CN106529292A - Virus checking and killing method and apparatus - Google Patents


Info

Publication number: CN106529292A
Authority: CN (China)
Application number: CN201610932195.2A
Other languages: Chinese (zh)
Inventors: 郑劲松, 魏狄龙, 郭涛
Current assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Original assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201610932195.2A
Publication of CN106529292A
Legal status: Pending
Prior art keywords: flash, file, flash file, hook, hooking

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562: Static detection
    • G06F21/565: Static detection by checking file integrity


Abstract

The invention discloses a virus checking and killing method and apparatus, and relates to the technical field of data security. Flash viruses in applications such as a browser or office can be checked and killed, so that the security of the browser, the office application and even the whole terminal device is ensured. The method mainly comprises the steps of installing a hook on a specific function of an application, the specific function being used to obtain a flash file; intercepting, by means of the hook, the flash file obtained through the specific function; obtaining the result of a virus scan performed on the flash file; and, if the scanning result shows that no virus exists in the flash file, sending the flash file to a flash component for rendering. The method and the apparatus are mainly suited to scenarios in which a flash file is output in a browser or in office.

Description

Method and device for searching and killing viruses
Technical Field
The invention relates to the technical field of data security, in particular to a virus searching and killing method and device.
Background
Flash is a standard for interactive vector graphics and web animation. Using flash, people can make animations with a wide range of special effects and embed them in web pages or office documents (such as Word), so the number of designers building pages with flash keeps growing.
But precisely because flash is so widespread, more and more attackers exploit known vulnerabilities in flash software to embed viruses that damage computer functions or destroy data, harming users' interests. How to check and kill flash viruses is therefore an urgent problem to be solved.
Disclosure of Invention
In view of this, the virus searching and killing method and device provided by the invention can search for and kill flash viruses in application programs such as a browser and office, thereby ensuring the security of those application programs and even of the whole terminal device.
The purpose of the invention is realized by adopting the following technical scheme:
in one aspect, the present invention provides a method for killing viruses, comprising:
hooking a hook for a specific function of an application program, wherein the specific function is used for acquiring a flash file;
intercepting a flash file obtained through the specific function by using the hook;
acquiring a scanning result of virus scanning on the flash file;
and if the scanning result shows that no virus exists in the flash file, sending the flash file to a flash component for rendering.
Optionally, hooking the hook for a specific function of an application includes:
when the application program is a browser, hooking the hook for a data downloading callback function for downloading a flash file in the browser;
when the application program is office, hooking the hook for a function used for reading a flash file in the office; wherein, a flash component is embedded in the office.
Optionally, when the application is a browser, hooking the hook for a data download callback function used for downloading a flash file in the browser includes:
when the application program for outputting and displaying the rendered flash file is also a browser, hooking the hook for a data downloading callback function for downloading the flash file in the browser;
and when the application program for outputting and displaying the rendered flash file is office and URL for acquiring the flash file is embedded in the office, hooking the hook for the data downloading callback function for downloading the flash file in the browser.
Optionally, when the application is office, the intercepting, by using the hook, the flash file obtained by the specific function includes:
monitoring whether the office calls the function for reading the flash file to read flash data or not by using the hook;
when the function for reading the flash file reads the flash data, caching the read flash data until the calling is finished to obtain the flash file.
Optionally, the method further includes:
and if the scanning result shows that the flash file contains viruses, the flash file is not sent to the flash component for rendering, and data interception prompt information is output.
Optionally, the method further includes:
if the scanning result is that the flash file contains viruses and/or suspicious data, acquiring the URL of the flash file;
recording basic attribute information of the flash file according to the URL of the flash file, wherein the basic attribute information comprises parameters in the URL of the flash file and parameter values corresponding to the parameters;
and sending the basic attribute information to a cloud server.
Optionally, the obtaining the URL of the flash file includes:
acquiring a window handle of a browser of a process where a current thread is located;
acquiring a source code of a webpage corresponding to the window handle;
acquiring a URL (uniform resource locator) meeting a flash address format from the source code;
and determining the URL meeting the flash address format as the URL of the flash file.
Optionally, the obtaining of the scan result of performing virus scanning on the flash file includes:
acquiring a scanning result of a scanned flash file stored in a cache, wherein the scanning result comprises file attribute information of the scanned flash file and a virus determination result for determining whether the flash file comprises a virus and/or suspicious data, and the file attribute information comprises file size, file modification time and file path;
matching the file attribute information of the flash file to be scanned with the file attribute information stored in the cache;
if the matching is successful, determining a virus determination result corresponding to the successfully matched file attribute information as a scanning result of the flash file to be scanned;
and if the matching fails, sending the flash file to be scanned to a cloud server for virus scanning, and receiving a scanning result fed back by the cloud server.
In another aspect, the present invention provides a device for virus killing, including:
a hooking unit, used for hooking a hook for a specific function of an application program, where the specific function is used for acquiring a flash file;
a capturing unit, used for capturing the flash file obtained by the specific function by using the hook hooked by the hooking unit;
an acquisition unit, used for acquiring a scanning result of virus scanning of the flash file captured by the capturing unit;
and a sending unit, used for sending the flash file to a flash component for rendering when the scanning result obtained by the acquisition unit indicates that no virus exists in the flash file.
Optionally, the hooking unit includes:
the first hooking module is used for hooking the hook for a data downloading callback function used for downloading a flash file in the browser when the application program is the browser;
the second hooking module is used for hooking the hook for the function used for reading the flash file in the office when the application program is the office; wherein, a flash component is embedded in the office.
Optionally, the first hooking module is configured to hook the hook for a data download callback function used for downloading a flash file in a browser when an application program for outputting and displaying a rendered flash file is the browser; and when the application program for outputting and displaying the rendered flash file is office and URL for acquiring the flash file is embedded in the office, hooking the hook for the data downloading callback function for downloading the flash file in the browser.
Optionally, the capturing unit is configured to monitor, when the application program is office, whether office calls the function for reading the flash file to read flash data, by using the hook; when the function for reading the flash file reads the flash data, the read flash data is cached until the call is finished, so as to obtain the flash file.
Optionally, the apparatus further comprises:
the intercepting unit is used for not sending the flash file to the flash component for rendering when the scanning result shows that the flash file contains viruses;
and the output unit is used for outputting the data interception prompt information.
Optionally, the obtaining unit is further configured to obtain a URL of the flash file when the scanning result indicates that the flash file contains viruses and/or suspicious data;
the device further comprises:
the recording unit is used for recording basic attribute information of the flash file according to the URL of the flash file acquired by the acquisition unit, wherein the basic attribute information comprises parameters in the URL of the flash file and parameter values corresponding to the parameters;
the sending unit is further configured to send the basic attribute information to a cloud server.
Optionally, the obtaining unit includes:
the first acquisition module is used for acquiring a window handle of a browser of a process where a current thread is located;
the first obtaining module is further used for obtaining a source code of a webpage corresponding to the window handle;
the first obtaining module is further used for obtaining a URL meeting a flash address format from the source code;
and the first determining module is used for determining the URL meeting the flash address format acquired by the first acquiring module as the URL of the flash file.
Optionally, the obtaining unit includes:
the second acquisition module is used for acquiring the scanning result of the scanned flash file stored in the cache, wherein the scanning result comprises file attribute information of the scanned flash file and a virus determination result for determining whether the flash file comprises a virus and/or suspicious data, and the file attribute information comprises file size, file modification time and file path;
the matching module is used for matching the file attribute information of the flash file to be scanned with the file attribute information stored in the cache;
the second determining module is used for determining a virus determining result corresponding to the successfully matched file attribute information as a scanning result of the flash file to be scanned when the matching is successful;
the sending module is used for sending the flash file to be scanned to a cloud server for virus scanning when matching fails;
and the receiving module is used for receiving the scanning result fed back by the cloud server.
With this technical scheme, the virus searching and killing method and device provided by the invention intercept flash files in advance, through hooks placed on specific functions of an application program (such as a browser or office), before the files are sent to the flash component for rendering; the flash files are scanned for viruses, and only when a flash file is determined to be safe and non-toxic is it sent to the flash component for rendering and then output and displayed by the browser or office. The security of the browser, office and even the whole terminal device is thus ensured.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a flow chart of a method for virus killing according to an embodiment of the present invention;
FIG. 2 is a flow chart of another virus searching and killing method according to an embodiment of the present invention;
FIG. 3 is a block diagram illustrating an apparatus for virus killing according to an embodiment of the present invention;
FIG. 4 is a block diagram illustrating another apparatus for virus killing according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
In practice, a user's terminal device often acquires executable files (for example, files with the .exe suffix), flash files and the like in several ways: the files may be sent to the user's terminal through an instant messaging tool, the user may be lured into downloading them through a download or sharing channel, they may be delivered by illicit means such as Trojan planting in web pages or virus propagation, or they may arrive when files are copied from a removable storage device. The acquired files may be safe or may be dangerous. In particular, while a user is making an online payment through an application program such as a browser, the user is likely to receive a dangerous, virus-carrying file sent by a malicious third party. Therefore, in order to check and kill viruses promptly and so ensure the security of the terminal device, an embodiment of the present invention provides a virus checking and killing method which, as shown in FIG. 1, mainly includes:
101. hooks are hooked for specific functions of an application.
The specific function is used to obtain a flash file. The flash file may be a file in SWF (Shockwave Flash) format, or a file in another flash-related format; this is not limited here. Once a hook has been placed on the specific function of the application program, the hook can monitor the data produced by that function, so that the flash file can be intercepted before it is fed back to the flash component for rendering, after which steps 103 and 104 are executed.
In practice, when the browser is required to download a flash file, the hook is placed in the browser; when office needs to read a flash file, the hook is placed in office.
Specifically, the following two situations are mainly involved for downloading the flash file by using the browser:
(1) and when the application program for outputting and displaying the rendered flash file is a browser, hooking the hook for a data downloading callback function for downloading the flash file in the browser.
Specifically, a hook may be placed on the export function RegisterBindStatusCallback of urlmon.dll in order to monitor whether flash*.ocx (the flash ActiveX control) registers a callback object with urlmon.dll; when such a registration is detected, a hook is placed on the OnDataAvailable function (that is, the data download callback function) of that object's IBindStatusCallback interface, so that the download of a flash file (for example, a .swf file) can be awaited by monitoring OnDataAvailable.
It should be added that, in practice, the data structures of urlmon.dll differ between browser versions, so the specific function that is hooked may change. Whatever function is finally hooked, however, it must be the one through which the flash file is downloaded.
(2) When an application program for outputting and displaying the rendered flash file is an office and a URL (Uniform Resource Locator) for acquiring the flash file is embedded in the office, hooking the hook for a data download callback function for downloading the flash file in the browser.
In addition, the following matters are mainly involved for the need of reading the flash file by using office:
if the flash component is embedded in the office, the rendered flash file needs to be output by using the office, and a hook is hooked for a function used for reading the flash file in the office in order to monitor reading of the flash file; then, monitoring whether the office calls the function for reading the flash file or not by using the hook; when the function for reading the flash file reads the flash data, caching the read flash data until the calling is finished to obtain the whole flash file.
Specifically, a hook may be placed on the IClassFactory::CreateInstance function of the class factory object of flash*.ocx so as to monitor the creation of flash objects; when a flash object is created, a hook is placed on the Load function of its IPersistStreamInit interface so as to monitor whether the flash object loads an embedded flash file inside the Load implementation; and when the flash object loads the embedded flash file, a hook is placed on the Read function of the stream interface it reads from, so as to monitor the reading of the flash data by that Read function.
102. And intercepting the flash file obtained by the specific function by using the hook.
In practice, the client can monitor dangerous processes during a login or payment process through a preset process list; monitor the files transmitted during the login or payment process through a preset safe-file list; monitor browser calls made during the login or payment process; monitor the reading of keyboard input during the login or payment process; monitor the data objects the client transmits during the login or payment process, for example intercepting the transmission when the client is seen sending login- or payment-related data to an object unrelated to that process; or monitor the web pages opened during the login or payment process, since a payment page the user opens may be a forgery by a malicious third party that closely resembles the real one. When monitoring files such as executable files, both the download of the file in real time and its behaviour at start-up and while running can be monitored.
After a hook has been placed on the data download callback function of urlmon.dll in the browser, downloads can be monitored through the hook; whether the file currently being downloaded is a flash file is determined from information such as the filename suffix of the downloaded file, and when it is determined to be a flash file the download is intercepted.
After a hook is hooked for a function used for reading a flash file in the office, reading of data can be monitored through the hook, and when the flash file is determined to be read, the read flash file is intercepted.
103. And acquiring a scanning result of virus scanning on the flash file.
Viruses may be scanned locally on the client, or the flash file may be sent to the cloud server for scanning. The virus scanning engine used may be a script scanning engine or another engine.
In practice a flash file resembles a script file and may contain script statements. A script scanning engine can therefore be used to scan the flash file, analysing its static characteristics to judge whether it contains a virus.
The script scanning engine detects whether a script of a given script type carries a virus according to preset virus sample characteristics corresponding to that script type.
Generally, script types and script scanning engines correspond one to one: one type of script corresponds to one script scanning engine. For example, a JS (JavaScript) script corresponds to a JS script scanning engine, a VBS (Microsoft Visual Basic Script Edition) script corresponds to a VBS script scanning engine, an HTML (HyperText Markup Language) script corresponds to an HTML script scanning engine, and so on. Since a flash file is similar to a JS-type script, the JS script scanning engine can be used to scan the flash file.
104. And if the scanning result shows that no virus exists in the flash file, sending the flash file to a flash component for rendering.
When the flash file is determined to contain no virus, it can be treated as a safe file: it is sent to the flash component for rendering and then output and displayed in the browser or office. When the flash file is determined to contain a virus, in order to avoid harm to the browser, office or even the whole terminal device, the flash file can be intercepted outright and not sent to the flash component for rendering, and data interception prompt information is output to inform the user that the data has been intercepted and cannot be displayed.
It should be noted that the embodiment of the present invention may be applied to both an open-source browser and a non-open-source browser, and for a developer implementing the technical solution, the authority of the browser to which the developer faces is not limited.
The virus checking and killing method provided by this embodiment can intercept flash files in advance, through hooks placed on specific functions of an application program (such as a browser or office), before the flash files are sent to the flash component for rendering; a flash scanning engine is used to scan the flash files for viruses, and only when a flash file is determined to be safe and non-toxic is it sent to the flash component for rendering and then output and displayed in the browser or office, so that the security of the browser, office and even the whole terminal device is ensured.
Further, according to the embodiment shown in fig. 1, another embodiment of the present invention further provides a method for virus killing, as shown in fig. 2, the method mainly includes:
201. hooks are hooked for specific functions of an application.
For the related introduction in this step, please refer to the related description in step 101 corresponding to fig. 1, and this step is not repeated.
202. And intercepting the flash file obtained by the specific function by using the hook.
For the related introduction in this step, please refer to the related description in step 102 corresponding to fig. 1, and this step is not repeated.
203. And acquiring a scanning result of virus scanning on the flash file.
As noted in step 103, when the flash file is scanned for viruses the scan may be performed by the client or the file may be sent to the cloud server. In practice, various policies for dividing the work between client and cloud server are possible:
Strategy one: after the flash file is obtained, first judge whether its size is smaller than or equal to a preset threshold. If it is, perform the virus scan on the flash file on the client; if the size is larger than the threshold, send the flash file to the cloud server for scanning and obtain the cloud server's scanning result. The preset threshold is an empirical value, for example 300KB.
When the flash file is large, sending it to the cloud server for scanning relieves the load on the terminal device; and once the cloud server finishes scanning, if a virus is found, the basic attribute information of the virus can be recorded directly so that other terminals in the network can be scanned promptly.
Strategy two: in practice the same flash file is often downloaded repeatedly within a preset time period, so to improve scanning efficiency the following scheme can be adopted:
Obtain the scanning results of already-scanned flash files stored in a cache. Each scanning result comprises the file attribute information of the scanned flash file and a virus determination result stating whether the file contains a virus and/or suspicious data; the file attribute information comprises the file size, file modification time and file path. Match the file attribute information of the flash file to be scanned against the file attribute information stored in the cache. If the match succeeds, take the virus determination result corresponding to the matched file attribute information as the scanning result of the flash file to be scanned; if the match fails, send the flash file to be scanned to the cloud server for virus scanning and receive the scanning result fed back by the cloud server.
A successful match means that the file attribute information of the flash file to be scanned is identical to an entry in the cache, i.e. the file size, file modification time and file path are all the same.
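As an added illustration (not part of the patent), the following Python sketch combines strategy one and strategy two into one scan-dispatch step: the cache keyed on (file size, modification time, file path) is consulted first, and a miss is scanned on the client when the file is at or below the 300KB threshold and otherwise sent to the cloud. `local_script_scan` and `cloud_scan` are hypothetical stand-ins for the script scanning engine and the cloud round trip.

```python
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Size threshold from strategy one (the patent gives 300KB as an example value).
SIZE_THRESHOLD = 300 * 1024

# Cache key from strategy two: size, modification time and path must all match.
AttrKey = Tuple[int, int, str]


@dataclass(frozen=True)
class FileAttrs:
    """File attribute information as the patent defines it."""
    size: int
    mtime: int
    path: str

    def key(self) -> AttrKey:
        return (self.size, self.mtime, self.path)

    @classmethod
    def from_path(cls, path: str) -> "FileAttrs":
        st = os.stat(path)
        return cls(st.st_size, int(st.st_mtime), os.path.abspath(path))


@dataclass(frozen=True)
class Verdict:
    """Virus determination result plus where it came from."""
    has_virus: bool
    suspicious: bool
    source: str  # "cache", "local" or "cloud"


class ScanCache:
    """Scanning results of already-scanned flash files, keyed on (size, mtime, path)."""

    def __init__(self) -> None:
        self._entries: Dict[AttrKey, Verdict] = {}

    def lookup(self, attrs: FileAttrs) -> Optional[Verdict]:
        hit = self._entries.get(attrs.key())
        if hit is None:
            return None
        return Verdict(hit.has_virus, hit.suspicious, "cache")

    def store(self, attrs: FileAttrs, verdict: Verdict) -> None:
        self._entries[attrs.key()] = verdict


def local_script_scan(data: bytes) -> Verdict:
    """Hypothetical stand-in for the client-side script scanning engine."""
    # Constructed marker instead of real virus sample characteristics.
    return Verdict(b"FAKE-VIRUS-MARKER" in data, False, "local")


def cloud_scan(data: bytes) -> Verdict:
    """Hypothetical stand-in for the cloud server scan."""
    return Verdict(False, b"SUSPICIOUS" in data, "cloud")


def get_scan_result(attrs: FileAttrs, data: bytes, cache: ScanCache,
                    threshold: int = SIZE_THRESHOLD) -> Verdict:
    """Step 203: cache lookup (strategy two), then size-based dispatch (strategy one)."""
    cached = cache.lookup(attrs)
    if cached is not None:
        return cached
    verdict = local_script_scan(data) if attrs.size <= threshold else cloud_scan(data)
    cache.store(attrs, verdict)
    return verdict


def should_render(verdict: Verdict) -> bool:
    """Step 204: only a file with no virus is handed to the flash component."""
    return not verdict.has_virus
```

Because the cache key is metadata only, a file whose content changes without changing its size, modification time and path would be served the old verdict, so an implementation may also want to key on a content hash.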
204. If the scanning result shows that no virus exists in the flash file, the flash file is sent to a flash component for rendering; and if the scanning result shows that the flash file contains viruses, the flash file is not sent to the flash component for rendering, and data interception prompt information is output.
For the related introduction in this step, please refer to the related description in step 104 corresponding to fig. 1, and this step is not repeated.
205. And if the scanning result shows that the flash file contains viruses and/or suspicious data, acquiring the URL of the flash file.
After determining that the flash file contains viruses and/or suspicious data, in order to prevent other terminals from being infected and to further determine whether the suspicious data is a virus, the basic attribute information of the flash file can be sent to the cloud server. The cloud server can then check and kill the virus on other terminals according to the basic attribute information, and continue to scan the URL of the flash file according to the basic attribute information to determine whether the URL is malicious, thereby performing a secondary identification of the suspicious data. The basic attribute information of the flash file comprises the parameters in the URL of the flash file and the parameter values corresponding to those parameters. For example, the parameters involved mainly include: operating system version, application name, flash version, flash type, flash MD5 (Message Digest Algorithm 5) and virus name.
In the process of acquiring the basic attribute information of the flash file, the URL of the flash file needs to be acquired first, and then the basic attribute information of the flash file is acquired according to the URL. The specific implementation manner of obtaining the URL of the flash file can be divided into the following:
(a) if the rendered flash file is output and displayed based on the browser, a window handle of the browser of a process where the current thread is located needs to be acquired first; then acquiring a source code of a webpage corresponding to the window handle; acquiring a URL (uniform resource locator) meeting a flash address format from the source code; and finally, determining the URL meeting the flash address format as the URL of the flash file.
The flash address format is as follows: (1) the URL ends with the suffix of a flash file, e.g. .swf; or (2) the name of the file stored locally ends with the suffix of a flash file, for example a file name ending in .swf.
(b) If the URL for acquiring the flash file is embedded in the office document and the rendered flash file is output by the office, the URL embedded in the office may be directly determined as the URL of the flash file.
(c) If the flash component is embedded in the office and the rendered flash file is output by the office, the local path from which the flash file is read can be determined as the URL of the flash file.
206. Recording the basic attribute information of the flash file according to the URL of the flash file.
After the URL of the flash file is obtained, the URL may be parsed, and each parameter and its corresponding parameter value may be extracted from it and recorded.
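Step (a) and step 206 above, as an added Python example that is not part of the patent: it extracts the URLs meeting the flash address format from a constructed page source and records the URL parameters as basic attribute information. The page source, the parameter names (os, app, fv, ft, md5, vn) standing in for the parameters the description lists, and the case-insensitive suffix match are assumptions.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed page source (not from the patent): three URLs, of which only the
# two whose path ends in the flash suffix meet the flash address format.
SAMPLE_PAGE_SOURCE = """
<html><body>
<img src="http://example.invalid/img/banner.png">
<object data="http://example.invalid/ads/player.swf?os=win7&app=ie11&fv=23.0.0.162&ft=embed&md5=0123456789abcdef0123456789abcdef&vn=Exploit.SWF.Sample"></object>
<embed src="http://example.invalid/games/puzzle.SWF">
</body></html>
"""

FLASH_SUFFIX = ".swf"

# Absolute http(s) URLs as they appear inside attribute values or text.
_URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)


def is_flash_file_name(name: str) -> bool:
    """Flash address format (2): a local file name ending in the flash suffix.
    Assumption: the comparison is case-insensitive, as Windows file names are."""
    return name.lower().endswith(FLASH_SUFFIX)


def matches_flash_address_format(url: str) -> bool:
    """Flash address format (1): the URL path ends in the flash suffix.
    Only the path is checked, so a query string after '.swf' does not
    disqualify the URL, and '.swf' inside the query does not qualify it."""
    return is_flash_file_name(urlparse(url).path)


def find_flash_urls(page_source: str) -> list:
    """Return, in document order, every URL in the page source that meets the
    flash address format (step (a): web page source code -> flash URLs)."""
    return [u for u in _URL_RE.findall(page_source) if matches_flash_address_format(u)]


def basic_attribute_info(url: str) -> dict:
    """Step 206: record each URL parameter and its value. The keys (os, app, fv,
    ft, md5, vn) are constructed stand-ins for the parameter names the page lists.
    The values come from a web page, so the receiver must treat them as untrusted."""
    query = urlparse(url).query
    return {name: values[0] for name, values in parse_qs(query).items()}


if __name__ == "__main__":
    for flash_url in find_flash_urls(SAMPLE_PAGE_SOURCE):
        print(flash_url, basic_attribute_info(flash_url))
```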
207. Sending the basic attribute information to a cloud server.
After the basic attribute information of the flash file is determined, it is sent to the cloud server. After receiving the information, the cloud server can further analyze the suspicious data according to the basic attribute information to determine whether the suspicious data is a virus, and can also check and kill the virus for other terminals in the network based on the basic attribute information, so that the safety of the whole network is ensured.
It should be added that, when the flash file contains only suspicious data and no virus, if the basic attribute information of the flash file is sent to the cloud server for secondary identification, then: when the cloud server determines according to the basic attribute information that the URL of the flash file is a secure website, it may send a data security indication to the client; and when the cloud server determines according to the basic attribute information that the URL of the flash file is a malicious URL (that is, the suspicious data is a virus), it may send a data danger indication and a virus killing indication to the client.
In addition, the cloud server side can pre-store the corresponding relation between the file characteristic value and the security level information. The security level information determined by the cloud server may be self-defined, for example, the security level information may be divided in a "security, unknown, suspicious, highly suspicious, and malicious" hierarchical division manner, or may be divided in a "primary, secondary, tertiary, and quaternary" hierarchical division manner, and a specific division manner is not limited.
Illustratively, the level settings may be as follows: when the file characteristic value is in (10, 20), the file is at the security level; when it is in [20, 40], the file is at the unknown level; when it is in (40, 50), the file is at the suspicious level; when it is in [50, 60], the file is at the highly suspicious level; and when it is greater than 60, the file is at the malicious level.
The virus checking and killing method provided by the embodiment of the invention not only can ensure that the flash file rendered by the flash component is safe, but also can record the basic attribute information when the scanned flash file contains viruses or suspicious data, and feed the basic attribute information back to the cloud server, so that the cloud server can further analyze the suspicious data according to the basic attribute information, and perform virus checking and killing operation on other terminals in the network according to the basic attribute information, thereby ensuring the network safety.
Further, according to the above method embodiment, another embodiment of the present invention provides a device for virus killing, as shown in fig. 3. The device mainly includes: a hooking unit 31, an intercepting unit 32, an obtaining unit 33, and a sending unit 34, wherein:
a hooking unit 31, configured to hook a hook for a specific function of an application, where the specific function is used to obtain a flash file;
an intercepting unit 32, configured to intercept, by using the hook hooked by the hooking unit 31, a flash file obtained through the specific function;
an obtaining unit 33, configured to obtain a scanning result of virus scanning on the flash file intercepted by the intercepting unit 32;
a sending unit 34, configured to send the flash file to a flash component for rendering when the scanning result obtained by the obtaining unit 33 is that the flash file does not contain viruses.
Further, as shown in fig. 4, the hooking unit 31 includes:
a first hooking module 311, configured to hook the hook for a data download callback function used for downloading a flash file in a browser when the application program is the browser;
a second hooking module 312, configured to hook the hook for a function used for reading a flash file in an office when the application is the office; wherein, a flash component is embedded in the office.
Further, the first hooking module 311 is configured to hook the hook for a data download callback function used for downloading a flash file in a browser when the application program for outputting and displaying the rendered flash file is the browser; and to hook the hook for the data download callback function used for downloading the flash file in the browser when the application program for outputting and displaying the rendered flash file is office and the URL for acquiring the flash file is embedded in the office.
Further, the intercepting unit 32 is configured to, when the application program is office, monitor by using the hook whether the office calls the function for reading the flash file to read flash data; and, when the function for reading the flash file reads the flash data, cache the read flash data until the call is finished so as to obtain the flash file.
Further, as shown in fig. 4, the apparatus further includes:
a blocking unit 35, configured not to send the flash file to the flash component for rendering when the scanning result indicates that the flash file contains a virus;
and the output unit 36 is used for outputting data interception prompt information.
Further, as shown in fig. 4, the obtaining unit 33 is further configured to obtain a URL of the flash file when the scanning result indicates that the flash file contains viruses and/or suspicious data;
the device further comprises:
a recording unit 37, configured to record basic attribute information of the flash file according to the URL of the flash file acquired by the obtaining unit 33, where the basic attribute information includes the parameters in the URL of the flash file and the parameter values corresponding to those parameters;
the sending unit 34 is further configured to send the basic attribute information to a cloud server.
Further, as shown in fig. 4, the obtaining unit 33 includes:
the first obtaining module 331, configured to obtain a window handle of a browser in a process where a current thread is located;
the first obtaining module 331 is further configured to obtain a source code of a webpage corresponding to the window handle;
the first obtaining module 331 is further configured to obtain a URL that meets a flash address format from the source code;
a first determining module 332, configured to determine the URL that meets the flash address format and is acquired by the first obtaining module 331 as the URL of the flash file.
Further, as shown in fig. 4, the obtaining unit 33 also includes:
a second obtaining module 333, configured to obtain a scanning result of a scanned flash file stored in a cache, where the scanning result includes file attribute information of the scanned flash file and a virus determination result for determining whether the flash file includes a virus and/or suspicious data, and the file attribute information includes a file size, a file modification time, and a file path;
the matching module 334 is configured to match file attribute information of the flash file to be scanned with file attribute information stored in the cache;
a second determining module 335, configured to determine, when matching is successful, a virus determination result corresponding to the successfully matched file attribute information as a scanning result of the flash file to be scanned;
a sending module 336, configured to send the flash file to be scanned to a cloud server for virus scanning when matching fails;
the receiving module 337 is configured to receive a scanning result fed back by the cloud server.
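An added Python example (not the patent's code) covering both the cloud-side level thresholds described earlier and the scan-result cache of the second obtaining module 333 through the receiving module 337: the client matches file attribute information (file size, modification time, path) against cached results and falls back to a simulated cloud scan only on a miss. The sample files, the MD5-keyed cloud table, the "unknown" default for unseen content, and the mapping from level to the virus/suspicious determination are assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional


def security_level(value: float) -> Optional[str]:
    """Cloud-side level thresholds as stated in the description.
    Values of 10 or below fall outside every stated interval, so None is
    returned for them rather than silently treating them as safe."""
    if 10 < value < 20:
        return "security"
    if 20 <= value <= 40:
        return "unknown"
    if 40 < value < 50:
        return "suspicious"
    if 50 <= value <= 60:
        return "highly suspicious"
    if value > 60:
        return "malicious"
    return None


@dataclass(frozen=True)
class FileAttributeInfo:
    """The cache key named on the page: file size, modification time, path.
    None of these fields is derived from the file's content."""
    size: int
    mtime: int
    path: str


@dataclass
class ScanResult:
    attrs: FileAttributeInfo
    level: Optional[str]
    has_virus: bool      # virus determination result: contains a virus
    suspicious: bool     # virus determination result: contains suspicious data


# Constructed sample flash files (the 'FWS' prefix is the uncompressed SWF
# header; the rest is filler, not real flash content).
CLEAN_SAMPLE = b"FWS\x08constructed-clean-sample"
MALICIOUS_SAMPLE = b"FWS\x08constructed-malicious-sample"

# Constructed cloud table: MD5 of file content -> file characteristic value.
CLOUD_CHARACTERISTIC_VALUES: Dict[str, float] = {
    hashlib.md5(CLEAN_SAMPLE).hexdigest(): 15.0,      # -> "security"
    hashlib.md5(MALICIOUS_SAMPLE).hexdigest(): 75.0,  # -> "malicious"
}


class SimulatedCloudServer:
    """Stand-in for the cloud server's scan. Assumption: content not in the
    table gets a characteristic value in the 'unknown' grade."""

    def __init__(self, table: Dict[str, float], unknown_value: float = 30.0):
        self.table = table
        self.unknown_value = unknown_value

    def scan(self, attrs: FileAttributeInfo, content: bytes) -> ScanResult:
        value = self.table.get(hashlib.md5(content).hexdigest(), self.unknown_value)
        level = security_level(value)
        return ScanResult(
            attrs=attrs,
            level=level,
            has_virus=(level == "malicious"),
            suspicious=(level in ("suspicious", "highly suspicious")),
        )


class ScanResultCache:
    """Client-side cache of scan results keyed on file attribute information."""

    def __init__(self, cloud: SimulatedCloudServer):
        self.cloud = cloud
        self._entries: Dict[FileAttributeInfo, ScanResult] = {}
        self.cloud_requests = 0  # number of cache misses sent to the cloud

    def get_scan_result(self, attrs: FileAttributeInfo, content: bytes) -> ScanResult:
        # Match on (size, mtime, path): a hit reuses the stored verdict without
        # re-reading the content, because the key is metadata, not a content hash.
        cached = self._entries.get(attrs)
        if cached is not None:
            return cached
        self.cloud_requests += 1
        result = self.cloud.scan(attrs, content)
        self._entries[attrs] = result
        return result
```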
The device for virus searching and killing provided by the embodiment of the invention can intercept flash files in advance, through the hooks hooked at the specific functions of the application program (such as a browser or office), before they are sent to the flash component for rendering; perform virus scanning on the flash files with the flash scanning engine; and send the flash files to the flash component for rendering, to be output and displayed by the browser or the office, only when they are determined to be safe and virus-free, thereby ensuring the safety of the browser, the office and even the whole terminal device.
The embodiment of the invention also provides the following scheme:
a1, a method for killing viruses, the method comprising:
hooking a hook for a specific function of an application program, wherein the specific function is used for acquiring a flash file;
intercepting a flash file obtained through the specific function by using the hook;
acquiring a scanning result of virus scanning on the flash file;
and if the scanning result shows that no virus exists in the flash file, sending the flash file to a flash component for rendering.
A2, according to the method in A1, the hooking a hook for a specific function of an application program includes:
when the application program is a browser, hooking the hook for a data downloading callback function for downloading a flash file in the browser;
when the application program is office, hooking the hook for a function used for reading a flash file in the office; wherein, a flash component is embedded in the office.
A3, according to the method in A2, the hooking the hook for the data downloading callback function used for downloading the flash file in the browser comprises:
when an application program for outputting and displaying the rendered flash file is a browser, hooking the hook for a data downloading callback function for downloading the flash file in the browser;
and when the application program for outputting and displaying the rendered flash file is office and the URL for acquiring the flash file is embedded in the office, hooking the hook for the data downloading callback function for downloading the flash file in the browser.
A4, according to the method in A2, when the application program is office, the intercepting the flash file obtained through the specific function by using the hook includes:
monitoring whether the office calls the function for reading the flash file to read flash data or not by using the hook;
when the function for reading the flash file reads the flash data, caching the read flash data until the calling is finished to obtain the flash file.
A5, the method of A1, the method further comprising:
and if the scanning result shows that the flash file contains viruses, the flash file is not sent to the flash component for rendering, and data interception prompt information is output.
A6, the method of A1, the method further comprising:
if the scanning result is that the flash file contains viruses and/or suspicious data, acquiring the URL of the flash file;
recording basic attribute information of the flash file according to the URL of the flash file, wherein the basic attribute information comprises parameters in the URL of the flash file and parameter values corresponding to the parameters;
and sending the basic attribute information to a cloud server.
A7, according to the method in A6, the obtaining the URL of the flash file includes:
acquiring a window handle of a browser of a process where a current thread is located;
acquiring a source code of a webpage corresponding to the window handle;
acquiring a URL (uniform resource locator) meeting a flash address format from the source code;
and determining the URL meeting the flash address format as the URL of the flash file.
A8, the method according to any one of A1 to A7, wherein the obtaining the scan result of the virus scan on the flash file comprises:
acquiring a scanning result of a scanned flash file stored in a cache, wherein the scanning result comprises file attribute information of the scanned flash file and a virus determination result for determining whether the flash file comprises a virus and/or suspicious data, and the file attribute information comprises file size, file modification time and file path;
matching the file attribute information of the flash file to be scanned with the file attribute information stored in the cache;
if the matching is successful, determining a virus determination result corresponding to the successfully matched file attribute information as a scanning result of the flash file to be scanned;
and if the matching fails, sending the flash file to be scanned to a cloud server for virus scanning, and receiving a scanning result fed back by the cloud server.
B9, a device for virus killing, the device comprising:
the hooking unit is used for hooking a hook for a specific function of an application program, and the specific function is used for acquiring a flash file;
the intercepting unit is used for intercepting the flash file obtained through the specific function by using the hook hooked by the hooking unit;
the obtaining unit is used for obtaining a scanning result of virus scanning on the flash file intercepted by the intercepting unit;
and the sending unit is used for sending the flash file to a flash component for rendering when the scanning result obtained by the obtaining unit indicates that no virus exists in the flash file.
B10, the device according to B9, the hooking unit comprising:
the first hooking module is used for hooking the hook for a data downloading callback function used for downloading a flash file in the browser when the application program is the browser;
the second hooking module is used for hooking the hook for the function used for reading the flash file in the office when the application program is the office; wherein, a flash component is embedded in the office.
B11, according to the device of B10, the first hooking module is used for hooking the hook for a data downloading callback function for downloading a flash file in a browser when the application program for outputting and displaying the rendered flash file is the browser; and when the application program for outputting and displaying the rendered flash file is office and the URL for acquiring the flash file is embedded in the office, hooking the hook for the data downloading callback function for downloading the flash file in the browser.
B12, the device according to B10, wherein the intercepting unit is used for monitoring, by using the hook, whether the office calls the function for reading the flash file to read flash data when the application program is office; and, when the function for reading the flash file reads the flash data, caching the read flash data until the call is finished so as to obtain the flash file.
B13, the apparatus of B9, the apparatus further comprising:
the blocking unit is used for not sending the flash file to the flash component for rendering when the scanning result shows that the flash file contains viruses;
and the output unit is used for outputting the data interception prompt information.
B14, the apparatus according to B9, wherein the obtaining unit is further configured to obtain the URL of the flash file when the scan result is that the flash file contains viruses and/or suspicious data;
the device further comprises:
the recording unit is used for recording basic attribute information of the flash file according to the URL of the flash file acquired by the obtaining unit, wherein the basic attribute information comprises the parameters in the URL of the flash file and the parameter values corresponding to those parameters;
the sending unit is further configured to send the basic attribute information to a cloud server.
B15, the apparatus according to B14, the obtaining unit includes:
the first obtaining module is used for obtaining a window handle of a browser of a process where a current thread is located;
the first obtaining module is further used for obtaining a source code of a webpage corresponding to the window handle;
the first obtaining module is further used for obtaining a URL meeting a flash address format from the source code;
and the first determining module is used for determining the URL meeting the flash address format acquired by the first obtaining module as the URL of the flash file.
B16, the apparatus according to any one of B9 to B15, the obtaining unit comprising:
the second obtaining module is used for obtaining the scanning result of a scanned flash file stored in the cache, wherein the scanning result comprises file attribute information of the scanned flash file and a virus determination result for determining whether the flash file comprises a virus and/or suspicious data, and the file attribute information comprises file size, file modification time and file path;
the matching module is used for matching the file attribute information of the flash file to be scanned with the file attribute information stored in the cache;
the second determining module is used for determining a virus determining result corresponding to the successfully matched file attribute information as a scanning result of the flash file to be scanned when the matching is successful;
the sending module is used for sending the flash file to be scanned to a cloud server for virus scanning when matching fails;
and the receiving module is used for receiving the scanning result fed back by the cloud server.
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
It will be appreciated that the relevant features of the method and apparatus described above are referred to one another. In addition, "first", "second", and the like in the above embodiments are for distinguishing the embodiments, and do not represent merits of the embodiments.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the method and apparatus for virus killing according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second, third, etc., does not indicate any ordering. These words may be interpreted as names.

Claims (10)

1. A method for killing a virus, the method comprising:
hooking a hook for a specific function of an application program, wherein the specific function is used for acquiring a flash file;
intercepting a flash file obtained through the specific function by using the hook;
acquiring a scanning result of virus scanning on the flash file;
and if the scanning result shows that no virus exists in the flash file, sending the flash file to a flash component for rendering.
2. The method of claim 1, wherein the hooking a hook for a specific function of an application program comprises:
when the application program is a browser, hooking the hook for a data downloading callback function for downloading a flash file in the browser;
when the application program is office, hooking the hook for a function used for reading a flash file in the office; wherein, a flash component is embedded in the office.
3. The method of claim 2, wherein hooking the hook for a data download callback function in a browser for downloading a flash file when the application is the browser comprises:
when an application program for outputting and displaying the rendered flash file is a browser, hooking the hook for a data downloading callback function for downloading the flash file in the browser;
and when the application program for outputting and displaying the rendered flash file is office and the URL for acquiring the flash file is embedded in the office, hooking the hook for the data downloading callback function for downloading the flash file in the browser.
4. The method according to claim 2, wherein, when the application program is office, the intercepting the flash file obtained through the specific function by using the hook comprises:
monitoring whether the office calls the function for reading the flash file to read flash data or not by using the hook;
when the function for reading the flash file reads the flash data, caching the read flash data until the calling is finished to obtain the flash file.
5. The method of claim 1, further comprising:
and if the scanning result shows that the flash file contains viruses, the flash file is not sent to the flash component for rendering, and data interception prompt information is output.
6. The method of claim 1, further comprising:
if the scanning result is that the flash file contains viruses and/or suspicious data, acquiring the URL of the flash file;
recording basic attribute information of the flash file according to the URL of the flash file, wherein the basic attribute information comprises parameters in the URL of the flash file and parameter values corresponding to the parameters;
and sending the basic attribute information to a cloud server.
7. The method of claim 6, wherein the obtaining the URL of the flash file comprises:
acquiring a window handle of a browser of a process where a current thread is located;
acquiring a source code of a webpage corresponding to the window handle;
acquiring a URL (uniform resource locator) meeting a flash address format from the source code;
and determining the URL meeting the flash address format as the URL of the flash file.
8. The method according to any one of claims 1 to 7, wherein the obtaining of the scan result of the virus scan on the flash file comprises:
acquiring a scanning result of a scanned flash file stored in a cache, wherein the scanning result comprises file attribute information of the scanned flash file and a virus determination result for determining whether the flash file comprises a virus and/or suspicious data, and the file attribute information comprises file size, file modification time and file path;
matching the file attribute information of the flash file to be scanned with the file attribute information stored in the cache;
if the matching is successful, determining a virus determination result corresponding to the successfully matched file attribute information as a scanning result of the flash file to be scanned;
and if the matching fails, sending the flash file to be scanned to a cloud server for virus scanning, and receiving a scanning result fed back by the cloud server.
9. A device for killing a virus, the device comprising:
the hooking unit is used for hooking a hook for a specific function of an application program, and the specific function is used for acquiring a flash file;
the intercepting unit is used for intercepting the flash file obtained through the specific function by using the hook hooked by the hooking unit;
the obtaining unit is used for obtaining a scanning result of virus scanning on the flash file intercepted by the intercepting unit;
and the sending unit is used for sending the flash file to a flash component for rendering when the scanning result obtained by the obtaining unit indicates that no virus exists in the flash file.
10. The apparatus of claim 9, wherein the hooking unit comprises:
the first hooking module is used for hooking the hook for a data downloading callback function used for downloading a flash file in the browser when the application program is the browser;
the second hooking module is used for hooking the hook for the function used for reading the flash file in the office when the application program is the office; wherein, a flash component is embedded in the office.
CN201610932195.2A 2016-10-31 2016-10-31 Virus checking and killing method and apparatus Pending CN106529292A (en)


Publications (1)

Publication Number Publication Date
CN106529292A true CN106529292A (en) 2017-03-22

Family

ID=58292435

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610932195.2A Pending CN106529292A (en) 2016-10-31 2016-10-31 Virus checking and killing method and apparatus

Country Status (1)

Country Link
CN (1) CN106529292A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108829708A (en) * 2018-05-02 2018-11-16 广州金山安全管理系统技术有限公司 File security judgment method and device

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101888312A (en) * 2009-05-15 2010-11-17 北京启明星辰信息技术股份有限公司 Attack detection and response method and device of WEB page
CN102375946A (en) * 2010-08-19 2012-03-14 腾讯科技(深圳)有限公司 Method and device for detecting webpage trojan
CN102542201A (en) * 2011-12-26 2012-07-04 北京奇虎科技有限公司 Detection method and system for malicious codes in web pages
CN102609654A (en) * 2012-02-08 2012-07-25 北京百度网讯科技有限公司 Method and device for detecting malicious flash files
US8578499B1 (en) * 2011-10-24 2013-11-05 Trend Micro Incorporated Script-based scan engine embedded in a webpage for protecting computers against web threats
CN103679014A (en) * 2012-09-04 2014-03-26 腾讯科技(深圳)有限公司 Method and device for intercepting processing of webpage malicious Flash
CN103678692A (en) * 2013-12-26 2014-03-26 北京奇虎科技有限公司 Safety scanning method and device of downloaded file
CN103716394A (en) * 2013-12-26 2014-04-09 北京奇虎科技有限公司 Downloaded file management method and device
CN104766014A (en) * 2015-04-30 2015-07-08 安一恒通(北京)科技有限公司 Method and system used for detecting malicious website
US20150199514A1 (en) * 2014-01-10 2015-07-16 Bitdefender IPR Management Ltd. Computer Security Systems And Methods Using Virtualization Exceptions

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101888312A (en) * 2009-05-15 2010-11-17 北京启明星辰信息技术股份有限公司 Attack detection and response method and device of WEB page
CN102375946A (en) * 2010-08-19 2012-03-14 腾讯科技(深圳)有限公司 Method and device for detecting webpage trojan
US8578499B1 (en) * 2011-10-24 2013-11-05 Trend Micro Incorporated Script-based scan engine embedded in a webpage for protecting computers against web threats
CN102542201A (en) * 2011-12-26 2012-07-04 北京奇虎科技有限公司 Detection method and system for malicious codes in web pages
CN102609654A (en) * 2012-02-08 2012-07-25 北京百度网讯科技有限公司 Method and device for detecting malicious flash files
CN103679014A (en) * 2012-09-04 2014-03-26 腾讯科技(深圳)有限公司 Method and device for intercepting processing of webpage malicious Flash
CN103678692A (en) * 2013-12-26 2014-03-26 北京奇虎科技有限公司 Safety scanning method and device of downloaded file
CN103716394A (en) * 2013-12-26 2014-04-09 北京奇虎科技有限公司 Downloaded file management method and device
US20150199514A1 (en) * 2014-01-10 2015-07-16 Bitdefender IPR Management Ltd. Computer Security Systems And Methods Using Virtualization Exceptions
CN104766014A (en) * 2015-04-30 2015-07-08 安一恒通(北京)科技有限公司 Method and system used for detecting malicious website

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Feng Huan (冯焕): "Research on Key Technologies of Flash Redirection and Implementation of a Flash Container", CNKI (中国知网) *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108829708A (en) * 2018-05-02 2018-11-16 广州金山安全管理系统技术有限公司 File security judgment method and device

Similar Documents

Publication Publication Date Title
CN112910857B (en) Method for verifying security
US9306968B2 (en) Systems and methods for risk rating and pro-actively detecting malicious online ads
CN102982284B (en) Scanning device, cloud management device, method and system for malicious program detection and removal
US10904286B1 (en) Detection of phishing attacks using similarity analysis
US8850585B2 (en) Systems and methods for automated malware artifact retrieval and analysis
US8474048B2 (en) Website content regulation
CN107209831B (en) System and method for identifying network attacks
CN103034808B (en) Scanning method, device and system, and cloud management device
CN103117893B (en) Monitoring method and device for network access behavior, and client device
CN102916937B (en) Method, device and client device for intercepting web page attacks
WO2012065551A1 (en) Method for cloud security download
JP2018502351A (en) RASP for script language
CN103617395A (en) Method, device and system for intercepting advertisement programs based on cloud security
CN103618626A (en) Method and system for generating safety analysis report on basis of logs
CN111163095B (en) Network attack analysis method, network attack analysis device, computing device, and medium
EP3021550A1 (en) System and method for identifying internet attacks
CN108156121B (en) Traffic hijacking monitoring method and device and traffic hijacking alarm method and device
CN110968872A (en) File vulnerability detection processing method and device, electronic equipment and storage medium
CN111163094B (en) Network attack detection method, network attack detection device, electronic device, and medium
CN102984134A (en) Safe defense system
CN106407815B (en) Vulnerability detection method and device
CN105959280B (en) Method and device for intercepting malicious URLs
CN106529292A (en) Virus checking and killing method and apparatus
CN112528286A (en) Terminal device security detection method, associated device and computer program product
CN108512818B (en) Method and device for detecting vulnerability

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170322