Bootkits.
It should be noted that the executing entity of 101 to 103 can be an antivirus engine, which can be located in a local client to remove viruses offline, or in a network-side server to remove viruses online. This embodiment places no limitation on this.
It can be understood that the client can be a native application (nativeApp) installed on the terminal, or a web application (webApp) of a browser on the terminal; any concrete form that can virus-scan files and so provide a safe system environment is acceptable. This embodiment places no limitation on this.
In this way, a file to be scanned is obtained and then identified according to at least one of the size of the file and the feature data of the file, to obtain a recognition result: the file is a trusted file, the file is an untrusted file, or the file is an unknown file. Virus scanning can then be performed on the unknown file according to the recognition result. Because only unknown files need to be virus-scanned, rather than every file, this avoids the prior-art problem that virus-scanning each file occupies a large share of the terminal's system resources, and thereby improves the processing performance of the terminal.
Optionally, in a possible implementation of this embodiment, in 101, the file to be scanned is one of the files stored in the terminal's storage device, determined according to the scanning range. Specifically, the file to be scanned can be a file obtained in turn, in a certain scanning order, from all the files stored in the terminal's storage device, or a file obtained in turn, in a certain scanning order, from all the files stored under a specified path of the terminal's storage device. This embodiment places no particular limitation on this.
In one specific implementation, the terminal's storage device can be a slow storage device, specifically the hard disk of a computer system, or the non-running memory of a mobile phone, i.e. physical storage, for example read-only memory (Read-Only Memory, ROM) and a memory card. This embodiment places no particular limitation on this.
In another specific implementation, the terminal's storage device can be a fast storage device, specifically the memory of a computer system, or the running memory of a mobile phone, i.e. system memory, for example random access memory (Random Access Memory, RAM). This embodiment places no particular limitation on this.
The terminal's storage device can be a hard disk, or the non-running memory of a mobile phone, i.e. physical storage, for example read-only memory (Read-Only Memory, ROM) and a memory card. This embodiment places no particular limitation on this.
Optionally, in a possible implementation of this embodiment, the file can be an executable file. Specifically, an executable file is a file in the portable executable (PE) file format, which can be loaded into memory and executed by the operating system loader. The extensions of executable files can include but are not limited to .exe, .sys and .scr.
Optionally, in a possible implementation of this embodiment, the file can be a non-executable file. Specifically, a non-executable file is any file other than an executable file.
Optionally, in a possible implementation of this embodiment, after 102, the trusted file can further be skipped according to the recognition result.
It can be understood that the trusted file skipped here is the file whose recognition result is that the file is a trusted file. Because the file has already been confirmed to be virus-free, there is no need to virus-scan it again; it is skipped directly and 101 is executed again to obtain the next file to be scanned. Because only unknown files need to be virus-scanned, trusted files are no longer scanned but skipped directly, which effectively improves the efficiency of virus identification.
Optionally, in a possible implementation of this embodiment, after 102, alert processing can further be performed on the untrusted file according to the recognition result.
It can be understood that the untrusted file on which alert processing is performed here is the file whose recognition result is that the file is an untrusted file. Because the file has already been confirmed to be a virus file, there is no need to virus-scan such files again; alert processing is performed directly and 101 is executed again to obtain the next file to be scanned. Because only unknown files need to be virus-scanned, untrusted files are no longer scanned but alerted on directly, which effectively improves the efficiency of virus identification.
Optionally, in a possible implementation of this embodiment, in 102, the size of the file can be obtained. If the size of the file matches the size of a suspect file, the feature data of a specified portion of the file's content can then be obtained; the suspect file includes at least one of a trusted file and/or an untrusted file. If the feature data of the specified portion of the file's content matches the feature data of the specified portion of the suspect file's content, the feature data of the file's full content can then be obtained. If the feature data of the file's full content matches the feature data of the suspect file's full content, the recognition result that the file is a trusted file or that the file is an untrusted file can then be obtained.
In one specific implementation, the feature data of the specified portion of the file's content and the feature data of the file's full content can be static features, i.e. features that use the unexecuted file as the basis for identification, or dynamic features, i.e. features that use the executed file as the basis for identification. This embodiment places no particular limitation on this.
Specifically, a first hash algorithm, for example the Cyclic Redundancy Check 32 (Cyclical Redundancy Check, CRC32) algorithm, Adler32, or Message Digest Algorithm 4 (Message Digest Algorithm 4, MD4), can be used to obtain the feature data of the first M bytes of the file, M being an integer greater than or equal to 1.
Specifically, a second hash algorithm, for example Message Digest Algorithm 5 (Message Digest Algorithm 5, MD5) or Secure Hash Algorithm 256 (Secure Hash Algorithm, SHA256), can be used to obtain the feature data of the file's full content.
Further, if the size of the file fails to match the size of a suspect file, the recognition result that the file is an unknown file is obtained.
Further, if the feature data of the specified portion of the file's content fails to match the feature data of the specified portion of the suspect file's content, the recognition result that the file is an unknown file is obtained.
Further, if the feature data of the file's full content fails to match the feature data of the suspect file's full content, the recognition result that the file is an unknown file is obtained.
In one specific implementation, a database is established from some known trusted files and/or untrusted files. Existing file identification methods, for example feature matching, can be used to identify the trusted files or untrusted files among a set of files. This embodiment places no particular limitation on this. The database can include but is not limited to the following content:
the type of the file;
the size of the file;
the feature data of the specified portion of the file's content; and
the feature data of the file's full content.
The type of the file indicates whether the file is a trusted file or an untrusted file, and can generally be represented with 32 bits. A trusted file is a file that has been confirmed to be virus-free; an untrusted file is a file that has been confirmed to be a virus file. For example, 0 can indicate a trusted file and 1 an untrusted file, or 1 can indicate a trusted file and 0 an untrusted file. This embodiment places no particular limitation on this.
It should be noted that the data for files of the same type can be grouped into one list per type, for example a whitelist formed from the data of trusted files or a blacklist formed from the data of untrusted files.
The size of the file indicates the actual number of bytes of the file's content. Its value can be represented with a bit width chosen according to the maximum file size allowed, and can generally be represented with 32 bits.
The feature data of the specified portion of the file's content reflects what distinguishes that portion of the file from other files. Its value can be represented with a bit width chosen according to the type of the first hash algorithm; generally the 32-bit hash value computed by the CRC32 algorithm can be used.
In general, the specified portion can be defined in advance according to the order in which the file's data is read and the unit in which it is read. For example, if the data read unit of the file is the cluster and the default cluster size is 4K bytes, the specified portion of the file can be defined as the first 4K bytes of the file.
The feature data of the file's full content reflects what distinguishes the full content of the file from other files, and can serve as the unique identifier of the file. Its value can be represented with a bit width chosen according to the type of the second hash algorithm; generally the 128-bit hash value computed by MD5 can be used.
Further, if the type of the file is untrusted file, the database also needs to include virus name information, for example the virus name length and the virus name.
In another specific implementation, the size of the obtained file can be used to perform a first match in the database established in the previous specific implementation, to determine whether the size of the file matches the size of a file included in the database.
If the match succeeds, the feature data of the specified portion of the obtained file's content can then be used to perform a second match in the database, to determine whether it matches the feature data of the specified portion of the content of a file included in the database. If the match does not succeed, the recognition result that the file is an unknown file is obtained.
If the match succeeds, the feature data of the obtained file's full content can then be used to perform a third match in the database, to determine whether it matches the feature data of the full content of a file included in the database. If the match does not succeed, the recognition result that the file is an unknown file is obtained.
If the match succeeds, the file type of the matched file can be taken as the recognition result of the file to be scanned, i.e. the file is a trusted file or the file is an untrusted file. If the match does not succeed, the recognition result that the file is an unknown file is obtained.
It can be understood that what counts as a successful match can be defined according to the matching requirements. Specifically, it can mean that the data being matched is completely identical, i.e. a complete or exact match, or that the data being matched is substantially identical, i.e. an incomplete or fuzzy match. This embodiment places no particular limitation on this.
For various reasons, for example a fault in the logic of the virus scan processing, or a compilation problem in the file itself, some files that are not virus files may be erroneously identified as virus files, and alarm processing is then performed on them. That is, the alarm information produced by the alarm processing of such a file is erroneous alarm information, i.e., false alarm information. False alarm information can be collected in a number of ways, for example by operators manually reviewing the alarm records, or through active feedback from users. For this case, in a possible implementation of this embodiment, before 102, any file may further be taken as the trusted file according to the false alarm information of that file.
In this way, taking any file as the trusted file according to its false alarm information avoids subsequent alarm processing of that file, and can effectively improve the reliability of virus identification.
In this embodiment, a file to be scanned is obtained and then identified according to at least one of the size of the file and the characteristic data of the file, to obtain a recognition result; the recognition result includes that the file is a trusted file, the file is an untrusted file, or the file is an unknown file, so that virus scan processing can be performed on the unknown file according to the recognition result. Because virus scan processing only needs to be performed on unknown files, rather than on every file, the prior-art problem of occupying a large amount of the terminal's system resources by performing virus scan processing on each file is avoided, which improves the processing performance of the terminal.
In addition, with the technical solution provided by the invention, because virus scan processing only needs to be performed on unknown files, the efficiency of virus identification can be effectively improved.
In addition, with the technical solution provided by the invention, taking any file as the trusted file according to its false alarm information avoids subsequent alarm processing of that file, and can effectively improve the reliability of virus identification.
It should be noted that, for brevity, each of the foregoing method embodiments is described as a series of combined actions, but those skilled in the art should know that the invention is not limited by the described order of actions, because according to the invention some steps may be performed in other orders or simultaneously. Those skilled in the art should also know that the embodiments described in the specification are preferred embodiments, and the actions and modules involved are not necessarily required by the invention.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, refer to the related descriptions of the other embodiments.
Fig. 2 is a schematic structural diagram of the file scanning device provided by another embodiment of the invention. As shown in Fig. 2, the file scanning device of this embodiment may include an acquiring unit 21, a recognition unit 22 and a scanning unit 23. The acquiring unit 21 is configured to obtain a file to be scanned; the recognition unit 22 is configured to identify the file according to at least one of the size of the file and the characteristic data of the file, to obtain a recognition result; the recognition result includes that the file is a trusted file, the file is an untrusted file, or the file is an unknown file; the scanning unit 23 is configured to perform virus scan processing on the unknown file according to the recognition result.
Here, the trusted file is a file that has been confirmed to be virus-free; the untrusted file is a file that has been confirmed to be a virus file; the unknown file is a file that can be confirmed neither as virus-free nor as a virus file.
It should be noted that the scanning device provided by this embodiment may be an antivirus engine, which may be located in a local client to operate offline to remove viruses, or may be located in a network-side server to operate online to remove viruses; this embodiment does not limit this.
It will be understood that the client may be a native program (nativeApp) installed on the terminal, or a web program (webApp) of a browser on the terminal; any form of existence that can scan files for viruses to provide a secure system environment is acceptable, and this embodiment does not limit this.
Optionally, in a possible implementation of this embodiment, the scanning unit 23 may further be configured to perform skip processing on the trusted file according to the recognition result.
Optionally, in a possible implementation of this embodiment, the scanning unit 23 may further be configured to perform alarm processing on the untrusted file according to the recognition result.
Optionally, in a possible implementation of this embodiment, the file may be an executable file. Specifically, an executable file is a file in the Portable Executable (PE) file format, which can be loaded into memory and executed by the operating system loader. The extension of an executable file may include, but is not limited to, .exe, .sys and .scr.
Optionally, in a possible implementation of this embodiment, the file may be a non-executable file. Specifically, a non-executable file is any file other than an executable file.
Optionally, in a possible implementation of this embodiment, the recognition unit 22 may specifically be configured to obtain the size of the file; if the size of the file successfully matches the size of a suspected file, obtain the characteristic data of the specified portion of the content of the file, the suspected file including at least one of a trusted file and/or an untrusted file; if the characteristic data of the specified portion of the content of the file successfully matches the characteristic data of the specified portion of the content of the suspected file, obtain the characteristic data of the full content of the file; and if the characteristic data of the full content of the file successfully matches the characteristic data of the full content of the suspected file, obtain the recognition result that the file is a trusted file or the file is an untrusted file.
In a specific implementation, the characteristic data of the specified portion of the content of the file, and the characteristic data of the full content of the file, may specifically be static features. A static feature can be understood as using the characteristic code of the file as the basis for identifying the file.
Specifically, the recognition unit 22 may be configured to, if the size of the file successfully matches the size of the suspected file, use a first hash algorithm, for example the Cyclic Redundancy Check 32 (CRC32) algorithm, Adler32, or Message Digest Algorithm 4 (MD4), to obtain the characteristic data of the first M bytes of the file, where M is an integer greater than or equal to 1.
Specifically, the recognition unit 22 may be configured to, if the characteristic data of the specified portion of the content of the file successfully matches the characteristic data of the specified portion of the content of the suspected file, use a second hash algorithm, for example Message Digest Algorithm 5 (MD5) or Secure Hash Algorithm 256 (SHA256), to obtain the characteristic data of the full content of the file.
Further, the recognition unit 22 may also be configured to, if the size of the file fails to match the size of the suspected file, obtain the recognition result that the file is an unknown file.
Further, the recognition unit 22 may also be configured to, if the characteristic data of the specified portion of the content of the file fails to match the characteristic data of the specified portion of the content of the suspected file, obtain the recognition result that the file is an unknown file.
Further, the recognition unit 22 may also be configured to, if the characteristic data of the full content of the file fails to match the characteristic data of the full content of the suspected file, obtain the recognition result that the file is an unknown file.
For various reasons, for example a fault in the logic of the virus scan processing, or a compilation problem in the file itself, some files that contain no virus may be erroneously identified as virus files, and alarm processing is then performed on them. That is, the alarm information produced by the alarm processing of such a file is erroneous alarm information, i.e., false alarm information. For this case, in a possible implementation of this embodiment, the recognition unit 22 may further be configured to take any file as the trusted file according to the false alarm information of that file.
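The three-stage lookup and the false-alarm handling described above, as an added Python example that is not part of the patent text. It assumes exact matching, M = 1024, CRC32 as the first hash algorithm and SHA-256 as the second; the class and function names, the virus name and the sample byte strings are constructed for illustration.

```python
import hashlib
import io
import zlib
from enum import Enum

M = 1024  # length of the "first M bytes" prefix; this value is an assumption


class Verdict(Enum):
    TRUSTED = "trusted"      # skipped
    UNTRUSTED = "untrusted"  # alarm raised
    UNKNOWN = "unknown"      # passed to the virus scanner


def file_size(f):
    return f.seek(0, io.SEEK_END)  # seek() returns the new absolute position


def prefix_crc32(f):
    """First hash algorithm: CRC32 over the first M bytes only."""
    f.seek(0)
    return zlib.crc32(f.read(M)) & 0xFFFFFFFF


def full_sha256(f):
    """Second hash algorithm: SHA-256 (collision-resistant, unlike MD5), streamed."""
    f.seek(0)
    digest = hashlib.sha256()
    for chunk in iter(lambda: f.read(65536), b""):
        digest.update(chunk)
    return digest.hexdigest()


class KnownFileDB:
    """Known files indexed as size -> prefix CRC32 -> full SHA-256."""

    def __init__(self):
        self._index = {}
        self.full_hashes_computed = 0  # counts how often the third match runs

    def add(self, f, verdict, virus_name=None):
        by_crc = self._index.setdefault(file_size(f), {})
        by_sha = by_crc.setdefault(prefix_crc32(f), {})
        by_sha[full_sha256(f)] = (verdict, virus_name)

    def mark_false_alarm(self, f):
        """Record a file reported as a false alarm as trusted."""
        self.add(f, Verdict.TRUSTED)

    def identify(self, f):
        # First match: size only; no content is read.
        by_crc = self._index.get(file_size(f))
        if by_crc is None:
            return Verdict.UNKNOWN, None
        # Second match: CRC32 of the first M bytes, a cheap prefilter only.
        by_sha = by_crc.get(prefix_crc32(f))
        if by_sha is None:
            return Verdict.UNKNOWN, None
        # Third match: full-content hash, the only stage that sets a verdict.
        self.full_hashes_computed += 1
        return by_sha.get(full_sha256(f), (Verdict.UNKNOWN, None))


def triage(db, files):
    """Return (names to virus-scan, alarms); trusted files are skipped."""
    to_scan, alarms = [], []
    for name, f in files:
        verdict, virus_name = db.identify(f)
        if verdict is Verdict.UNKNOWN:
            to_scan.append(name)
        elif verdict is Verdict.UNTRUSTED:
            alarms.append((name, virus_name))
    return to_scan, alarms


# Constructed sample contents (not real files or real signatures).
GOOD = b"A" * 2000 + b"tail-1"         # recorded as trusted
FLAGGED = b"C" * 3000                  # recorded as untrusted
SAME_PREFIX = b"A" * 2000 + b"tail-2"  # same size and first M bytes as GOOD
SAME_SIZE = b"B" * 2006                # same size as GOOD, different prefix
OTHER_SIZE = b"A" * 10                 # size not in the database


def build_sample_db():
    db = KnownFileDB()
    db.add(io.BytesIO(GOOD), Verdict.TRUSTED)
    db.add(io.BytesIO(FLAGGED), Verdict.UNTRUSTED, "Constructed.Sample")
    return db
```

With real files, pass objects opened with `open(path, "rb")`; for a file whose size or prefix is not in the database, at most M bytes are read before it is classed as unknown.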
It should be noted that the method in the embodiment corresponding to Fig. 1 can be implemented by the file scanning device provided by this embodiment. For a detailed description, refer to the related content of the embodiment corresponding to Fig. 1, which is not repeated here.
In this embodiment, the acquiring unit obtains a file to be scanned, and the recognition unit then identifies the file according to at least one of the size of the file and the characteristic data of the file, to obtain a recognition result; the recognition result includes that the file is a trusted file, the file is an untrusted file, or the file is an unknown file, so that the scanning unit can perform virus scan processing on the unknown file according to the recognition result. Because virus scan processing only needs to be performed on unknown files, rather than on every file, the prior-art problem of occupying a large amount of the terminal's system resources by performing virus scan processing on each file is avoided, which improves the processing performance of the terminal.
In addition, with the technical solution provided by the invention, because virus scan processing only needs to be performed on unknown files, the efficiency of virus identification can be effectively improved.
In addition, with the technical solution provided by the invention, taking any file as the trusted file according to its false alarm information avoids subsequent alarm processing of that file, and can effectively improve the reliability of virus identification.
It will be clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not repeated here.
In the several embodiments provided by the invention, it should be understood that the disclosed system, device and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative; for example, the division into units is only a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, devices or units, and may be electrical, mechanical or of other forms.
Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place, or may be distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the invention may be integrated in one processing unit, may each exist physically on their own, or two or more units may be integrated in one unit. The integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional units.
An integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) or a processor to perform some of the steps of the methods of the embodiments of the invention. The storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the invention, not to limit them. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the invention.

Claims (16)

  1. A file scanning method, characterized by comprising:
    obtaining a file to be scanned;
    identifying the file according to at least one of the size of the file and the characteristic data of the file, to obtain a recognition result; the recognition result includes that the file is a trusted file, the file is an untrusted file, or the file is an unknown file;
    performing virus scan processing on the unknown file according to the recognition result;
    wherein identifying the file according to at least one of the size of the file and the characteristic data of the file, to obtain a recognition result, comprises:
    obtaining the size of the file;
    if the size of the file successfully matches the size of a suspected file, obtaining the characteristic data of the specified portion of the content of the file, the suspected file including at least one of a trusted file and/or an untrusted file;
    if the characteristic data of the specified portion of the content of the file successfully matches the characteristic data of the specified portion of the content of the suspected file, obtaining the characteristic data of the full content of the file;
    if the characteristic data of the full content of the file successfully matches the characteristic data of the full content of the suspected file, obtaining the recognition result that the file is a trusted file or the file is an untrusted file.
  2. The method according to claim 1, characterized in that, after identifying the file according to at least one of the size of the file and the characteristic data of the file to obtain a recognition result, the method further comprises:
    performing skip processing on the trusted file according to the recognition result.
  3. The method according to claim 1, characterized in that, after identifying the file according to at least one of the size of the file and the characteristic data of the file to obtain a recognition result, the method further comprises:
    performing alarm processing on the untrusted file according to the recognition result.
  4. The method according to claim 1, characterized in that the file includes an executable file or a non-executable file.
  5. The method according to claim 1, characterized in that identifying the file according to at least one of the size of the file and the characteristic data of the file, to obtain a recognition result, further comprises:
    if the size of the file fails to match the size of the suspected file, obtaining the recognition result that the file is an unknown file; or
    if the characteristic data of the specified portion of the content of the file fails to match the characteristic data of the specified portion of the content of the suspected file, obtaining the recognition result that the file is an unknown file; or
    if the characteristic data of the full content of the file fails to match the characteristic data of the full content of the suspected file, obtaining the recognition result that the file is an unknown file.
  6. The method according to claim 1, characterized in that, before identifying the file according to at least one of the size of the file and the characteristic data of the file to obtain a recognition result, the method further comprises:
    taking any file as the trusted file according to the false alarm information of that file.
  7. The method according to claim 1, characterized in that, if the size of the file successfully matches the size of the suspected file, obtaining the characteristic data of the specified portion of the content of the file comprises:
    if the size of the file successfully matches the size of the suspected file, using a first hash algorithm to obtain the characteristic data of the first M bytes of the file, M being an integer greater than or equal to 1.
  8. The method according to claim 1, characterized in that, if the characteristic data of the specified portion of the content of the file successfully matches the characteristic data of the specified portion of the content of the suspected file, obtaining the characteristic data of the full content of the file comprises:
    if the characteristic data of the specified portion of the content of the file successfully matches the characteristic data of the specified portion of the content of the suspected file, using a second hash algorithm to obtain the characteristic data of the full content of the file.
  9. A file scanning device, characterized by comprising:
    an acquiring unit, configured to obtain a file to be scanned;
    a recognition unit, configured to identify the file according to at least one of the size of the file and the characteristic data of the file, to obtain a recognition result; the recognition result includes that the file is a trusted file, the file is an untrusted file, or the file is an unknown file;
    a scanning unit, configured to perform virus scan processing on the unknown file according to the recognition result;
    the recognition unit being specifically configured to:
    obtain the size of the file;
    if the size of the file successfully matches the size of a suspected file, obtain the characteristic data of the specified portion of the content of the file, the suspected file including at least one of a trusted file and/or an untrusted file;
    if the characteristic data of the specified portion of the content of the file successfully matches the characteristic data of the specified portion of the content of the suspected file, obtain the characteristic data of the full content of the file;
    if the characteristic data of the full content of the file successfully matches the characteristic data of the full content of the suspected file, obtain the recognition result that the file is a trusted file or the file is an untrusted file.
  10. The device according to claim 9, characterized in that the scanning unit is further configured to perform skip processing on the trusted file according to the recognition result.
  11. The device according to claim 9, characterized in that the scanning unit is further configured to perform alarm processing on the untrusted file according to the recognition result.
  12. The device according to claim 9, characterized in that the file includes an executable file or a non-executable file.
  13. The device according to claim 9, characterized in that the recognition unit is further configured to, if the size of the file fails to match the size of the suspected file, obtain the recognition result that the file is an unknown file; or
    if the characteristic data of the specified portion of the content of the file fails to match the characteristic data of the specified portion of the content of the suspected file, obtain the recognition result that the file is an unknown file; or
    if the characteristic data of the full content of the file fails to match the characteristic data of the full content of the suspected file, obtain the recognition result that the file is an unknown file.
  14. The device according to claim 9, characterized in that the recognition unit is further configured to take any file as the trusted file according to the false alarm information of that file.
  15. The device according to claim 9, characterized in that the recognition unit is specifically configured to:
    if the size of the file successfully matches the size of the suspected file, use a first hash algorithm to obtain the characteristic data of the first M bytes of the file, M being an integer greater than or equal to 1.
  16. The device according to claim 9, characterized in that the recognition unit is specifically configured to:
    if the characteristic data of the specified portion of the content of the file successfully matches the characteristic data of the specified portion of the content of the suspected file, use a second hash algorithm to obtain the characteristic data of the full content of the file.
CN201410472180.3A 2014-09-16 2014-09-16 The scan method and device of file Active CN104239795B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410472180.3A CN104239795B (en) 2014-09-16 2014-09-16 The scan method and device of file

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410472180.3A CN104239795B (en) 2014-09-16 2014-09-16 The scan method and device of file

Publications (2)

Publication Number Publication Date
CN104239795A CN104239795A (en) 2014-12-24
CN104239795B true CN104239795B (en) 2017-11-24

Family

ID=52227837

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410472180.3A Active CN104239795B (en) 2014-09-16 2014-09-16 The scan method and device of file

Country Status (1)

Country Link
CN (1) CN104239795B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant