CN104239795B - The scan method and device of file - Google Patents
- Publication number
- CN104239795B (application number CN201410472180.3A)
- Authority
- CN
- China
- Prior art keywords
- file
- characteristic
- size
- recognition result
- apocrypha
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
An embodiment of the present invention provides a file scanning method and device. A file to be scanned is obtained and then identified according to at least one of the size of the file and the feature data of the file, yielding a recognition result: the file is a trusted file, an untrusted file, or an unknown file. Virus scanning is then performed on the unknown file according to the recognition result. Because only unknown files need to be virus-scanned, rather than every file, this avoids the prior-art problem of virus scanning each file consuming a large share of the terminal's system resources, and so improves the terminal's processing performance.
Description
【Technical field】
The present invention relates to computer technology, and in particular to a file scanning method and device.
【Background】
A virus is data, written or inserted into an application, that damages terminal functions. It can affect the normal use of the application and can replicate itself, and it usually takes the form of a set of instructions or program code. Viruses are destructive, replicable, and infectious. A terminal can use an antivirus engine to virus-scan the files stored on the terminal, so that virus files are found in time and the corresponding defensive handling is carried out.
However, because a terminal stores a large number of files, virus scanning every file consumes a large amount of the terminal's system resources, which reduces the terminal's processing performance.
【Summary of the invention】
Aspects of the present invention provide a file scanning method and device to improve the processing performance of a terminal.
One aspect of the present invention provides a file scanning method, including:
obtaining a file to be scanned;
identifying the file according to at least one of the size of the file and the feature data of the file to obtain a recognition result, the recognition result including that the file is a trusted file, that the file is an untrusted file, or that the file is an unknown file; and
performing virus scanning on the unknown file according to the recognition result.
In the aspect described above and any possible implementation, a further implementation is provided in which, after the file is identified according to at least one of the size of the file and the feature data of the file to obtain the recognition result, the method further includes:
skipping the trusted file according to the recognition result.
In the aspect described above and any possible implementation, a further implementation is provided in which, after the file is identified according to at least one of the size of the file and the feature data of the file to obtain the recognition result, the method further includes:
performing alert processing on the untrusted file according to the recognition result.
In the aspect described above and any possible implementation, a further implementation is provided in which the file includes an executable file or a non-executable file.
In the aspect described above and any possible implementation, a further implementation is provided in which identifying the file according to at least one of the size of the file and the feature data of the file to obtain the recognition result includes:
obtaining the size of the file;
if the size of the file matches the size of a suspect file, obtaining the feature data of a specified portion of the file's content, the suspect file including at least one of a trusted file and/or an untrusted file;
if the feature data of the specified portion of the file's content matches the feature data of the specified portion of the suspect file's content, obtaining the feature data of the file's full content; and
if the feature data of the file's full content matches the feature data of the suspect file's full content, obtaining the recognition result that the file is a trusted file or that the file is an untrusted file.
In the aspect described above and any possible implementation, a further implementation is provided in which identifying the file according to at least one of the size of the file and the feature data of the file to obtain the recognition result further includes:
if the size of the file fails to match the size of the suspect file, obtaining the recognition result that the file is an unknown file; or
if the feature data of the specified portion of the file's content fails to match the feature data of the specified portion of the suspect file's content, obtaining the recognition result that the file is an unknown file; or
if the feature data of the file's full content fails to match the feature data of the suspect file's full content, obtaining the recognition result that the file is an unknown file.
In the aspect described above and any possible implementation, a further implementation is provided in which, before the file is identified according to at least one of the size of the file and the feature data of the file to obtain the recognition result, the method further includes:
treating any file as the trusted file according to false-alarm information for that file.
In the aspect described above and any possible implementation, a further implementation is provided in which obtaining the feature data of the specified portion of the file's content if the size of the file matches the size of the suspect file includes:
if the size of the file matches the size of the suspect file, using a first hash algorithm to obtain the feature data of the first M bytes of the file, M being an integer greater than or equal to 1.
In the aspect described above and any possible implementation, a further implementation is provided in which obtaining the feature data of the file's full content if the feature data of the specified portion of the file's content matches the feature data of the specified portion of the suspect file's content includes:
if the feature data of the specified portion of the file's content matches the feature data of the specified portion of the suspect file's content, using a second hash algorithm to obtain the feature data of the file's full content.
Another aspect of the present invention provides a file scanning device, including:
an acquiring unit, configured to obtain a file to be scanned;
a recognition unit, configured to identify the file according to at least one of the size of the file and the feature data of the file to obtain a recognition result, the recognition result including that the file is a trusted file, that the file is an untrusted file, or that the file is an unknown file; and
a scanning unit, configured to perform virus scanning on the unknown file according to the recognition result.
In the aspect described above and any possible implementation, a further implementation is provided in which the scanning unit is further configured to
skip the trusted file according to the recognition result.
In the aspect described above and any possible implementation, a further implementation is provided in which the scanning unit is further configured to
perform alert processing on the untrusted file according to the recognition result.
In the aspect described above and any possible implementation, a further implementation is provided in which the file includes an executable file or a non-executable file.
In the aspect described above and any possible implementation, a further implementation is provided in which the recognition unit is specifically configured to:
obtain the size of the file;
if the size of the file matches the size of a suspect file, obtain the feature data of a specified portion of the file's content, the suspect file including at least one of a trusted file and/or an untrusted file;
if the feature data of the specified portion of the file's content matches the feature data of the specified portion of the suspect file's content, obtain the feature data of the file's full content; and
if the feature data of the file's full content matches the feature data of the suspect file's full content, obtain the recognition result that the file is a trusted file or that the file is an untrusted file.
In the aspect described above and any possible implementation, a further implementation is provided in which the recognition unit is further configured to:
if the size of the file fails to match the size of the suspect file, obtain the recognition result that the file is an unknown file; or
if the feature data of the specified portion of the file's content fails to match the feature data of the specified portion of the suspect file's content, obtain the recognition result that the file is an unknown file; or
if the feature data of the file's full content fails to match the feature data of the suspect file's full content, obtain the recognition result that the file is an unknown file.
In the aspect described above and any possible implementation, a further implementation is provided in which the recognition unit is further configured to
treat any file as the trusted file according to false-alarm information for that file.
In the aspect described above and any possible implementation, a further implementation is provided in which the recognition unit is specifically configured to,
if the size of the file matches the size of the suspect file, use a first hash algorithm to obtain the feature data of the first M bytes of the file, M being an integer greater than or equal to 1.
In the aspect described above and any possible implementation, a further implementation is provided in which the recognition unit is specifically configured to,
if the feature data of the specified portion of the file's content matches the feature data of the specified portion of the suspect file's content, use a second hash algorithm to obtain the feature data of the file's full content.
As the above technical solutions show, in the embodiments of the present invention a file to be scanned is obtained and then identified according to at least one of the size of the file and the feature data of the file, yielding a recognition result that the file is a trusted file, an untrusted file, or an unknown file, so that virus scanning can be performed on the unknown file according to the recognition result. Because only unknown files need to be virus-scanned, rather than every file, this avoids the prior-art problem of virus scanning each file consuming a large share of the terminal's system resources, and so improves the terminal's processing performance.
In addition, with the technical solution provided by the present invention, because only unknown files need to be virus-scanned, the efficiency of virus identification is effectively improved.
In addition, with the technical solution provided by the present invention, treating any file as the trusted file according to false-alarm information for that file avoids continuing to raise alerts on that file afterwards, which effectively improves the reliability of virus identification.
【Brief description of the drawings】
To explain the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. The drawings described below show some embodiments of the present invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of the file scanning method provided by one embodiment of the present invention;
Fig. 2 is a schematic structural diagram of the file scanning device provided by another embodiment of the present invention.
【Detailed description of the embodiments】
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the present invention.
It should be noted that the terminal involved in the embodiments of the present invention can include but is not limited to a mobile phone, a personal digital assistant (Personal Digital Assistant, PDA), a wireless handheld device, a wireless netbook, a PC, a portable computer, an MP3 player, an MP4 player, and so on.
In addition, the term "and/or" herein merely describes an association between associated objects and indicates that three relationships are possible. For example, A and/or B can mean: A alone, both A and B, or B alone. The character "/" herein generally indicates an "or" relationship between the objects before and after it.
Fig. 1 is a schematic flow chart of the file scanning method provided by one embodiment of the present invention, as shown in Fig. 1.
101. Obtain a file to be scanned.
102. Identify the file according to at least one of the size of the file and the feature data of the file to obtain a recognition result; the recognition result includes that the file is a trusted file, that the file is an untrusted file, or that the file is an unknown file.
Here, a trusted file is a file that has been confirmed to be virus-free; an untrusted file is a file that has been confirmed to be a virus file; an unknown file is a file that can be confirmed neither as virus-free nor as a virus file.
A virus file is a file that contains a virus.
103. Perform virus scanning on the unknown file according to the recognition result.
In this way, virus scanning the unknown file produces a scan result, and the relevant virus defense handling is then carried out according to that result, for example alert processing for a file identified as a virus file, or release processing for a file identified as virus-free; this embodiment places no particular limitation on this.
It can be understood that the unknown file that is virus-scanned in 103 is the file corresponding to the recognition result that the file is an unknown file.
Here, a virus, also called a computer virus, can include but is not limited to Trojans, backdoors, LAN worms, mail worms, spyware, file-infecting viruses, or rootkits/bootkits.
It should be noted that 101 to 103 can be executed by an antivirus engine, which can be located in a local client to remove viruses offline, or in a network-side server to remove viruses online; this embodiment places no limitation on this.
It can be understood that the client can be a native application (nativeApp) installed on the terminal, or a web application (webApp) of a browser on the terminal. Any objectively existing form that can virus-scan files to provide a safe system environment is acceptable; this embodiment places no limitation on this.
In this way, a file to be scanned is obtained and then identified according to at least one of the size of the file and the feature data of the file, yielding a recognition result that the file is a trusted file, an untrusted file, or an unknown file, so that virus scanning can be performed on the unknown file according to the recognition result. Because only unknown files need to be virus-scanned, rather than every file, this avoids the prior-art problem of virus scanning each file consuming a large share of the terminal's system resources, and so improves the terminal's processing performance.
Optionally, in a possible implementation of this embodiment, the file to be scanned in 101 is one of the files stored in the terminal's storage device, determined according to the scan scope. Specifically, the file to be scanned can be a file obtained in turn, in a certain scan order, from all files stored in the terminal's storage device, or a file obtained in turn, in a certain scan order, from all files stored under a specified path of the terminal's storage device; this embodiment places no particular limitation on this.
In one specific implementation, the terminal's storage device can be a slow storage device, specifically the hard disk of a computer system, or the non-running memory of a mobile phone, that is, physical storage such as read-only memory (Read-Only Memory, ROM) and a memory card; this embodiment places no particular limitation on this.
In another specific implementation, the terminal's storage device can be a fast storage device, specifically the memory of a computer system, or the running memory of a mobile phone, that is, system memory such as random access memory (Random Access Memory, RAM); this embodiment places no particular limitation on this.
Here, the terminal's storage device can be a hard disk, or the non-running memory of a mobile phone, that is, physical storage such as read-only memory (Read-Only Memory, ROM) and a memory card; this embodiment places no particular limitation on this.
Optionally, in a possible implementation of this embodiment, the file can be an executable file. Specifically, an executable file is a file in the Portable Executable (PE) file format; it can be loaded into memory and executed by the operating system's loader. Extensions of executable files can include but are not limited to .exe, .sys and .scr.
Optionally, in a possible implementation of this embodiment, the file can be a non-executable file. Specifically, a non-executable file is any file other than an executable file.
Optionally, in a possible implementation of this embodiment, after 102, the trusted file can further be skipped according to the recognition result.
It can be understood that the trusted file skipped here is the file corresponding to the recognition result that the file is a trusted file. Because the file has already been confirmed to be virus-free, there is no need to virus-scan such trusted files again; they are skipped directly and 101 is executed again to obtain the next file to be scanned. In this way, because only unknown files need to be virus-scanned, trusted files are no longer virus-scanned but skipped directly, which effectively improves the efficiency of virus identification.
Optionally, in a possible implementation of this embodiment, after 102, alert processing can further be performed on the untrusted file according to the recognition result.
It can be understood that the untrusted file subjected to alert processing here is the file corresponding to the recognition result that the file is an untrusted file. Because the file has already been confirmed to be a virus file, there is no need to virus-scan such files again; alert processing is performed directly and 101 is executed again to obtain the next file to be scanned. In this way, because only unknown files need to be virus-scanned, untrusted files are no longer virus-scanned but go directly to alert processing, which effectively improves the efficiency of virus identification.
Optionally, in a possible implementation of this embodiment, in 102, the size of the file can be obtained. If the size of the file matches the size of a suspect file, the feature data of a specified portion of the file's content can then be obtained; the suspect file includes at least one of a trusted file and/or an untrusted file. If the feature data of the specified portion of the file's content matches the feature data of the specified portion of the suspect file's content, the feature data of the file's full content can then be obtained. If the feature data of the file's full content matches the feature data of the suspect file's full content, the recognition result that the file is a trusted file or that the file is an untrusted file can then be obtained.
In one specific implementation, the feature data of the specified portion of the file's content and the feature data of the file's full content can be static features, meaning that recognition is based on the file without executing it, or dynamic features, meaning that recognition is based on the file as executed; this embodiment places no particular limitation on this.
Specifically, a first hash algorithm, for example Cyclic Redundancy Check 32 (Cyclical Redundancy Check, CRC32), Adler32 or Message Digest Algorithm 4 (Message Digest Algorithm 4, MD4), can be used to obtain the feature data of the first M bytes of the file, M being an integer greater than or equal to 1.
Specifically, a second hash algorithm, for example Message Digest Algorithm 5 (Message Digest Algorithm 5, MD5) or Secure Hash Algorithm 256 (Secure Hash Algorithm, SHA256), can be used to obtain the feature data of the file's full content.
Further, if the size of the file fails to match the size of the suspect file, the recognition result that the file is an unknown file is obtained.
Further, if the feature data of the specified portion of the file's content fails to match the feature data of the specified portion of the suspect file's content, the recognition result that the file is an unknown file is obtained.
Further, if the feature data of the file's full content fails to match the feature data of the suspect file's full content, the recognition result that the file is an unknown file is obtained.
In one specific implementation, a database is established from some known trusted files and/or untrusted files. Existing file recognition methods, for example feature matching, can be used to identify trusted files or untrusted files among a set of files; this embodiment places no particular limitation on this. The database can include but is not limited to the following content:
the type of the file;
the size of the file;
the feature data of the specified portion of the file's content; and
the feature data of the file's full content.
The type of the file indicates whether the file is a trusted file or an untrusted file, and can generally be represented with 32 bits. Here, a trusted file is a file that has been confirmed to be virus-free, and an untrusted file is a file that has been confirmed to be a virus file. For example, 0 indicates that the file is a trusted file and 1 indicates that the file is an untrusted file, or, alternatively, 1 indicates that the file is a trusted file and 0 indicates that the file is an untrusted file; this embodiment places no particular limitation on this.
It should be noted that the data corresponding to files of the same type can be grouped by file type into a list of files of that type, for example a whitelist formed from the data corresponding to trusted files, or a blacklist formed from the data corresponding to untrusted files.
The size of the file indicates the number of bytes the file's content actually occupies. The number of bits used to represent its value can be set according to the maximum file size; 32 bits can generally be used.
The feature data of the specified portion of the file's content reflects what distinguishes the specified portion of a file's content from that of other files. The number of bits used to represent its value can be set according to the type of the first hash algorithm; a 32-bit hash value computed by the CRC32 algorithm can generally be used.
In general, the specified portion of the content can be defined in advance according to the file's data read order and data read unit. For example, if the data read unit of the file is a cluster and the default cluster size is 4K bytes, the specified portion of the file's content can be defined as the first 4K bytes of the file.
The feature data of the file's full content reflects what distinguishes the full content of a file from that of other files, and can serve as the unique identifier of the file. The number of bits used to represent its value can be set according to the type of the second hash algorithm; a 128-bit hash value computed by MD5 can generally be used.
Further, if the type of the file is untrusted file, the database also needs to include virus name information, for example the virus name length and the virus name.
In another specific implementation, the size of the obtained file can be used to perform a first match in the database established in the previous specific implementation, to determine whether the size of the file matches the size of a file included in the database.
If the match succeeds, the feature data of the specified portion of the obtained file's content can then be used to perform a second match in the database, to determine whether the feature data of the specified portion of the file's content matches the feature data of the specified portion of the content of a file included in the database. If no match succeeds, the recognition result that the file is an unknown file is obtained.
If the match succeeds, the feature data of the obtained file's full content can then be used to perform a third match in the database, to determine whether the feature data of the file's full content matches the feature data of the full content of a file included in the database. If no match succeeds, the recognition result that the file is an unknown file is obtained.
If the match succeeds, the file type of the matched file can be taken as the recognition result of the file to be scanned, that is, the file is a trusted file or the file is an untrusted file. If no match succeeds, the recognition result that the file is an unknown file is obtained.
It can be understood that what counts as a successful match can be defined according to the matching requirements. Specifically, it can mean that the data being matched are completely identical, that is, complete or exact matching, or that the data being matched are substantially identical, that is, incomplete or fuzzy matching; this embodiment places no particular limitation on this.
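The three-stage lookup described above (size, then the hash of the first M bytes, then the full-content hash), together with the skip, alert and scan handling, as an added Python example that is not code from the patent. The class and function names, the in-memory index, the stub engine and the sample files are assumptions constructed for illustration; it uses exact matching, CRC32 as the first hash and SHA-256 as the second (both named in the text), choosing SHA-256 over MD5 because a trusted result causes the scan to be skipped.

```python
import hashlib
import os
import tempfile
import zlib
from dataclasses import dataclass

HEAD_BYTES = 4096  # "M": the text's example is the first 4K bytes (one cluster)
TRUSTED, UNTRUSTED, UNKNOWN = "trusted", "untrusted", "unknown"


@dataclass(frozen=True)
class Record:
    """One database row: type, size, partial feature, full feature, virus name."""
    file_type: str
    size: int
    head_crc32: int
    full_sha256: str
    virus_name: str = ""


def head_crc32(path):
    """First hash algorithm (cheap): CRC32 over the first HEAD_BYTES bytes."""
    with open(path, "rb") as f:
        return zlib.crc32(f.read(HEAD_BYTES))


def full_sha256(path):
    """Second hash algorithm (strong): SHA-256 over the full content."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class KnownFileDB:
    """Hypothetical in-memory stand-in for the database of known files."""

    def __init__(self):
        self._index = {}  # size -> {head_crc32 -> {full_sha256 -> Record}}

    def add(self, path, file_type, virus_name=""):
        rec = Record(file_type, os.path.getsize(path), head_crc32(path),
                     full_sha256(path), virus_name)
        by_head = self._index.setdefault(rec.size, {})
        by_head.setdefault(rec.head_crc32, {})[rec.full_sha256] = rec
        return rec

    def mark_false_alarm(self, path):
        """False-alarm feedback: re-register the file as trusted."""
        return self.add(path, TRUSTED)

    def identify(self, path):
        """Return (result, stage); stage names the match that decided it."""
        by_head = self._index.get(os.path.getsize(path))
        if by_head is None:
            return UNKNOWN, "size"   # decided without reading file content
        by_full = by_head.get(head_crc32(path))
        if by_full is None:
            return UNKNOWN, "head"   # decided after reading HEAD_BYTES only
        rec = by_full.get(full_sha256(path))
        return (rec.file_type if rec else UNKNOWN), "full"


def scan(db, paths, engine):
    """Skip trusted files, alert on untrusted ones, scan only unknown ones."""
    actions = {}
    for path in paths:
        result, _ = db.identify(path)
        if result == TRUSTED:
            actions[os.path.basename(path)] = "skip"
        elif result == UNTRUSTED:
            actions[os.path.basename(path)] = "alert"
        else:
            actions[os.path.basename(path)] = "scanned:" + engine(path)
    return actions


def demo():
    """Run the pipeline over constructed sample files in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        def write(name, data):
            path = os.path.join(tmp, name)
            with open(path, "wb") as f:
                f.write(data)
            return path

        db = KnownFileDB()
        db.add(write("good.bin", b"A" * 5000), TRUSTED)
        bad = write("bad.bin", b"B" * 6000)
        db.add(bad, UNTRUSTED, "Constructed.Sample")
        paths = [
            write("copy.bin", b"A" * 5000),                # all three match
            write("new_size.bin", b"C" * 123),             # size not in DB
            write("same_size.bin", b"Z" + b"A" * 4999),    # head differs
            write("same_head.bin", b"A" * 4999 + b"Z"),    # only tail differs
            bad,
        ]
        identified = {os.path.basename(p): db.identify(p) for p in paths}
        actions = scan(db, paths, engine=lambda p: "clean")  # stub engine
        db.mark_false_alarm(bad)
        return identified, actions, db.identify(bad)


if __name__ == "__main__":
    for part in demo():
        print(part)
```

The `stage` value shows where each decision was made: a file whose size is not in the database is classified without reading any content, and only a file that passes both cheap checks pays for a full-content hash.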
For various reasons, for example a fault in the virus scanning logic, or a compilation problem in the file itself, some files that are not virus files may be wrongly identified as virus files and then subjected to alert processing. That is, the alert information produced by the alert processing of such a file is erroneous alert information, i.e. false-alarm information. False-alarm information can be collected in several ways, for example operators manually reviewing alert records, or active feedback from users. For this case, in a possible implementation of this embodiment, before 102, any file can further be treated as the trusted file according to false-alarm information for that file.
In this way, treating any file as the trusted file according to false-alarm information for that file avoids continuing to raise alerts on that file afterwards, which effectively improves the reliability of virus identification.
In this embodiment, a file to be scanned is obtained, and the file is then identified according to at least one of the size of the file and the characteristic data of the file, to obtain a recognition result, the recognition result including that the file is a trusted file, that the file is an untrusted file, or that the file is an unknown file, so that virus scan processing can be carried out on the unknown file according to the recognition result. Because virus scan processing only needs to be carried out on unknown files, rather than on every file, the prior-art problem of occupying more system resources of the terminal by carrying out virus scan processing on each file can be avoided, thereby improving the processing performance of the terminal.
In addition, with the technical solution provided by the invention, because virus scan processing only needs to be carried out on unknown files, the efficiency of virus identification can be effectively improved.
In addition, with the technical solution provided by the invention, taking any file as the trusted file according to the false-alarm information of that file avoids continuing to subject that file to alert processing later, which can effectively improve the reliability of virus identification.
It should be noted that, for brevity, each of the foregoing method embodiments is described as a series of combined actions, but those skilled in the art should know that the invention is not limited by the described order of actions, because according to the invention some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in this specification are preferred embodiments, and that the actions and modules involved are not necessarily required by the invention.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related descriptions of other embodiments.
Fig. 2 is a schematic structural diagram of the file scanning device provided by another embodiment of the invention. As shown in Fig. 2, the file scanning device of this embodiment may include an acquiring unit 21, a recognition unit 22 and a scanning unit 23. The acquiring unit 21 is configured to obtain a file to be scanned; the recognition unit 22 is configured to identify the file according to at least one of the size of the file and the characteristic data of the file, to obtain a recognition result, the recognition result including that the file is a trusted file, that the file is an untrusted file, or that the file is an unknown file; the scanning unit 23 is configured to carry out virus scan processing on the unknown file according to the recognition result.
Here, a trusted file is a file that has been confirmed to be a virus-free file; an untrusted file is a file that has been confirmed to be a virus file; an unknown file is a file that can be confirmed neither to be a virus-free file nor to be a virus file.
It should be noted that the scanning device provided by this embodiment may be an antivirus engine, which may be located in a local client, to operate offline to remove viruses, or may be located in a network-side server, to operate online to remove viruses; this embodiment places no limitation on this.
It can be understood that the client may be a local program (nativeApp) installed in the terminal, or a web program (webApp) of a browser in the terminal; any objectively existing form that can perform the virus scan of files so as to provide a safe system environment is acceptable, and this embodiment places no limitation on this.
Optionally, in a possible implementation of this embodiment, the scanning unit 23 may further be configured to skip the trusted file according to the recognition result.
Optionally, in a possible implementation of this embodiment, the scanning unit 23 may further be configured to carry out alert processing on the untrusted file according to the recognition result.
Optionally, in a possible implementation of this embodiment, the file may be an executable file. Specifically, an executable file is a file in the portable executable (PE) file format, which can be loaded into memory and executed by the operating system loader. The extension of an executable file may include, but is not limited to, .exe, .sys, .scr, etc.
Optionally, in a possible implementation of this embodiment, the file may be a non-executable file. Specifically, a non-executable file is any file other than an executable file.
Optionally, in a possible implementation of this embodiment, the recognition unit 22 may specifically be configured to: obtain the size of the file; if the size of the file is successfully matched with the size of an apocrypha, obtain the characteristic data of the specified partial content of the file, the apocrypha including at least one of trusted files and/or untrusted files; if the characteristic data of the specified partial content of the file is successfully matched with the characteristic data of the specified partial content of the apocrypha, obtain the characteristic data of the full content of the file; and if the characteristic data of the full content of the file is successfully matched with the characteristic data of the full content of the apocrypha, obtain the recognition result that the file is a trusted file or that the file is an untrusted file.
In a specific implementation, the characteristic data of the specified partial content of the file and the characteristic data of the full content of the file may specifically be static features. A static feature can be understood as using the feature code of the file as the basis for identifying the file.
Specifically, the recognition unit 22 may be configured to, if the size of the file is successfully matched with the size of an apocrypha, use a first hash algorithm, for example the Cyclic Redundancy Check 32 (CRC32) algorithm, Adler32, or Message Digest Algorithm 4 (MD4), to obtain the characteristic data of the first M bytes of the file, M being an integer greater than or equal to 1.
Specifically, the recognition unit 22 may be configured to, if the characteristic data of the specified partial content of the file is successfully matched with the characteristic data of the specified partial content of the apocrypha, use a second hash algorithm, for example Message Digest Algorithm 5 (MD5) or Secure Hash Algorithm 256 (SHA256), to obtain the characteristic data of the full content of the file.
Further, the recognition unit 22 may also be configured to, if the size of the file fails to match the size of an apocrypha, obtain the recognition result that the file is an unknown file.
Further, the recognition unit 22 may also be configured to, if the characteristic data of the specified partial content of the file fails to match the characteristic data of the specified partial content of the apocrypha, obtain the recognition result that the file is an unknown file.
Further, the recognition unit 22 may also be configured to, if the characteristic data of the full content of the file fails to match the characteristic data of the full content of the apocrypha, obtain the recognition result that the file is an unknown file.
For various reasons, for example an error in the logic of the virus scan processing, or a compilation problem in the file itself, some files that are not virus files may be erroneously identified as virus files and then be subjected to alert processing. That is, the alert information produced by the alert processing of such a file is erroneous alert information, i.e., false-alarm information. For this case, in a possible implementation of this embodiment, the recognition unit 22 may further be configured to take any file as the trusted file according to the false-alarm information of that file.
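The three-stage lookup (size, then a hash of the first M bytes, then a hash of the full content) and the false-alarm handling described above, as an added example that is not code from the patent. The `KnownFileDB` class, the value `M = 4096`, the action names, the sample files, and the choice of CRC32 and SHA256 from the algorithms the text lists are assumptions made for illustration; the database stands for the known trusted and untrusted files that the text calls the apocrypha.

```python
import hashlib
import os
import tempfile
import zlib
from enum import Enum

M = 4096  # assumed prefix length; the text only requires M >= 1


class Verdict(Enum):
    TRUSTED = "trusted"
    UNTRUSTED = "untrusted"
    UNKNOWN = "unknown"


def prefix_crc32(path):
    """First hash: CRC32 over the first M bytes only (cheap prefilter)."""
    with open(path, "rb") as f:
        return zlib.crc32(f.read(M)) & 0xFFFFFFFF


def full_sha256(path):
    """Second hash: SHA-256 over the full content, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class KnownFileDB:
    """Known trusted/untrusted files, indexed size -> prefix CRC -> digest."""

    def __init__(self):
        self.index = {}
        self.full_hashes = 0  # how often identify() had to pay for stage 3

    def add(self, path, verdict):
        by_crc = self.index.setdefault(os.path.getsize(path), {})
        by_crc.setdefault(prefix_crc32(path), {})[full_sha256(path)] = verdict

    def identify(self, path):
        by_crc = self.index.get(os.path.getsize(path))  # stage 1: size
        if by_crc is None:
            return Verdict.UNKNOWN
        by_digest = by_crc.get(prefix_crc32(path))      # stage 2: first M bytes
        if by_digest is None:
            return Verdict.UNKNOWN
        self.full_hashes += 1                           # stage 3: full content
        return by_digest.get(full_sha256(path), Verdict.UNKNOWN)

    def record_false_alarm(self, path):
        """A confirmed false alarm re-registers the file as trusted."""
        self.add(path, Verdict.TRUSTED)


def dispatch(db, path):
    """Skip trusted files, alert on untrusted ones, deep-scan only unknowns."""
    return {Verdict.TRUSTED: "skip", Verdict.UNTRUSTED: "alert",
            Verdict.UNKNOWN: "scan"}[db.identify(path)]


def demo():
    """Runs the lookup over constructed sample files; returns (actions, stage-3 count)."""
    with tempfile.TemporaryDirectory() as d:
        def write(name, data):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            return p

        good = write("good.bin", b"A" * 10000)
        bad = write("bad.bin", b"B" * 20000)
        other_size = write("other_size.bin", b"A" * 9999)          # fails stage 1
        other_head = write("other_head.bin", b"X" + b"A" * 9999)   # fails stage 2
        other_tail = write("other_tail.bin", b"A" * 9999 + b"Z")   # fails stage 3

        db = KnownFileDB()
        db.add(good, Verdict.TRUSTED)
        db.add(bad, Verdict.UNTRUSTED)
        actions = {os.path.basename(p): dispatch(db, p)
                   for p in (good, bad, other_size, other_head, other_tail)}
        hashes = db.full_hashes  # full-content hashes needed for five lookups
        db.record_false_alarm(bad)
        actions["bad.bin after false alarm"] = dispatch(db, bad)
        return actions, hashes
```

Only three of the five lookups reach the full-content hash; the verdict itself rests on that last stage, which is why the example uses SHA256 there and CRC32 only to filter candidates.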
It should be noted that the method in the embodiment corresponding to Fig. 1 can be implemented by the file scanning device provided by this embodiment. For details, refer to the related content in the embodiment corresponding to Fig. 1, which is not repeated here.
In this embodiment, the acquiring unit obtains a file to be scanned, and the recognition unit then identifies the file according to at least one of the size of the file and the characteristic data of the file, to obtain a recognition result, the recognition result including that the file is a trusted file, that the file is an untrusted file, or that the file is an unknown file, so that the scanning unit can carry out virus scan processing on the unknown file according to the recognition result. Because virus scan processing only needs to be carried out on unknown files, rather than on every file, the prior-art problem of occupying more system resources of the terminal by carrying out virus scan processing on each file can be avoided, thereby improving the processing performance of the terminal.
In addition, with the technical solution provided by the invention, because virus scan processing only needs to be carried out on unknown files, the efficiency of virus identification can be effectively improved.
In addition, with the technical solution provided by the invention, taking any file as the trusted file according to the false-alarm information of that file avoids continuing to subject that file to alert processing later, which can effectively improve the reliability of virus identification.
It is apparent to those skilled in the art that, for convenience and brevity of description, for the specific working processes of the systems, devices and units described above, reference may be made to the corresponding processes in the foregoing method embodiments, which are not repeated here.
In the several embodiments provided by the invention, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative; for example, the division of the units is only a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the invention may be integrated in one processing unit, each unit may exist physically on its own, or two or more units may be integrated in one unit. The integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional units.
The integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) or a processor to perform some of the steps of the methods described in the embodiments of the invention. The foregoing storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the invention, not to limit them. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the invention.
Claims (16)
- 1. A method for scanning a file, characterized by comprising: obtaining a file to be scanned; identifying the file according to at least one of the size of the file and the characteristic data of the file, to obtain a recognition result, the recognition result including that the file is a trusted file, that the file is an untrusted file, or that the file is an unknown file; and carrying out virus scan processing on the unknown file according to the recognition result; wherein identifying the file according to at least one of the size of the file and the characteristic data of the file, to obtain the recognition result, comprises: obtaining the size of the file; if the size of the file is successfully matched with the size of an apocrypha, obtaining the characteristic data of the specified partial content of the file, the apocrypha including at least one of trusted files and/or untrusted files; if the characteristic data of the specified partial content of the file is successfully matched with the characteristic data of the specified partial content of the apocrypha, obtaining the characteristic data of the full content of the file; and if the characteristic data of the full content of the file is successfully matched with the characteristic data of the full content of the apocrypha, obtaining the recognition result that the file is a trusted file or that the file is an untrusted file.
- 2. The method according to claim 1, characterized in that, after identifying the file according to at least one of the size of the file and the characteristic data of the file, to obtain the recognition result, the method further comprises: skipping the trusted file according to the recognition result.
- 3. The method according to claim 1, characterized in that, after identifying the file according to at least one of the size of the file and the characteristic data of the file, to obtain the recognition result, the method further comprises: carrying out alert processing on the untrusted file according to the recognition result.
- 4. The method according to claim 1, characterized in that the file includes an executable file or a non-executable file.
- 5. The method according to claim 1, characterized in that identifying the file according to at least one of the size of the file and the characteristic data of the file, to obtain the recognition result, further comprises: if the size of the file fails to match the size of an apocrypha, obtaining the recognition result that the file is an unknown file; or if the characteristic data of the specified partial content of the file fails to match the characteristic data of the specified partial content of the apocrypha, obtaining the recognition result that the file is an unknown file; or if the characteristic data of the full content of the file fails to match the characteristic data of the full content of the apocrypha, obtaining the recognition result that the file is an unknown file.
- 6. The method according to claim 1, characterized in that, before identifying the file according to at least one of the size of the file and the characteristic data of the file, to obtain the recognition result, the method further comprises: taking any file as the trusted file according to the false-alarm information of that file.
- 7. The method according to claim 1, characterized in that, if the size of the file is successfully matched with the size of an apocrypha, obtaining the characteristic data of the specified partial content of the file comprises: if the size of the file is successfully matched with the size of an apocrypha, using a first hash algorithm to obtain the characteristic data of the first M bytes of the file, M being an integer greater than or equal to 1.
- 8. The method according to claim 1, characterized in that, if the characteristic data of the specified partial content of the file is successfully matched with the characteristic data of the specified partial content of the apocrypha, obtaining the characteristic data of the full content of the file comprises: if the characteristic data of the specified partial content of the file is successfully matched with the characteristic data of the specified partial content of the apocrypha, using a second hash algorithm to obtain the characteristic data of the full content of the file.
- 9. A device for scanning a file, characterized by comprising: an acquiring unit, configured to obtain a file to be scanned; a recognition unit, configured to identify the file according to at least one of the size of the file and the characteristic data of the file, to obtain a recognition result, the recognition result including that the file is a trusted file, that the file is an untrusted file, or that the file is an unknown file; and a scanning unit, configured to carry out virus scan processing on the unknown file according to the recognition result; the recognition unit being specifically configured to: obtain the size of the file; if the size of the file is successfully matched with the size of an apocrypha, obtain the characteristic data of the specified partial content of the file, the apocrypha including at least one of trusted files and/or untrusted files; if the characteristic data of the specified partial content of the file is successfully matched with the characteristic data of the specified partial content of the apocrypha, obtain the characteristic data of the full content of the file; and if the characteristic data of the full content of the file is successfully matched with the characteristic data of the full content of the apocrypha, obtain the recognition result that the file is a trusted file or that the file is an untrusted file.
- 10. The device according to claim 9, characterized in that the scanning unit is further configured to skip the trusted file according to the recognition result.
- 11. The device according to claim 9, characterized in that the scanning unit is further configured to carry out alert processing on the untrusted file according to the recognition result.
- 12. The device according to claim 9, characterized in that the file includes an executable file or a non-executable file.
- 13. The device according to claim 9, characterized in that the recognition unit is further configured to: if the size of the file fails to match the size of an apocrypha, obtain the recognition result that the file is an unknown file; or if the characteristic data of the specified partial content of the file fails to match the characteristic data of the specified partial content of the apocrypha, obtain the recognition result that the file is an unknown file; or if the characteristic data of the full content of the file fails to match the characteristic data of the full content of the apocrypha, obtain the recognition result that the file is an unknown file.
- 14. The device according to claim 9, characterized in that the recognition unit is further configured to take any file as the trusted file according to the false-alarm information of that file.
- 15. The device according to claim 9, characterized in that the recognition unit is specifically configured to: if the size of the file is successfully matched with the size of an apocrypha, use a first hash algorithm to obtain the characteristic data of the first M bytes of the file, M being an integer greater than or equal to 1.
- 16. The device according to claim 9, characterized in that the recognition unit is specifically configured to: if the characteristic data of the specified partial content of the file is successfully matched with the characteristic data of the specified partial content of the apocrypha, use a second hash algorithm to obtain the characteristic data of the full content of the file.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410472180.3A CN104239795B (en) | 2014-09-16 | 2014-09-16 | The scan method and device of file |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104239795A CN104239795A (en) | 2014-12-24 |
CN104239795B true CN104239795B (en) | 2017-11-24 |
Family
ID=52227837
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410472180.3A Active CN104239795B (en) | 2014-09-16 | 2014-09-16 | The scan method and device of file |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104239795B (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104680066A (en) * | 2015-01-26 | 2015-06-03 | 安一恒通(北京)科技有限公司 | Method and device used for preventing misjudgment of antivirus software |
CN105912946A (en) * | 2016-04-05 | 2016-08-31 | 上海上讯信息技术股份有限公司 | Document detection method and device |
CN106708555B (en) * | 2016-06-29 | 2019-01-22 | 腾讯科技(深圳)有限公司 | A kind of method and apparatus loading plug-in unit |
CN110688658B (en) * | 2019-10-09 | 2021-08-20 | 杭州安恒信息技术股份有限公司 | Unknown virus infection tracing method, device and system |
CN111159710A (en) * | 2020-04-07 | 2020-05-15 | 四川新网银行股份有限公司 | Method for regularly scanning computer virus |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1282283A2 (en) * | 2001-07-26 | 2003-02-05 | Networks Associates Technology, Inc. | Malware scanning using a network bridge |
CN102457841A (en) * | 2010-10-28 | 2012-05-16 | 西门子公司 | Method and device for detecting virus |
CN102768717A (en) * | 2012-06-29 | 2012-11-07 | 腾讯科技(深圳)有限公司 | Malicious file detection method and malicious file detection device |
CN102789558A (en) * | 2011-05-20 | 2012-11-21 | 北京网秦天下科技有限公司 | Method and device for analyzing program installation and program operation in mobile device |
CN102799823A (en) * | 2012-07-13 | 2012-11-28 | 北京江民新科技术有限公司 | Virus detection method and system |
CN102822839A (en) * | 2009-12-31 | 2012-12-12 | 迈克菲股份有限公司 | Malware detection via reputation system |
CN103425928A (en) * | 2012-05-17 | 2013-12-04 | 富泰华工业(深圳)有限公司 | Virus killing system and method for electronic device |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7107617B2 (en) * | 2001-10-15 | 2006-09-12 | Mcafee, Inc. | Malware scanning of compressed computer files |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||