CN104268080A - Software exception handling method and device - Google Patents

Publication number
CN104268080A
Authority
CN
China
Prior art keywords
terminal device
monitoring data
key point
statistics
year
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201410498362.8A
Other languages
Chinese (zh)
Inventor
周奕
陈志强
朱瑞闻
王鑫骅
陈俊强
朱显章
刘桂峰
姚辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Kingsoft Internet Security Software Co Ltd
Original Assignee
Beijing Kingsoft Internet Security Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Kingsoft Internet Security Software Co Ltd filed Critical Beijing Kingsoft Internet Security Software Co Ltd
Priority to CN201410498362.8A priority Critical patent/CN104268080A/en
Publication of CN104268080A publication Critical patent/CN104268080A/en
Pending legal-status Critical Current

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The embodiment of the invention discloses a software exception handling method, which comprises the following steps: receiving monitoring data for key points of software reported by terminal devices, the monitoring data including whether the key points of the software are abnormal; performing statistics on the monitoring data; judging, according to the statistical result, whether the monitoring data meets a preset condition; and, if it does, performing corresponding processing according to a set rule. The embodiment of the invention also discloses a software exception handling device and a server. With the embodiment of the invention, the running state of software on different terminal devices can be monitored from a global perspective, and the efficiency of discovering and handling software exceptions is improved.

Description

A software exception handling method and device
Technical field
The present invention relates to the field of Internet technology, and in particular to a software exception handling method and device.
Background
With the rapid development of Internet technology, the Internet has gradually become an indispensable part of people's work and life. At the same time, the network application environment has become increasingly complex. While using the Internet, people are exposed to network attacks such as computer viruses and Trojans, and the resulting exceptions in the software they use have become increasingly frequent and varied, making them hard for users to guard against.
In the prior art, a software exception is usually handled by the user of the terminal device on which it occurs, either by reinstalling the software or by running the repair program that ships with the software. Discovery and handling of software exceptions are thus confined to the individual device: the running state of software on different terminal devices cannot be monitored from a global perspective, and software exceptions cannot be discovered in a timely manner.
Summary of the invention
The technical problem to be solved by the embodiments of the present invention is to provide a software exception handling method and device that can monitor, from a global perspective, the running state of software on different terminal devices and improve the efficiency of discovering and handling software exceptions.
To solve the above technical problem, an embodiment of the present invention provides a software exception handling method, comprising:
receiving monitoring data for key points of software reported by a terminal device, the monitoring data including whether the key points of the software are abnormal;
performing statistics on the monitoring data;
judging, according to the statistical result, whether the monitoring data meets a preset condition;
if it does, performing corresponding processing according to a set rule.
Correspondingly, an embodiment of the present invention further provides a software exception handling device, comprising:
a receiving module, configured to receive monitoring data for key points of software reported by a terminal device, the monitoring data including whether the key points of the software are abnormal;
a statistics module, configured to perform statistics on the monitoring data;
a judging module, configured to judge, according to the statistical result, whether the monitoring data meets a preset condition;
a processing module, configured to perform corresponding processing according to a set rule when the judging module judges that the condition is met.
Correspondingly, an embodiment of the present invention further provides a server side, comprising the software exception handling device described above.
Implementing the embodiments of the present invention has the following beneficial effects:
When monitoring data for key points of software reported by terminal devices is received, statistics are performed on the monitoring data, whether the monitoring data meets a preset condition is judged according to the statistical result, and, when it does, corresponding processing is carried out according to a set rule. The running state of software on different terminal devices is thereby monitored from a global perspective, and the efficiency of discovering and handling software exceptions is improved.
Brief description of the drawings
To illustrate the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of a software exception handling method provided by an embodiment of the present invention;
Fig. 2 is a schematic flowchart of another software exception handling method provided by an embodiment of the present invention;
Fig. 3 is a schematic flowchart of another software exception handling method provided by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a software exception handling device provided by an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of another software exception handling device provided by an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of another software exception handling device provided by an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a schematic flowchart of a software exception handling method provided by an embodiment of the present invention. The method may include the following steps:
Step 101: receive monitoring data for key points of software reported by a terminal device; the monitoring data includes whether the key points of the software are abnormal.
In the embodiment of the present invention, the above method can be applied to the server side of security software such as Kingsoft Antivirus, Kingsoft Guard and Mobile Duba. The server side may be implemented in hardware, such as a server, or in software, such as a service system; the embodiment of the present invention does not limit this. For ease of description, the embodiment of the present invention is described with the server side as the executing entity. It should be noted, however, that the executing entity of the embodiment of the present invention is not limited to the server side, nor is the method limited to security software: any equipment, device or system that can implement the embodiment of the present invention falls within the scope of protection claimed by the embodiment of the present invention.
In the embodiment of the present invention, the terminal device may include a PC (Personal Computer), a smartphone, a tablet computer and the like; the embodiment of the present invention does not limit this.
In the embodiment of the present invention, the software may include system software, application software and the like running on the terminal device; the embodiment of the present invention does not limit this.
In the embodiment of the present invention, the key points of the software may include, but are not limited to, one or more of the following:
Critical files, registry entries, environment variables.
The critical files may include, but are not limited to, one or more of the following:
System files, program files, configuration files.
In the embodiment of the present invention, the terminal device can monitor the key points of the running software in real time and periodically report monitoring data to the server side. The monitoring data includes, but is not limited to, whether the key points of the software are abnormal. For example, the terminal device can monitor the registry entries of the system software in real time and report to the server side once every 5 minutes whether the registry entries of the system software are abnormal.
Step 102: perform statistics on the monitoring data.
Step 103: judge, according to the statistical result, whether the monitoring data meets a preset condition. If so, go to step 104; otherwise, go to step 101.
In the embodiment of the present invention, after receiving the monitoring data for key points of software reported by terminal devices, the server side can periodically perform statistics on the monitoring data and analyze the running state of the software according to the statistical result. For example, the server side can perform statistics once every 10 minutes on the monitoring data reported by terminal devices and analyze the running state of the software according to the statistical result.
As an optional embodiment, in step 102 above, performing statistics on the monitoring data may include:
According to the monitoring data, counting the number of terminal devices on which the same key point is currently still abnormal.
Correspondingly, in step 103 above, judging according to the statistical result whether the monitoring data meets a preset condition may include:
According to the number of terminal devices on which the same key point is currently still abnormal, judging whether the year-on-year ratio of the number of terminal devices on which the key point is currently still abnormal at this statistics moment reaches a year-on-year threshold; and/or,
According to the number of terminal devices on which the same key point is currently still abnormal, judging whether the daily chain ratio of the number of terminal devices on which the key point is currently still abnormal reaches a chain ratio threshold.
Here, the year-on-year ratio can be the ratio of the statistical result at 2:00 this Monday to the statistical result at 2:00 last Monday, or the ratio of the statistical result at 2:00 on the first Monday of this month to the statistical result at 2:00 last Monday, or the ratio of the statistical result at 2:00 on the first Monday of the first month of this year to the statistical result at 2:00 on the first Monday of the first month of last year (the same applies below). The chain ratio can be the ratio of the current day's statistical result (which can be the last statistical result of that day) to the previous day's statistical result (the same applies below).
For example, suppose the server side performs statistics on the monitoring data on the hour every day (that is, at 1:00, 2:00, ..., 24:00): at 1:00 it aggregates the monitoring data reported by terminal devices between 0:00 and 1:00 that day, at 2:00 the monitoring data reported between 1:00 and 2:00, ..., and at 24:00 the monitoring data reported between 23:00 and 24:00.
Suppose the preset time period is one week. At 2:00 this Monday, the server side's statistics on the received monitoring data show that the number of terminal devices on which the registry entry of application software 1 is currently still abnormal is A1. The year-on-year ratio of the number of terminal devices on which this key point is currently still abnormal at this statistics moment can then be the ratio of A1 to the number of terminal devices on which the registry entry of application software 1 was still abnormal at 2:00 last Monday (assumed to be A2), i.e. A1/A2*100%. Suppose that at 24:00 this Monday the server side's statistics on the monitoring data (i.e. this Monday's daily statistical result) show that the number of terminal devices on which the registry entry of application software 1 is currently still abnormal is B1. The daily chain ratio of the number of terminal devices on which this key point is currently still abnormal can then be the ratio of B1 to the number of terminal devices on which the registry entry of application software 1 was still abnormal at 24:00 on the previous day (i.e. the previous day's daily statistical result, assumed to be B2), i.e. B1/B2*100%.
As another optional embodiment, in step 201 above, performing statistics on the monitoring data may include:
According to the monitoring data, counting the number of terminal devices on which the same key point has been abnormal during the current day.
Correspondingly, in step 301 above, judging according to the statistical result whether the monitoring data meets a preset condition includes:
According to the number of terminal devices on which the same key point has been abnormal during the current day, judging whether the year-on-year ratio of the number of terminal devices on which the key point has been abnormal that day, as of this statistics moment, reaches a year-on-year threshold; and/or,
According to the number of terminal devices on which the same key point has been abnormal during the current day, judging whether the daily chain ratio of the number of terminal devices on which the key point has been abnormal reaches a chain ratio threshold.
For example, suppose the server side performs statistics on the monitoring data on the hour every day (that is, at 1:00, 2:00, ..., 24:00): at 1:00 it aggregates the monitoring data reported by terminal devices between 0:00 and 1:00 that day, at 2:00 the monitoring data reported between 1:00 and 2:00, ..., and at 24:00 the monitoring data reported between 23:00 and 24:00.
Suppose the preset time period is one week. At 2:00 this Monday, the server side's statistics on the received monitoring data show that the number of terminal devices on which the registry entry of application software 1 has been abnormal that day is C1 (this includes the terminal devices counted as abnormal at 2:00 this Monday and those counted as abnormal at 1:00 this Monday). The year-on-year ratio of the number of terminal devices on which this key point has been abnormal that day, as of this statistics moment, can then be the ratio of C1 to the number of terminal devices on which the registry entry of application software 1 had been abnormal that day as counted at 2:00 last Monday (assumed to be C2), i.e. C1/C2*100%. Suppose that at 24:00 this Monday the server side's statistics on the monitoring data (i.e. this Monday's daily statistical result) show that the number of terminal devices on which the registry entry of application software 1 has been abnormal that day is D1 (this includes the terminal devices counted as abnormal at every statistics moment of the day, i.e. 1:00, 2:00, ..., 24:00). The daily chain ratio of the number of terminal devices on which this key point has been abnormal can then be the ratio of D1 to the number of terminal devices on which the registry entry of application software 1 had been abnormal that day as counted at 24:00 on the previous day (i.e. the previous day's daily statistical result, assumed to be D2), i.e. D1/D2*100%.
For instance, suppose that at 1:00 this Monday the terminal device counted as having an abnormal registry entry for application software 1 (that is, a terminal device that is currently still abnormal) is A1; at 2:00 the terminal devices counted as abnormal are A1 and A3; and at 3:00 the terminal devices counted as abnormal are A2 and A3. Then at 3:00 that day, the terminal devices on which the exception has occurred that day are A1, A2 and A3.
As another optional embodiment, in step 102 above, performing statistics on the monitoring data includes:
According to the monitoring data, counting the number of newly added terminal devices on which the same key point is abnormal.
Correspondingly, in step 103 above, judging according to the statistical result whether the monitoring data meets a preset condition may include:
Judging whether the number of newly added terminal devices on which the key point is abnormal reaches a threshold.
Here, the number of newly added terminal devices on which a key point is abnormal is the number of terminal devices on which the key point is abnormal in the current statistical result but was not abnormal in the previous statistical result.
For example, suppose the server side performs statistics on the monitoring data on the hour every day (that is, at 1:00, 2:00, ..., 24:00): at 1:00 it aggregates the monitoring data reported by terminal devices between 0:00 and 1:00 that day, at 2:00 the monitoring data reported between 1:00 and 2:00, ..., and at 24:00 the monitoring data reported between 23:00 and 24:00.
Suppose that at 2:00 the server side's statistics on the received monitoring data show that the terminal devices on which the registry entry of application software 1 is abnormal are terminal 1, terminal 2, ..., terminal n. The server side can then match the identification information of these terminal devices (i.e. terminal 1, terminal 2, ..., terminal n) against the identification information of the terminal devices counted as having an abnormal registry entry for application software 1 at the previous statistics moment (i.e. 1:00 that day). A terminal device for which no match is found is considered a newly added terminal device on which this key point is abnormal. Suppose terminal 1, terminal 2, ..., terminal m are terminal devices on which the key point is abnormal in the 2:00 statistical result but not in the 1:00 statistical result of the same day. The server side's statistical result for this monitoring data is then: the number of newly added terminal devices on which the key point is abnormal at this statistics moment is m.
As another optional embodiment, in step 102 above, performing statistics on the monitoring data may include:
According to the monitoring data, counting the number of terminal devices on which the same key point is currently still abnormal, and the number of terminal devices on which the key point has been abnormal during the current day.
Correspondingly, in step 103 above, judging according to the statistical result whether the monitoring data meets a preset condition may include:
Judging whether the ratio of the number of terminal devices on which the key point is currently still abnormal to the number of terminal devices on which the key point has been abnormal that day reaches a threshold.
For example, suppose the server side performs statistics on the monitoring data on the hour every day (that is, at 1:00, 2:00, ..., 24:00): at 1:00 it aggregates the monitoring data reported by terminal devices between 0:00 and 1:00 that day, at 2:00 the monitoring data reported between 1:00 and 2:00, ..., and at 24:00 the monitoring data reported between 23:00 and 24:00.
Suppose that at 2:00 on Monday the server side counts, according to the monitoring data, E1 terminal devices on which the registry entry of application software 1 is currently still abnormal and E2 terminal devices on which the registry entry of application software 1 has been abnormal that day (the terminal devices counted as abnormal at 2:00, together with those counted as abnormal at 1:00 that day, the statistics moment preceding this one). The ratio computed by the server side of the number of terminal devices on which the key point is currently still abnormal to the number of terminal devices on which the key point has been abnormal that day is then E1/E2*100%.
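The statistics described in the embodiments above (devices still abnormal, devices abnormal during the day, newly abnormal devices, and the ratios compared against thresholds), worked through in Python as an added example that is not code from the patent. Function names, the key point label, the baseline count and the threshold values are all hypothetical; the sample reports are constructed to match the A1/A2/A3 example in the text.

```python
from collections import defaultdict

# Constructed sample: (statistics hour, device id, key point, abnormal?).
# Mirrors the text: A1 at 1:00; A1 and A3 at 2:00; A2 and A3 at 3:00.
REPORTS = [
    (1, "A1", "app1/registry", True),
    (1, "A2", "app1/registry", False),
    (2, "A1", "app1/registry", True),
    (2, "A3", "app1/registry", True),
    (3, "A1", "app1/registry", False),
    (3, "A2", "app1/registry", True),
    (3, "A3", "app1/registry", True),
]


def abnormal_by_hour(reports, key_point):
    """Map each statistics hour to the devices reporting key_point abnormal."""
    hourly = defaultdict(set)
    for hour, device, kp, abnormal in reports:
        if kp == key_point and abnormal:
            hourly[hour].add(device)
    return hourly


def still_abnormal(hourly, hour):
    """Devices on which the key point is abnormal at this statistics moment."""
    return set(hourly.get(hour, set()))


def abnormal_today(hourly, hour):
    """Devices abnormal at this or any earlier statistics moment of the day."""
    devices = set()
    for h, devs in hourly.items():
        if h <= hour:
            devices |= devs
    return devices


def newly_abnormal(hourly, hour):
    """Devices abnormal now that were not abnormal at the previous moment."""
    return still_abnormal(hourly, hour) - still_abnormal(hourly, hour - 1)


def ratio_pct(current, baseline):
    """current/baseline*100%. Assumption: with a zero baseline the ratio is
    undefined, so None is returned and no threshold comparison is made."""
    if baseline == 0:
        return None
    return current / baseline * 100.0


def evaluate(hourly, hour, baseline_same_moment, thresholds):
    """Compute the metrics for one statistics moment and list those that
    reach their (hypothetical) thresholds."""
    still = len(still_abnormal(hourly, hour))
    today = len(abnormal_today(hourly, hour))
    metrics = {
        # A1/A2*100%: same moment, one preset period earlier
        "year_on_year_pct": ratio_pct(still, baseline_same_moment),
        "new_devices": len(newly_abnormal(hourly, hour)),
        # E1/E2*100%: still abnormal vs. abnormal at any point today
        "still_vs_today_pct": ratio_pct(still, today),
    }
    triggered = [name for name, value in metrics.items()
                 if value is not None and value >= thresholds[name]]
    return metrics, triggered


if __name__ == "__main__":
    hourly = abnormal_by_hour(REPORTS, "app1/registry")
    limits = {"year_on_year_pct": 150.0, "new_devices": 5,
              "still_vs_today_pct": 50.0}
    print(evaluate(hourly, 3, baseline_same_moment=1, thresholds=limits))
```

The chain ratio uses the same `ratio_pct` helper with the previous day's final count as the baseline.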
As another optional embodiment, in step 102 above, performing statistics on the monitoring data may include:
Counting the number of terminal devices currently online.
Correspondingly, judging according to the statistical result whether the monitoring data reaches the set threshold may include:
According to the number of terminal devices currently online, judging whether the year-on-year ratio of the number of terminal devices online at this statistics moment reaches a year-on-year threshold; and/or,
According to the number of terminal devices currently online, judging whether the daily chain ratio of the number of terminal devices online reaches a chain ratio threshold.
In the embodiment of the present invention, the server side can judge whether a terminal device is online according to whether monitoring data reported by it has been received. That is, when the server side performs statistics on the monitoring data, it can regard as online those terminal devices that reported monitoring data at the previous reporting moment nearest to this statistics moment.
For instance, suppose terminal devices report monitoring data every day at 0:30, 1:00, 1:30, ..., 24:00 (one report every half hour). When the server side performs statistics on the monitoring data at 2:00, it can regard the terminal devices that reported monitoring data at 1:30 as online terminal devices.
For example, suppose the server side performs statistics on the monitoring data on the hour every day (that is, at 1:00, 2:00, ..., 24:00): at 1:00 it aggregates the monitoring data reported by terminal devices between 0:00 and 1:00 that day, at 2:00 the monitoring data reported between 1:00 and 2:00, ..., and at 24:00 the monitoring data reported between 23:00 and 24:00.
Suppose the preset time period is one week. At 2:00 this Monday, the server side's statistics on the received monitoring data show that the number of online terminal devices is F1. The year-on-year ratio of the number of terminal devices online at this statistics moment can then be the ratio of the number of online terminal devices counted at 2:00 this Monday to the number of online terminal devices counted at 2:00 last Monday (assumed to be F2), i.e. F1/F2*100%. Suppose that at 24:00 this Monday the server's statistics on the monitoring data show that the number of online terminal devices is G1. The daily chain ratio of the number of terminal devices online can then be the ratio of the number of online terminal devices counted at 24:00 this Monday to the number of online terminal devices counted at 24:00 on the previous day (assumed to be G2), i.e. G1/G2*100%.
As another optional embodiment, in step 102 above, performing statistics on the monitoring data may include:
According to the monitoring data, counting the number of startup terminal devices.
Correspondingly, judging according to the statistical result whether the monitoring data meets a preset condition may include:
According to the number of startup terminal devices, judging whether the year-on-year ratio of the number of startup terminal devices at this statistics moment reaches a year-on-year threshold; and/or,
According to the number of startup terminal devices, judging whether the daily chain ratio of the number of startup terminal devices reaches a chain ratio threshold.
In the embodiment of the present invention, the server side can judge whether a terminal device is a startup terminal device according to how monitoring data reported by it has been received. That is, when the server side performs statistics on the monitoring data, it can regard as startup terminal devices those terminal devices that reported monitoring data for the first time at the previous reporting moment nearest to this statistics moment.
For instance, suppose terminal devices report monitoring data every day at 0:30, 1:00, 1:30, ..., 24:00 (one report every half hour). When the server side performs statistics on the monitoring data at 2:00, it can regard as startup terminal devices those terminal devices that reported monitoring data for the first time at 2:00 (that is, terminal devices that reported no monitoring data at 0:30, 1:00 or 1:30 but did report monitoring data at 2:00).
For example, suppose the server side performs statistics on the monitoring data on the hour every day (that is, at 1:00, 2:00, ..., 24:00): at 1:00 it aggregates the monitoring data reported by terminal devices between 0:00 and 1:00 that day, at 2:00 the monitoring data reported between 1:00 and 2:00, ..., and at 24:00 the monitoring data reported between 23:00 and 24:00.
Suppose the preset time period is one week. At 2:00 this Monday, the server side's statistics on the received monitoring data show that the number of startup terminal devices is H1. The year-on-year ratio of the number of startup terminal devices at this statistics moment can then be the ratio of the number of startup terminal devices counted at 2:00 this Monday to the number of startup terminal devices counted at 2:00 last Monday (assumed to be H2), i.e. H1/H2*100%. Suppose the server's statistics on the monitoring data show that the number of startup terminal devices this Monday (including the startup terminal devices counted at 0:00 this Monday, those counted at 1:00, ..., and those counted at 24:00) is I1. The daily chain ratio of the number of startup terminal devices can then be the ratio of the number of startup terminal devices this Monday to the number of startup terminal devices on the previous day (assumed to be I2), i.e. I1/I2*100%.
As another optional embodiment, in step 102 above, performing statistics on the monitoring data may include:
According to the monitoring data, counting the number of shutdown terminal devices.
Correspondingly, judging according to the statistical result whether the monitoring data meets a preset condition may include:
According to the number of shutdown terminal devices, judging whether the year-on-year ratio of the number of shutdown terminal devices at this statistics moment reaches a year-on-year threshold; and/or,
According to the number of shutdown terminal devices, judging whether the daily chain ratio of the number of shutdown terminal devices reaches a chain ratio threshold.
In the embodiment of the present invention, the server side can judge whether a terminal device is a shutdown terminal device according to how monitoring data reported by it has been received. That is, when the server side performs statistics on the monitoring data, it can regard as shutdown terminal devices those terminal devices that did not report monitoring data at the previous reporting moment nearest to this statistics moment but did report monitoring data at the reporting moment before that one.
For instance, suppose terminal devices report monitoring data every day at 0:30, 1:00, 1:30, ..., 24:00 (one report every half hour). When the server side performs statistics on the monitoring data at 2:00, it can regard as shutdown terminal devices those terminal devices that reported monitoring data at 1:30 but did not report monitoring data at 2:00.
For example, suppose the server side performs statistics on the monitoring data on the hour every day (that is, at 1:00, 2:00, ..., 24:00): at 1:00 it aggregates the monitoring data reported by terminal devices between 0:00 and 1:00 that day, at 2:00 the monitoring data reported between 1:00 and 2:00, ..., and at 24:00 the monitoring data reported between 23:00 and 24:00.
Suppose the preset time period is one week. At 2:00 this Monday, the server side's statistics on the received monitoring data show that the number of shutdown terminal devices is J1. The year-on-year ratio of the number of shutdown terminal devices at this statistics moment can then be the ratio of the number of shutdown terminal devices counted at 2:00 this Monday to the number of shutdown terminal devices counted at 2:00 last Monday (assumed to be J2), i.e. J1/J2*100%. Suppose the server's statistics on the monitoring data show that the number of shutdown terminal devices this Monday (including the shutdown terminal devices counted at 0:00 this Monday, those counted at 1:00, ..., and those counted at 24:00) is K1. The daily chain ratio of the number of shutdown terminal devices can then be the ratio of the number of shutdown terminal devices this Monday to the number of shutdown terminal devices on the previous day (assumed to be K2), i.e. K1/K2*100%.
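How the server side can derive the online, startup and shutdown device sets from report arrival times alone, following the 1:30 and 2:00 examples in the three embodiments above. This is an added Python example, not code from the patent; device ids, function names, baseline counts and thresholds are hypothetical, and the report times are constructed.

```python
REPORT_INTERVAL = 30  # minutes; the text's example reports every half hour

# Constructed sample: device id -> minutes after midnight at which it reported.
REPORT_TIMES = {
    "dev-1": {30, 60, 90, 120},  # reporting all along
    "dev-2": {120},              # first report of the day at 2:00
    "dev-3": {30, 60, 90},       # reported at 1:30, silent at 2:00
    "dev-4": {30},               # went silent after 0:30
}


def online_devices(report_times, stat_minute):
    """Devices that reported at the reporting moment before the statistics
    moment (1:30 for the 2:00 statistics in the text's example)."""
    slot = stat_minute - REPORT_INTERVAL
    return {d for d, times in report_times.items() if slot in times}


def startup_devices(report_times, stat_minute):
    """Devices whose first report of the day arrives at the statistics
    moment (no report at 0:30, 1:00, 1:30; a report at 2:00)."""
    return {d for d, times in report_times.items()
            if stat_minute in times and min(times) == stat_minute}


def shutdown_devices(report_times, stat_minute):
    """Devices that reported one interval earlier but not at the statistics
    moment (reported at 1:30, nothing at 2:00)."""
    prev = stat_minute - REPORT_INTERVAL
    return {d for d, times in report_times.items()
            if prev in times and stat_minute not in times}


def presence_counts(report_times, stat_minute):
    """The three per-moment counts that the server side compares over time."""
    return {
        "online": len(online_devices(report_times, stat_minute)),
        "startup": len(startup_devices(report_times, stat_minute)),
        "shutdown": len(shutdown_devices(report_times, stat_minute)),
    }


def year_on_year_alerts(counts, baseline, thresholds_pct):
    """Return {metric: ratio in percent} for every metric whose ratio to the
    same moment one preset period earlier reaches its threshold.
    Assumption: a metric with a zero baseline has no ratio and is skipped."""
    alerts = {}
    for name, current in counts.items():
        previous = baseline.get(name, 0)
        if previous == 0:
            continue
        pct = current / previous * 100.0
        if pct >= thresholds_pct[name]:
            alerts[name] = pct
    return alerts


if __name__ == "__main__":
    counts = presence_counts(REPORT_TIMES, 120)  # statistics at 2:00
    last_week = {"online": 4, "startup": 1, "shutdown": 0}  # constructed
    limits = {"online": 150.0, "startup": 100.0, "shutdown": 200.0}
    print(counts, year_on_year_alerts(counts, last_week, limits))
```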
As another optional implementation, when there are multiple key points, compiling statistics on the monitoring data in step 102 above can include:
According to the monitoring data, counting the terminal devices on which the same combination of multiple key points is abnormal; a key point combination includes at least two key points.
Correspondingly, judging in step 103 above whether the monitoring data meets the preset condition according to the statistical result can include:
Judging whether the number of terminal devices on which the same key point combination is abnormal reaches a threshold.
In this embodiment of the present invention, key point combinations can be preset. A key point combination includes at least two key points: for example, a critical file and a registry entry as one key point combination; or a critical file and an environment variable as one key point combination; or a critical file, a registry entry and an environment variable as one key point combination. The correlation between key point anomalies in the monitoring data reported by terminal devices is analyzed in order to determine whether a software exception has occurred.
For example, if the key point combination comprises a registry entry and an environment variable, then when the server compiles statistics on the monitoring data it can count the terminal devices on which the registry entry and the environment variable are abnormal at the same time. Suppose that at 2:00 the server's statistics on the received monitoring data show that the number of terminal devices on which the registry entry and the environment variable of application software 1 are simultaneously abnormal is L1; the server then determines that the number of terminal devices on which the key point combination is abnormal is L1.
In this embodiment of the present invention, multiple different key point combinations can be set, and the same or different thresholds can be set for the different key point combinations.
Step 104: perform the corresponding processing according to the set rule.
In this embodiment of the present invention, when the statistical result obtained from the monitoring data shows that the monitoring data meets the preset condition (for example, the year-on-year ratio of the number of terminal devices on which the same key point is currently still abnormal at the current statistics moment reaches the year-on-year threshold, and/or the chain ratio of the daily number of terminal devices on which the same key point is currently still abnormal reaches the chain-ratio threshold), the corresponding processing can be performed according to the set rule, such as issuing an early warning, raising an alarm, or issuing a recovery plan.
In this embodiment of the present invention, multiple thresholds can be set for the same statistical result. For example, for the year-on-year ratio of the number of terminal devices on which the same key point is currently still abnormal at the current statistics moment, multiple thresholds can be set: when the statistical result shows that the monitoring data reaches the first threshold, early-warning processing is performed; when the statistical result shows that the monitoring data reaches the second threshold, alarm processing is performed. The first threshold is less than the second threshold.
In this embodiment of the present invention, when the server judges from the statistical result that the monitoring data reaches the first threshold, the software exception can be considered to need attention without being very serious. The server then performs early-warning processing, such as sending an alarm e-mail to the back-end maintenance personnel, so that after seeing the alarm e-mail they handle the situation as actual conditions require. When the server judges from the statistical result that the monitoring data reaches the second threshold, the software exception can be considered more serious and in need of handling as soon as possible. The server then performs alarm processing, such as sending an alarm message to the back-end maintenance personnel or dialing an alarm telephone call, so that they receive the alarm information promptly and take measures promptly.
Fig. 2 is a schematic flowchart of another software exception handling method provided by an embodiment of the present invention, which can include the following steps:
Step 201: receive the monitoring data for a key point of software reported by a terminal device; the monitoring data includes whether the key point of the software is abnormal.
In this embodiment of the present invention, the key points of the software can include, but are not limited to, one or more of the following:
Critical file, registry entry, environment variable.
The critical file can include, but is not limited to, one or more of the following:
System file, program file, configuration file.
In this embodiment of the present invention, a terminal device can monitor the key points of running software in real time and periodically report monitoring data to the server. The monitoring data includes, but is not limited to, whether a key point of the software is abnormal. For example, the terminal device can monitor the registry entries of system software in real time and report to the server once every 5 minutes whether the registry entries of the system software are abnormal, and so on.
Step 202: according to the monitoring data, count the terminal devices on which the same key point has been abnormal that day.
Step 203: according to the number of terminal devices on which the same key point has been abnormal that day, judge whether the year-on-year ratio, at this statistics moment, of the daily number of terminal devices on which this key point has been abnormal reaches the first year-on-year threshold, or whether the chain ratio of the daily number of terminal devices on which this key point has been abnormal reaches the first chain-ratio threshold. If yes, go to step 204; otherwise, go to step 201.
Step 204: according to the number of terminal devices on which the same key point has been abnormal that day, judge whether the year-on-year ratio, at this statistics moment, of the daily number of terminal devices on which this key point has been abnormal reaches the second year-on-year threshold, or whether the chain ratio of the daily number of terminal devices on which this key point has been abnormal reaches the second chain-ratio threshold. If yes, go to step 205; otherwise, go to step 206.
In this embodiment of the present invention, the judgment in step 203 above is yes in any of these cases: the year-on-year ratio, at this statistics moment, of the daily number of terminal devices on which this key point has been abnormal reaches the first year-on-year threshold; or the chain ratio of the daily number of terminal devices on which this key point has been abnormal reaches the first chain-ratio threshold; or both the year-on-year ratio reaches the first year-on-year threshold and the chain ratio reaches the first chain-ratio threshold. The judgment is no when the year-on-year ratio does not reach the first year-on-year threshold and the chain ratio does not reach the first chain-ratio threshold.
Similarly, the judgment in step 204 above is yes in any of these cases: the year-on-year ratio, at this statistics moment, of the daily number of terminal devices on which this key point has been abnormal reaches the second year-on-year threshold; or the chain ratio of the daily number of terminal devices on which this key point has been abnormal reaches the second chain-ratio threshold; or both the year-on-year ratio reaches the second year-on-year threshold and the chain ratio reaches the second chain-ratio threshold. The judgment is no when the year-on-year ratio does not reach the second year-on-year threshold and the chain ratio does not reach the second chain-ratio threshold.
For example, take the case in which the server compiles statistics on the monitoring data on the hour every day (that is, at 1:00, 2:00, ..., 24:00): at 1:00 every day it compiles statistics on the monitoring data reported by terminal devices between 0:00 and 1:00 that day, at 2:00 every day on the monitoring data reported between 1:00 and 2:00 that day, ..., and at 24:00 every day on the monitoring data reported between 23:00 and 24:00 that day.
Suppose the preset time period is one week, and at 2:00 this Monday the server's statistics on the received monitoring data show that the number of terminal devices on which the registry entry of application software 1 has been abnormal that day (including the terminal devices on which it was abnormal in the statistics at 2:00 this Monday and those on which it was abnormal in the statistics at 1:00 this Monday) is 10000. The year-on-year ratio, at this statistics moment, of the daily number of terminal devices on which this key point has been abnormal can then be the ratio of the number of terminal devices on which the registry entry of application software 1 has been abnormal that day as counted at 2:00 this Monday to the corresponding number counted at 2:00 last Monday (assumed to be 2000), that is, 10000/2000*100% = 500%. If the preset first year-on-year threshold is 400% and the second year-on-year threshold is 800%, the server judges that this year-on-year ratio reaches the first year-on-year threshold but does not reach the second year-on-year threshold.
Suppose further that at 24:00 this Monday the server's statistics on the monitoring data (that is, the statistical result for the whole of this Monday) show that the number of terminal devices on which the registry entry of application software 1 has been abnormal that day (covering all statistics moments of the day, that is, 1:00, 2:00, ..., 24:00) is 20000. The chain ratio of the daily number of terminal devices on which this key point has been abnormal can then be the ratio of the number counted at 24:00 this Monday to the number counted at 24:00 on the previous day (that is, the previous day's statistical result, assumed to be 5000), that is, 20000/5000*100% = 400%. Suppose the preset first chain-ratio threshold is 300% and the second chain-ratio threshold is 500%; the server then judges that the chain ratio of the daily number of terminal devices on which this key point has been abnormal reaches the first chain-ratio threshold but does not reach the second chain-ratio threshold.
For example, suppose that at 1:00 this Monday the terminal device counted as having an abnormal application software 1 registry entry (that is, the terminal device that is abnormal that day) is A1; at 2:00 the terminal devices counted as having an abnormal application software 1 registry entry are A1 and A3; and at 3:00 they are A2 and A3. Then at 3:00 that day, the terminal devices that have been abnormal are A1, A2 and A3.
Step 205: perform early-warning processing.
Step 206: perform alarm processing.
In this embodiment of the present invention, if the judgment in step 203 above is yes but the judgment in step 204 is no, the server considers that the software exception needs attention but is not very serious. The server then performs early-warning processing, such as sending an alarm e-mail to the back-end maintenance personnel, so that after seeing the alarm e-mail they handle the situation as actual conditions require.
If the judgment in step 204 above is yes, the software exception is considered more serious and in need of handling as soon as possible. The server then performs alarm processing, such as sending an alarm message to the back-end maintenance personnel or dialing an alarm telephone call, so that they receive the alarm information promptly and take measures promptly.
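The statistics and threshold checks of the Fig. 2 flow can be sketched as follows. This is an added example, not code from the patent; the function names, the report tuple layout and the handling of a zero baseline are assumptions, and the severity mapping follows the text above (first threshold reached: early warning; second threshold reached: alarm).

```python
"""Year-on-year and chain-ratio checks with two thresholds (added example)."""
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

# (day, statistics hour, device id, key point, abnormal?): one row per device
# report that fell into that hourly statistics window. Layout is an assumption.
Report = Tuple[str, int, str, str, bool]

# Constructed sample mirroring the A1/A2/A3 walk-through in the text.
CONSTRUCTED_REPORTS = [
    ("mon", 1, "A1", "app1.registry", True),
    ("mon", 2, "A1", "app1.registry", True),
    ("mon", 2, "A3", "app1.registry", True),
    ("mon", 3, "A2", "app1.registry", True),
    ("mon", 3, "A3", "app1.registry", True),
    ("mon", 3, "A4", "app1.registry", False),  # healthy report, not counted
    ("mon", 3, "A5", "app1.env", True),        # other key point, not counted
    ("sun", 3, "A6", "app1.registry", True),   # other day, not counted
]


def abnormal_devices_that_day(reports: Iterable[Report], day: str,
                              key_point: str, up_to_hour: int) -> Set[str]:
    """Distinct devices on which key_point has been abnormal on `day`, over
    every statistics moment up to and including up_to_hour (step 202)."""
    return {
        device
        for rep_day, hour, device, kp, abnormal in reports
        if rep_day == day and kp == key_point and abnormal and hour <= up_to_hour
    }


def ratio_percent(current: int, baseline: int) -> Optional[float]:
    """current / baseline * 100%. Returns None when there is no baseline to
    compare against (assumption of this example; the text does not cover it)."""
    if baseline <= 0:
        return None
    return current / baseline * 100.0


@dataclass(frozen=True)
class Thresholds:
    first: float   # reaching this triggers early-warning processing
    second: float  # reaching this triggers alarm processing

    def __post_init__(self):
        if not self.first < self.second:
            raise ValueError("first threshold must be less than second threshold")


SEVERITY_ORDER = ("none", "early_warning", "alarm")


def severity(ratio: Optional[float], thresholds: Thresholds) -> str:
    """Map one ratio onto the two thresholds."""
    if ratio is None:
        return "none"
    if ratio >= thresholds.second:
        return "alarm"
    if ratio >= thresholds.first:
        return "early_warning"
    return "none"


def evaluate(year_on_year: Optional[float], chain: Optional[float],
             yoy_thresholds: Thresholds, chain_thresholds: Thresholds) -> str:
    """Steps 203/204 are 'or' conditions, so either ratio is enough and the
    more severe of the two results decides the processing."""
    results = (severity(year_on_year, yoy_thresholds),
               severity(chain, chain_thresholds))
    return max(results, key=SEVERITY_ORDER.index)


if __name__ == "__main__":
    yoy = ratio_percent(10000, 2000)    # this Monday 2:00 vs last Monday 2:00
    chain = ratio_percent(20000, 5000)  # this Monday vs the previous day
    print(evaluate(yoy, chain, Thresholds(400, 800), Thresholds(300, 500)))
```

Counting distinct device ids, rather than summing the hourly counts, is what keeps a device that stays abnormal across several statistics moments from inflating the daily figure.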
Fig. 3 is a schematic flowchart of another software exception handling method provided by an embodiment of the present invention, which can include the following steps:
Step 301: receive the monitoring data for a key point of software reported by a terminal device; the monitoring data includes whether the key point of the software is abnormal.
In this embodiment of the present invention, the key points of the software can include, but are not limited to, one or more of the following:
Critical file, registry entry, environment variable.
The critical file can include, but is not limited to, one or more of the following:
System file, program file, configuration file.
In this embodiment of the present invention, a terminal device can monitor the key points of running software in real time and periodically report monitoring data to the server. The monitoring data includes, but is not limited to, whether a key point of the software is abnormal. For example, the terminal device can monitor the registry entries of system software in real time and report to the server once every 5 minutes whether the registry entries of the system software are abnormal, and so on.
Step 302: according to the monitoring data, count the terminal devices on which the same combination of multiple key points is abnormal; a key point combination includes at least two key points.
Step 303: judge whether the number of terminal devices on which the same key point combination is abnormal reaches a threshold. If yes, go to step 304; otherwise, go to step 301.
In this embodiment of the present invention, key point combinations can be preset. A key point combination includes at least two key points: for example, a critical file and a registry entry as one key point combination; or a critical file and an environment variable as one key point combination; or a critical file, a registry entry and an environment variable as one key point combination. The correlation between key point anomalies in the monitoring data reported by terminal devices is analyzed in order to determine whether a software exception has occurred.
For example, if the key point combination comprises a registry entry and an environment variable, then when the server compiles statistics on the monitoring data it can count the terminal devices on which the registry entry and the environment variable are abnormal at the same time. Suppose that at 2:00 the server's statistics on the received monitoring data show that the number of terminal devices on which the registry entry and the environment variable of application software 1 are simultaneously abnormal is 5000; the server then determines that the number of terminal devices on which the key point combination is abnormal is 5000. Suppose the preset threshold is 4000; the server then judges that the number of terminal devices on which the same key point combination is abnormal reaches the threshold. Suppose instead that the preset threshold is 8000; the server then judges that the number of terminal devices on which the same key point combination is abnormal does not reach the threshold.
Step 304: issue a recovery plan to the designated terminal devices.
In this embodiment of the present invention, when the server judges that the number of terminal devices on which the same key point combination is abnormal exceeds the threshold, the server can issue a recovery plan to the terminal devices on which that key point combination is abnormal. The recovery plan can be one that the back-end maintenance personnel configured in advance for the abnormal condition of this key point combination, or one that the back-end maintenance personnel configure according to actual conditions after the server has sent them an early warning or an alarm.
As an optional implementation, issuing the recovery plan to the designated terminal devices in step 304 above can include:
Issuing the recovery plan as a pop-up bubble prompt.
The recovery plan issued as a pop-up bubble prompt includes the operation steps for repairing the software exception according to the recovery plan, so that a user who receives the recovery plan issued as a pop-up bubble prompt can repair the software exception by following the correct operation steps.
Further, in this embodiment of the present invention, after the server has judged from the statistical result that the monitoring data meets the preset condition and has issued a recovery plan to the designated terminal devices (the terminal devices on which the software exception occurred, such as the terminal devices on which the same key point combination is abnormal in the flow shown in Fig. 3), it can go on to analyze the monitoring data reported by these designated terminal devices in order to judge whether the repair of the software exception succeeded. The specific implementation can include the following steps:
Step 11) Receive the monitoring data for the key point of the software reported by the designated terminal devices.
Step 12) Compile statistics on this monitoring data, and judge according to the statistical result whether this monitoring data meets the preset condition.
Step 13) If it does, perform the corresponding processing according to the set rule.
For the specific processing of steps 11) and 12) above, see the related description of steps 101 to 103 above; it is not repeated here.
In this embodiment of the present invention, if, after issuing the recovery plan to the designated terminal devices, the server still judges from the monitoring data reported by these designated terminal devices that the software is abnormal (for example, the number of terminal devices on which the same key point combination is abnormal exceeds the threshold), it can issue a new recovery plan or take other measures according to actual conditions.
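The Fig. 3 flow and the follow-up check in steps 11) to 13) can be sketched as follows. This is an added example, not code from the patent; the key point labels, the snapshot layout and the separate tracking of designated devices that stop reporting are assumptions of the example, and the sample data is constructed to match the 5000-device figure in the text.

```python
"""Key point combination counting and post-repair verification (added example)."""
from typing import Dict, FrozenSet, Set

# device id -> key points that device reported abnormal at one statistics moment
Snapshot = Dict[str, Set[str]]

# Hypothetical key point labels for application software 1.
REGISTRY, ENV, CONFIG_FILE = "app1.registry", "app1.env", "app1.config_file"
COMBO: FrozenSet[str] = frozenset({REGISTRY, ENV})


def build_constructed_snapshot() -> Snapshot:
    """Constructed 2:00 statistics: 5000 devices with registry entry and
    environment variable abnormal together, plus devices that must not count."""
    snap: Snapshot = {f"dev{i}": {REGISTRY, ENV, CONFIG_FILE} for i in range(100)}
    snap.update({f"dev{i}": {REGISTRY, ENV} for i in range(100, 5000)})
    snap.update({f"dev{i}": {REGISTRY} for i in range(5000, 5600)})  # one key point only
    snap.update({f"dev{i}": set() for i in range(5600, 6000)})       # healthy
    return snap


def devices_matching(snapshot: Snapshot, combination: FrozenSet[str]) -> Set[str]:
    """Devices on which every key point of the combination is abnormal at once."""
    if len(combination) < 2:
        raise ValueError("a key point combination includes at least two key points")
    return {dev for dev, abnormal in snapshot.items() if combination <= abnormal}


def recovery_targets(snapshot: Snapshot,
                     thresholds: Dict[FrozenSet[str], int]) -> Dict[FrozenSet[str], Set[str]]:
    """Steps 302 to 304: per combination (each with its own threshold), the
    devices that should receive the recovery plan once the count reaches it."""
    targets = {}
    for combination, threshold in thresholds.items():
        matched = devices_matching(snapshot, combination)
        if len(matched) >= threshold:
            targets[combination] = matched
    return targets


def verify_repair(targets: Set[str], later: Snapshot,
                  combination: FrozenSet[str], threshold: int) -> dict:
    """Steps 11) to 13): re-run the same statistic over the designated devices
    only. Devices that no longer report are listed separately rather than
    assumed repaired (assumption of this example)."""
    reported = {dev: later[dev] for dev in targets if dev in later}
    still_abnormal = devices_matching(reported, combination)
    return {
        "still_abnormal": still_abnormal,
        "not_reporting": targets - set(reported),
        "reissue": len(still_abnormal) >= threshold,
    }


if __name__ == "__main__":
    snapshot = build_constructed_snapshot()
    print(len(devices_matching(snapshot, COMBO)))          # count at 2:00
    print(bool(recovery_targets(snapshot, {COMBO: 4000})))  # threshold reached
    print(bool(recovery_targets(snapshot, {COMBO: 8000})))  # threshold not reached
```

The subset test `combination <= abnormal` means a device with additional abnormal key points still counts toward the combination, which is why the 100 devices with three abnormal key points are included in the 5000.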
As can be seen from the above description, in the technical solution provided by the embodiments of the present invention, when monitoring data for a key point of software reported by terminal devices is received, statistics are compiled on this monitoring data, whether the monitoring data meets the preset condition is judged according to the statistical result, and, when the judgment is yes, the corresponding processing is performed according to the set rule. This makes it possible to monitor, from a global perspective, how the software is running on different terminal devices, and improves the efficiency with which software exceptions are found and handled.
Based on the same technical concept as the above method embodiments, an embodiment of the present invention further provides a software exception handling device, which can be applied to the above method embodiments.
Fig. 4 shows a software exception handling device provided by an embodiment of the present invention, which can include:
A receiving module 401, configured to receive the monitoring data for a key point of software reported by a terminal device; the monitoring data includes whether the key point of the software is abnormal;
A statistics module 402, configured to compile statistics on the monitoring data;
A judging module 403, configured to judge according to the statistical result whether the monitoring data meets the preset condition;
A processing module 404, configured to perform the corresponding processing according to the set rule when the judging module 403 judges that the condition is met.
In an optional embodiment, the statistics module 402 can be specifically configured to count, according to the monitoring data, the terminal devices on which the same key point is currently still abnormal;
The judging module 403 can be specifically configured to judge, according to the number of terminal devices on which the same key point is currently still abnormal, whether the year-on-year ratio of the number of terminal devices on which this key point is currently still abnormal at this statistics moment reaches the year-on-year threshold; and/or,
To judge, according to the number of terminal devices on which the same key point is currently still abnormal, whether the chain ratio of the daily number of terminal devices on which this key point is currently still abnormal reaches the chain-ratio threshold.
In an optional embodiment, the statistics module 402 can be specifically configured to count, according to the monitoring data, the terminal devices on which the same key point has been abnormal that day;
The judging module 403 can be specifically configured to judge, according to the number of terminal devices on which the same key point has been abnormal that day, whether the year-on-year ratio, at this statistics moment, of the daily number of terminal devices on which this key point has been abnormal reaches the year-on-year threshold; and/or,
To judge, according to the number of terminal devices on which the same key point has been abnormal that day, whether the chain ratio of the daily number of terminal devices on which this key point has been abnormal reaches the chain-ratio threshold.
In an optional embodiment, the statistics module 402 can be specifically configured to count, according to the monitoring data, the newly added terminal devices on which the same key point is abnormal;
The judging module 403 can be specifically configured to judge whether the number of newly added terminal devices on which this key point is abnormal reaches a threshold.
In an optional embodiment, the statistics module 402 can be specifically configured to count, according to the monitoring data, the terminal devices on which the same key point is currently still abnormal and the terminal devices on which this key point has been abnormal that day;
The judging module 403 can be specifically configured to judge whether the ratio of the number of terminal devices on which this key point is currently still abnormal to the number of terminal devices on which this key point has been abnormal that day reaches a threshold.
In an optional embodiment, the statistics module 402 can be specifically configured to count, according to the monitoring data, the terminal devices that are currently online;
The judging module 403 can be specifically configured to judge, according to the number of terminal devices currently online, whether the year-on-year ratio of the number of terminal devices online at this statistics moment reaches the year-on-year threshold; and/or,
To judge, according to the number of terminal devices currently online, whether the chain ratio of the daily number of online terminal devices reaches the chain-ratio threshold.
In an optional embodiment, the statistics module 402 can be specifically configured to count, according to the monitoring data, the powered-on terminal devices;
The judging module 403 can be specifically configured to judge, according to the number of powered-on terminal devices, whether the year-on-year ratio of the number of powered-on terminal devices at this statistics moment reaches the year-on-year threshold; and/or,
To judge, according to the number of powered-on terminal devices, whether the chain ratio of the daily number of powered-on terminal devices reaches the chain-ratio threshold.
In an optional embodiment, the statistics module 402 can be specifically configured to count, according to the monitoring data, the powered-off terminal devices;
The judging module 403 can be specifically configured to judge, according to the number of powered-off terminal devices, whether the year-on-year ratio of the number of powered-off terminal devices at this statistics moment reaches the year-on-year threshold; and/or,
To judge, according to the number of powered-off terminal devices, whether the chain ratio of the daily number of powered-off terminal devices reaches the chain-ratio threshold.
In an optional embodiment, the statistics module 402 can be specifically configured to count, according to the monitoring data, the terminal devices on which the same key point combination is abnormal; a key point combination includes at least two key points;
The judging module 403 can be specifically configured to judge whether the number of terminal devices on which the same key point combination is abnormal reaches a threshold.
In an optional embodiment, the processing module is specifically configured to issue a recovery plan to the designated terminal devices when the judging module judges yes.
In an optional embodiment, the processing module is specifically configured to issue the recovery plan as a pop-up bubble prompt; the recovery plan issued as a pop-up bubble prompt includes the operation steps for repairing the software exception according to the recovery plan.
In an optional embodiment, the key point includes one or more of the following:
Critical file, registry entry, environment variable;
The critical file includes one or more of the following:
System file, program file, configuration file.
Referring also to Fig. 5, Fig. 5 is a schematic structural diagram of another software exception handling device disclosed in an embodiment of the present invention. The software exception handling device shown in Fig. 5 is obtained by optimizing the software exception handling device shown in Fig. 4. Compared with the device shown in Fig. 4, in the device shown in Fig. 5 the processing module 404 can include:
A first processing unit 4041, configured to perform early-warning processing when the statistical result shows that the monitoring data reaches a first threshold;
A second processing unit 4042, configured to perform alarm processing when the statistical result shows that the monitoring data reaches a second threshold;
The second threshold is greater than the first threshold.
Fig. 6 is a schematic structural diagram of another software exception handling device provided in an embodiment of the present invention. As shown in Fig. 6, this software exception handling device includes: at least one processor 601, such as a CPU; at least one user interface 603; a memory 604; and at least one communication bus 602. The communication bus 602 implements the connections and communication between these components. The user interface 603 can include a display and a keyboard, and can optionally also include standard wired and wireless interfaces. The memory 604 can be high-speed RAM, or non-volatile memory, such as at least one disk memory. The memory 604 can optionally also be at least one storage device located remotely from the processor 601. A set of program code is stored in the memory 604, and the processor 601 calls the program code stored in the memory 604 to perform the following operations:
Receiving the monitoring data for a key point of software reported by a terminal device; the monitoring data includes whether the key point of the software is abnormal;
Compiling statistics on the monitoring data;
Judging according to the statistical result whether the monitoring data meets the preset condition;
If it does, performing the corresponding processing according to the set rule.
In an alternative embodiment, processor 601 calls the program code stored in storer 604 and adds up described Monitoring Data, can specifically comprise:
According to described Monitoring Data, add up the quantity of the current still abnormal terminal device of same key point;
Processor 601 calls the program code stored in storer 604, and to judge whether described Monitoring Data meets according to statistics pre-conditioned, can specifically comprise:
According to the number of terminal devices on which the same key point is currently still abnormal, judging whether the year-on-year comparison of that number at this statistics moment reaches the year-on-year threshold; and/or,
According to the number of terminal devices on which the same key point is currently still abnormal, judging whether the period-over-period comparison of the daily number of such terminal devices reaches the period-over-period threshold.
In an alternative embodiment, the processor 601 calling the program code stored in the memory 604 to compile statistics on the monitoring data may specifically comprise:
According to the monitoring data, counting the number of terminal devices on which the same key point became abnormal on the current day;
The processor 601 calling the program code stored in the memory 604 to judge, according to the statistical result, whether the monitoring data meets the preset condition may specifically comprise:
According to the number of terminal devices on which the same key point became abnormal on the current day, judging whether the year-on-year comparison, at this statistics moment, of the daily number of terminal devices on which the key point became abnormal reaches the year-on-year threshold; and/or,
According to the number of terminal devices on which the same key point became abnormal on the current day, judging whether the period-over-period comparison of the daily number of terminal devices on which the key point became abnormal reaches the period-over-period threshold.
In an alternative embodiment, the processor 601 calling the program code stored in the memory 604 to compile statistics on the monitoring data may specifically comprise:
According to the monitoring data, counting the number of newly added terminal devices on which the same key point is abnormal;
The processor 601 calling the program code stored in the memory 604 to judge, according to the statistical result, whether the monitoring data meets the preset condition may specifically comprise:
Judging whether the number of newly added terminal devices on which the key point is abnormal reaches a threshold.
In an alternative embodiment, the processor 601 calling the program code stored in the memory 604 to compile statistics on the monitoring data may specifically comprise:
According to the monitoring data, counting the number of terminal devices on which the same key point is currently still abnormal, and the number of terminal devices on which the key point became abnormal on the current day;
The processor 601 calling the program code stored in the memory 604 to judge, according to the statistical result, whether the monitoring data meets the preset condition may specifically comprise:
Judging whether the ratio of the number of terminal devices on which the key point is currently still abnormal to the number of terminal devices on which the key point became abnormal on the current day reaches a threshold.
In an alternative embodiment, the processor 601 calling the program code stored in the memory 604 to compile statistics on the monitoring data may specifically comprise:
According to the monitoring data, counting the number of terminal devices currently online;
The processor 601 calling the program code stored in the memory 604 to judge, according to the statistical result, whether the monitoring data meets the preset condition may specifically comprise:
According to the number of terminal devices currently online, judging whether the year-on-year comparison of the number of terminal devices online at this statistics moment reaches the year-on-year threshold; and/or,
According to the number of terminal devices currently online, judging whether the period-over-period comparison of the daily number of online terminal devices reaches the period-over-period threshold.
In an alternative embodiment, the processor 601 calling the program code stored in the memory 604 to compile statistics on the monitoring data may specifically comprise:
According to the monitoring data, counting the number of terminal devices that have powered on;
The processor 601 calling the program code stored in the memory 604 to judge, according to the statistical result, whether the monitoring data meets the preset condition may specifically comprise:
According to the number of powered-on terminal devices, judging whether the year-on-year comparison of the number of powered-on terminal devices at this statistics moment reaches the year-on-year threshold; and/or,
According to the number of powered-on terminal devices, judging whether the period-over-period comparison of the daily number of powered-on terminal devices reaches the period-over-period threshold.
In an alternative embodiment, the processor 601 calling the program code stored in the memory 604 to compile statistics on the monitoring data may specifically comprise:
According to the monitoring data, counting the number of terminal devices that have shut down;
The processor 601 calling the program code stored in the memory 604 to judge, according to the statistical result, whether the monitoring data meets the preset condition may specifically comprise:
According to the number of shut-down terminal devices, judging whether the year-on-year comparison of the number of shut-down terminal devices at this statistics moment reaches the year-on-year threshold; and/or,
According to the number of shut-down terminal devices, judging whether the period-over-period comparison of the daily number of shut-down terminal devices reaches the period-over-period threshold.
In an alternative embodiment, when there are multiple key points, the processor 601 calling the program code stored in the memory 604 to compile statistics on the monitoring data may specifically comprise:
According to the monitoring data, counting the number of terminal devices on which the same key point combination is abnormal; the key point combination comprises at least two key points;
The processor 601 calling the program code stored in the memory 604 to judge, according to the statistical result, whether the monitoring data meets the preset condition may specifically comprise:
Judging whether the number of terminal devices on which the same key point combination is abnormal reaches a threshold.
In an alternative embodiment, the processor 601 calling the program code stored in the memory 604 to perform corresponding processing according to the set rule, when it is judged that the monitoring data meets the preset condition, may specifically comprise:
Performing corresponding processing according to the set rule,
In an alternative embodiment, the processor 601 calling the program code stored in the memory 604 to perform corresponding processing according to the set rule, when it is judged that the monitoring data meets the preset condition, may specifically comprise:
If it is judged according to the statistical result that the monitoring data reaches the threshold, issuing a repair scheme to designated terminal devices.
In an alternative embodiment, the processor 601 calling the program code stored in the memory 604 to issue the repair scheme to designated terminal devices comprises:
Issuing the repair scheme as a pop-up bubble prompt; wherein the repair scheme issued as a pop-up bubble prompt comprises the operation steps for repairing the software abnormality according to the repair scheme.
In an alternative embodiment, the key point comprises one or more of the following:
Critical files, registry entries, environment variables;
Wherein the critical files comprise one or more of the following:
System files, program files, configuration files.
An embodiment of the present invention further provides a server, which may comprise any of the software exception handling devices shown in FIGS. 4 to 6.
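The statistics-and-threshold flow described above, as an added Python example that is not part of the patent: it counts the distinct terminal devices reporting each key point as abnormal per day, compares the count with the previous day, maps the result onto the early-warning and alarm thresholds, and counts devices per key point combination. The record layout, the key point names, the definition of the period-over-period comparison as (current - previous) / previous, and the threshold values are all assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample reports (not from the patent).
# Assumed record layout: (day, device_id, key_point, abnormal)
REPORTS = [
    (1, "d1", "registry:AutoRun", True),
    (1, "d2", "registry:AutoRun", True),
    (1, "d1", "config:app.ini", True),
    (1, "d2", "config:app.ini", True),
    (1, "d6", "env:PATH", True),
    (2, "d1", "registry:AutoRun", True),
    (2, "d1", "registry:AutoRun", True),   # duplicate report from one device
    (2, "d2", "registry:AutoRun", True),
    (2, "d3", "registry:AutoRun", True),
    (2, "d4", "registry:AutoRun", True),
    (2, "d5", "registry:AutoRun", True),
    (2, "d1", "config:app.ini", True),
    (2, "d2", "config:app.ini", True),
    (2, "d3", "config:app.ini", True),
    (2, "d6", "env:PATH", False),          # key point is healthy again
]


def abnormal_devices_by_key_point(reports, day):
    """Distinct devices per key point that reported an abnormality on `day`."""
    devices = defaultdict(set)
    for r_day, device, key_point, abnormal in reports:
        if r_day == day and abnormal:
            devices[key_point].add(device)   # a set ignores repeated reports
    return devices


def period_over_period(current, previous):
    """Relative change against the previous period (assumed definition)."""
    if previous == 0:
        # No baseline: any abnormal device at all is an unbounded increase.
        return float("inf") if current > 0 else 0.0
    return (current - previous) / previous


def classify(value, first_threshold, second_threshold):
    """Two-tier rule: early warning at the first threshold, alarm at the second."""
    if not second_threshold > first_threshold:
        raise ValueError("second threshold must be greater than the first")
    if value >= second_threshold:
        return "alarm"
    if value >= first_threshold:
        return "early_warning"
    return "ok"


def combination_counts(reports, day, size=2):
    """Number of devices on which every key point of a combination is abnormal."""
    per_device = defaultdict(set)
    for r_day, device, key_point, abnormal in reports:
        if r_day == day and abnormal:
            per_device[device].add(key_point)
    counts = defaultdict(int)
    for key_points in per_device.values():
        for combo in combinations(sorted(key_points), size):
            counts[combo] += 1
    return dict(counts)


def evaluate(reports, day, previous_day, first_threshold, second_threshold):
    """Per key point: (count on `day`, count on `previous_day`, action)."""
    today = abnormal_devices_by_key_point(reports, day)
    before = abnormal_devices_by_key_point(reports, previous_day)
    result = {}
    for key_point in sorted(set(today) | set(before)):
        cur = len(today.get(key_point, ()))
        prev = len(before.get(key_point, ()))
        change = period_over_period(cur, prev)
        result[key_point] = (cur, prev, classify(change, first_threshold, second_threshold))
    return result


if __name__ == "__main__":
    for key_point, row in evaluate(REPORTS, 2, 1, 0.5, 1.0).items():
        print(key_point, row)
    print(combination_counts(REPORTS, 2))
```

Counting distinct device identifiers rather than raw reports keeps one noisy terminal from pushing a key point over a threshold on its own.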
In the description of this specification, a description referring to the terms "one embodiment", "some embodiments", "an example", "a specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic expressions of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in a suitable manner in any one or more embodiments or examples. In addition, provided they do not conflict, those skilled in the art may combine the different embodiments or examples described in this specification and the features of those different embodiments or examples.
In addition, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance or implicitly indicating the number of the technical features referred to. Thus, a feature qualified by "first" or "second" may expressly or implicitly include at least one such feature. In the description of the present invention, "multiple" means at least two, for example two, three, etc., unless otherwise expressly and specifically limited.
Any process or method described in a flowchart or otherwise described herein may be understood as representing a module, fragment or portion of code comprising one or more executable instructions for implementing the steps of a specific logical function or process, and the scope of the preferred embodiments of the present invention includes other implementations in which functions may be performed out of the order shown or discussed, including in a substantially simultaneous manner or in the reverse order depending on the functions involved, as should be understood by those skilled in the art to which the embodiments of the present invention belong.
The logic and/or steps represented in a flowchart or otherwise described herein, for example an ordered list of executable instructions that may be considered to implement logical functions, may be embodied in any computer-readable medium for use by, or in connection with, an instruction execution system, apparatus or device (such as a computer-based system, a system comprising a processor, or another system that can fetch instructions from an instruction execution system, apparatus or device and execute them). For the purposes of this specification, a "computer-readable medium" may be any means that can contain, store, communicate, propagate or transport a program for use by, or in connection with, an instruction execution system, apparatus or device. More specific examples (a non-exhaustive list) of computer-readable media include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). In addition, the computer-readable medium may even be paper or another suitable medium on which the program can be printed, since the program can be obtained electronically, for example by optically scanning the paper or other medium and then editing, interpreting or, if necessary, processing it in another suitable way, and then stored in a computer memory.
It should be understood that the parts of the present invention may be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods may be implemented in software or firmware that is stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented by any one or a combination of the following technologies known in the art: a discrete logic circuit having logic gates for implementing logic functions on data signals, an application-specific integrated circuit having suitable combinational logic gates, a programmable gate array (PGA), a field programmable gate array (FPGA), etc.
Those of ordinary skill in the art will appreciate that all or part of the steps carried by the methods of the above embodiments may be completed by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, includes one or a combination of the steps of the method embodiments.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing module, or each unit may exist physically on its own, or two or more units may be integrated into one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. If the integrated module is implemented in the form of a software functional module and is sold or used as an independent product, it may also be stored in a computer-readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc, etc. Although embodiments of the present invention have been shown and described above, it is to be understood that the above embodiments are exemplary and are not to be construed as limiting the present invention, and that those of ordinary skill in the art may change, modify, replace and vary the above embodiments within the scope of the present invention.

Claims (27)

1. A software exception handling method, characterized by comprising:
Receiving monitoring data, reported by terminal devices, for a key point of software, the monitoring data comprising whether the key point of the software is abnormal;
Compiling statistics on the monitoring data;
Judging, according to the statistical result, whether the monitoring data meets a preset condition;
If so, performing corresponding processing according to a set rule.
2. The method of claim 1, characterized in that,
Said compiling statistics on the monitoring data comprises:
According to the monitoring data, counting the number of terminal devices on which the same key point is currently still abnormal;
Said judging, according to the statistical result, whether the monitoring data meets the preset condition comprises:
According to the number of terminal devices on which the same key point is currently still abnormal, judging whether the year-on-year comparison of that number at this statistics moment reaches the year-on-year threshold; and/or,
According to the number of terminal devices on which the same key point is currently still abnormal, judging whether the period-over-period comparison of the daily number of such terminal devices reaches the period-over-period threshold.
3. The method of claim 1, characterized in that,
Said compiling statistics on the monitoring data comprises:
According to the monitoring data, counting the number of terminal devices on which the same key point became abnormal on the current day;
Said judging, according to the statistical result, whether the monitoring data meets the preset condition comprises:
According to the number of terminal devices on which the same key point became abnormal on the current day, judging whether the year-on-year comparison, at this statistics moment, of the daily number of terminal devices on which the key point became abnormal reaches the year-on-year threshold; and/or,
According to the number of terminal devices on which the same key point became abnormal on the current day, judging whether the period-over-period comparison of the daily number of terminal devices on which the key point became abnormal reaches the period-over-period threshold.
4. The method of claim 1, characterized in that,
Said compiling statistics on the monitoring data comprises:
According to the monitoring data, counting the number of newly added terminal devices on which the same key point is abnormal;
Said judging, according to the statistical result, whether the monitoring data meets the preset condition comprises:
Judging whether the number of newly added terminal devices on which the key point is abnormal reaches a threshold.
5. The method of claim 1, characterized in that,
Said compiling statistics on the monitoring data comprises:
According to the monitoring data, counting the number of terminal devices on which the same key point is currently still abnormal, and the number of terminal devices on which the key point became abnormal on the current day;
Said judging, according to the statistical result, whether the monitoring data meets the preset condition comprises:
Judging whether the ratio of the number of terminal devices on which the key point is currently still abnormal to the number of terminal devices on which the key point became abnormal on the current day reaches a threshold.
6. The method of claim 1, characterized in that,
Said compiling statistics on the monitoring data comprises:
According to the monitoring data, counting the number of terminal devices currently online;
Said judging, according to the statistical result, whether the monitoring data meets the preset condition comprises:
According to the number of terminal devices currently online, judging whether the year-on-year comparison of the number of terminal devices online at this statistics moment reaches the year-on-year threshold; and/or,
According to the number of terminal devices currently online, judging whether the period-over-period comparison of the daily number of online terminal devices reaches the period-over-period threshold.
7. The method of claim 1, characterized in that,
Said compiling statistics on the monitoring data comprises:
According to the monitoring data, counting the number of terminal devices that have powered on;
Said judging, according to the statistical result, whether the monitoring data meets the preset condition comprises:
According to the number of powered-on terminal devices, judging whether the year-on-year comparison of the number of powered-on terminal devices at this statistics moment reaches the year-on-year threshold; and/or,
According to the number of powered-on terminal devices, judging whether the period-over-period comparison of the daily number of powered-on terminal devices reaches the period-over-period threshold.
8. The method of claim 1, characterized in that,
Said compiling statistics on the monitoring data comprises:
According to the monitoring data, counting the number of terminal devices that have shut down;
Said judging, according to the statistical result, whether the monitoring data meets the preset condition comprises:
According to the number of shut-down terminal devices, judging whether the year-on-year comparison of the number of shut-down terminal devices at this statistics moment reaches the year-on-year threshold; and/or,
According to the number of shut-down terminal devices, judging whether the period-over-period comparison of the daily number of shut-down terminal devices reaches the period-over-period threshold.
9. The method of claim 1, characterized in that, when there are multiple key points,
Said compiling statistics on the monitoring data comprises:
According to the monitoring data, counting the number of terminal devices on which the same key point combination is abnormal; the key point combination comprises at least two key points;
Said judging, according to the statistical result, whether the monitoring data meets the preset condition comprises:
Judging whether the number of terminal devices on which the same key point combination is abnormal reaches a threshold.
10. The method of claim 1, characterized in that said performing corresponding processing according to the set rule, if the condition is met, comprises:
If it is judged according to the statistical result that the monitoring data reaches a first threshold, performing early-warning processing;
If it is judged according to the statistical result that the monitoring data reaches a second threshold, performing alarm processing;
Wherein the second threshold is greater than the first threshold.
11. The method of claim 1, characterized in that said performing corresponding processing according to the set rule, if the condition is met, comprises:
If it is judged according to the statistical result that the monitoring data reaches the threshold, issuing a repair scheme to designated terminal devices.
12. The method of claim 11, characterized in that said issuing a repair scheme to designated terminal devices comprises:
Issuing the repair scheme as a pop-up bubble prompt; wherein the repair scheme issued as a pop-up bubble prompt comprises the operation steps for repairing the software abnormality according to the repair scheme.
13. The method of any one of claims 1-12, characterized in that the key point comprises one or more of the following:
Critical files, registry entries, environment variables;
Wherein the critical files comprise one or more of the following:
System files, program files, configuration files.
14. A software exception handling device, characterized by comprising:
A receiving module, configured to receive monitoring data, reported by terminal devices, for a key point of software; the monitoring data comprising whether the key point of the software is abnormal;
A statistical module, configured to compile statistics on the monitoring data;
A judging module, configured to judge, according to the statistical result, whether the monitoring data meets a preset condition;
A processing module, configured to perform corresponding processing according to a set rule when the judging module judges that the condition is met.
15. The device of claim 14, characterized in that,
The statistical module is specifically configured to count, according to the monitoring data, the number of terminal devices on which the same key point is currently still abnormal;
The judging module is specifically configured to judge, according to the number of terminal devices on which the same key point is currently still abnormal, whether the year-on-year comparison of that number at this statistics moment reaches the year-on-year threshold; and/or,
According to the number of terminal devices on which the same key point is currently still abnormal, to judge whether the period-over-period comparison of the daily number of such terminal devices reaches the period-over-period threshold.
16. The device of claim 14, characterized in that,
The statistical module is specifically configured to count, according to the monitoring data, the number of terminal devices on which the same key point became abnormal on the current day;
The judging module is specifically configured to judge, according to the number of terminal devices on which the same key point became abnormal on the current day, whether the year-on-year comparison, at this statistics moment, of the daily number of terminal devices on which the key point became abnormal reaches the year-on-year threshold; and/or,
According to the number of terminal devices on which the same key point became abnormal on the current day, to judge whether the period-over-period comparison of the daily number of terminal devices on which the key point became abnormal reaches the period-over-period threshold.
17. The device of claim 14, characterized in that,
The statistical module is specifically configured to count, according to the monitoring data, the number of newly added terminal devices on which the same key point is abnormal;
The judging module is specifically configured to judge whether the number of newly added terminal devices on which the key point is abnormal reaches a threshold.
18. The device of claim 14, characterized in that,
The statistical module is specifically configured to count, according to the monitoring data, the number of terminal devices on which the same key point is currently still abnormal, and the number of terminal devices on which the key point became abnormal on the current day;
The judging module is specifically configured to judge whether the ratio of the number of terminal devices on which the key point is currently still abnormal to the number of terminal devices on which the key point became abnormal on the current day reaches a threshold.
19. The device of claim 14, characterized in that,
The statistical module is specifically configured to count, according to the monitoring data, the number of terminal devices currently online;
The judging module is specifically configured to judge, according to the number of terminal devices currently online, whether the year-on-year comparison of the number of terminal devices online at this statistics moment reaches the year-on-year threshold; and/or,
According to the number of terminal devices currently online, to judge whether the period-over-period comparison of the daily number of online terminal devices reaches the period-over-period threshold.
20. The device of claim 14, characterized in that,
The statistical module is specifically configured to count, according to the monitoring data, the number of terminal devices that have powered on;
The judging module is specifically configured to judge, according to the number of powered-on terminal devices, whether the year-on-year comparison of the number of powered-on terminal devices at this statistics moment reaches the year-on-year threshold; and/or,
According to the number of powered-on terminal devices, to judge whether the period-over-period comparison of the daily number of powered-on terminal devices reaches the period-over-period threshold.
21. The device of claim 14, characterized in that,
The statistical module is specifically configured to count, according to the monitoring data, the number of terminal devices that have shut down;
The judging module is specifically configured to judge, according to the number of shut-down terminal devices, whether the year-on-year comparison of the number of shut-down terminal devices at this statistics moment reaches the year-on-year threshold; and/or,
According to the number of shut-down terminal devices, to judge whether the period-over-period comparison of the daily number of shut-down terminal devices reaches the period-over-period threshold.
22. The device of claim 14, characterized in that,
The statistical module is specifically configured to count, according to the monitoring data, the number of terminal devices on which the same key point combination is abnormal; the key point combination comprises at least two key points;
The judging module is specifically configured to judge whether the number of terminal devices on which the same key point combination is abnormal reaches a threshold.
23. The device of claim 14, characterized in that the processing module comprises:
A first processing unit, configured to perform early-warning processing when it is judged according to the statistical result that the monitoring data reaches a first threshold;
A second processing unit, configured to perform alarm processing when it is judged according to the statistical result that the monitoring data reaches a second threshold;
Wherein the second threshold is greater than the first threshold.
24. The device of claim 14, characterized in that,
The processing module is specifically configured to issue a repair scheme to designated terminal devices when the judging module judges yes.
25. The device of claim 24, characterized in that,
The processing module is specifically configured to issue the repair scheme as a pop-up bubble prompt; wherein the repair scheme issued as a pop-up bubble prompt comprises the operation steps for repairing the software abnormality according to the repair scheme.
26. The device of any one of claims 14-25, characterized in that the key point comprises one or more of the following:
Critical files, registry entries, environment variables;
Wherein the critical files comprise one or more of the following:
System files, program files, configuration files.
27. A server, characterized by comprising the software exception handling device of any one of claims 14-26.
CN201410498362.8A 2014-09-25 2014-09-25 Software exception handling method and device Pending CN104268080A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410498362.8A CN104268080A (en) 2014-09-25 2014-09-25 Software exception handling method and device

Publications (1)

Publication Number Publication Date
CN104268080A true CN104268080A (en) 2015-01-07

Family

ID=52159603

Country Status (1)

Country Link
CN (1) CN104268080A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105447323A (en) * 2015-12-11 2016-03-30 百度在线网络技术(北京)有限公司 Data abnormal fluctuations detecting method and apparatus
CN106598771A (en) * 2016-12-12 2017-04-26 东软集团股份有限公司 Failure event thrown method and device
CN107729167A (en) * 2016-08-10 2018-02-23 腾讯科技(深圳)有限公司 Using abnormality eliminating method and device
CN108156039A (en) * 2018-01-08 2018-06-12 北京知道创宇信息技术有限公司 A kind of anti-alarm windstorm method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007018332A (en) * 2005-07-08 2007-01-25 Toshiba Corp Software abnormality detection system
CN1904852A (en) * 2006-08-01 2007-01-31 西安西电捷通无线网络通信有限公司 Method for monitoring and abnormal processing of computer application program
CN102082694A (en) * 2011-03-04 2011-06-01 宇龙计算机通信科技(深圳)有限公司 Application evaluation method and application server
CN103824017A (en) * 2012-11-19 2014-05-28 腾讯科技(深圳)有限公司 Method and platform for monitoring rogue programs
CN103856368A (en) * 2011-06-27 2014-06-11 北京奇虎科技有限公司 Method and system for monitoring program

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105447323A (en) * 2015-12-11 2016-03-30 百度在线网络技术(北京)有限公司 Data abnormal fluctuations detecting method and apparatus
CN107729167A (en) * 2016-08-10 2018-02-23 腾讯科技(深圳)有限公司 Using abnormality eliminating method and device
CN107729167B (en) * 2016-08-10 2020-09-11 腾讯科技(深圳)有限公司 Application exception handling method and device
CN106598771A (en) * 2016-12-12 2017-04-26 东软集团股份有限公司 Failure event thrown method and device
CN106598771B (en) * 2016-12-12 2019-11-08 东软集团股份有限公司 A kind of failure event is dished out method and device
CN108156039A (en) * 2018-01-08 2018-06-12 北京知道创宇信息技术有限公司 A kind of anti-alarm windstorm method and device
CN108156039B (en) * 2018-01-08 2021-07-09 北京知道创宇信息技术股份有限公司 Method and device for preventing alarm storm

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20150107
