CN107193600A - Patch management method, first device, first plug-in, system and firewall - Google Patents

Publication number: CN107193600A
Authority: CN (China)
Legal status: Pending
Application number: CN201710373698.5A
Other languages: Chinese (zh)
Inventor: 高永阔
Current Assignee: Sangfor Technologies Co Ltd
Original Assignee: Sangfor Technologies Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/60 Software deployment
    • G06F8/61 Installation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/445 Program loading or initiating
    • G06F9/44521 Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading
    • G06F9/44526 Plug-ins; Add-ons
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls

Abstract

An embodiment of the invention discloses a patch management method, a first device, a first plug-in, a system and a firewall, used to monitor and manage the patches on computers automatically and precisely, reducing as far as possible the security risk caused by patches not being installed in time. The method of the embodiment includes: receiving the patch information of a second device sent by the first plug-in; judging from the patch information whether the second device is missing a first patch; and, if it is missing, pushing the first patch to the first plug-in so that the first plug-in installs the first patch on the second device.

Description

Patch management method, first device, first plug-in, system and firewall
Technical field
The present invention relates to the field of computer technology, and in particular to a patch management method, a first device, a first plug-in, a system and a firewall.
Background
In general, installing security patches is one of the most effective ways to fix security vulnerabilities and reduce security risk. For enterprises, however, and large enterprises especially, the complexity of the network environment means that security patches are often installed late or not installed at all, which makes security hazards more likely.
The challenges enterprises currently face in installing security patches are illustrated below, taking the enterprise network DMZ model as an example:
An enterprise can use a firewall to divide its network into a DMZ region and an intranet region. The DMZ servers in the DMZ region, such as web servers and mail servers, have public IP addresses and can be reached from the public network; a DMZ server may or may not have Internet access. In most cases the DMZ servers are not given Internet access, in order to improve security, reduce the exploitation of vulnerabilities such as remote file inclusion and command execution without echo, and avoid the risk of downloading malware from the Internet. Without Internet access, however, security updates for the operating system and application systems cannot be downloaded. Network administrators therefore connect the DMZ servers to the Internet at regular or irregular intervals to update patches, or upload and install security patches manually, to keep the servers secure. This consumes manpower and makes maintenance cumbersome.
The intranet region can be roughly divided into two main areas: the office area and the core data area. Office PCs in the office area can access the Internet but cannot be reached directly from the public network, so their main security problem is passive attack, such as receiving phishing mail, made possible by security updates and security patches not being installed in time. However, because employees believe their office PCs are inside the intranet, and the enterprise has many security devices and security policies, they seldom track and install the latest security patches, and network administrators cannot force every employee to install them. Patch installation across office-area computers is therefore uneven, which adds security hazards. The servers in the core data area can only be accessed from office PCs, so the probability of their being attacked is much smaller; but because they have no Internet access, security patches are updated and installed late or never, so once an attacker gets into the intranet, security problems arise very easily.
Summary of the invention
Embodiments of the invention provide a patch management method, a first device, a first plug-in, a system and a firewall, used to monitor and manage the patches on computers automatically and precisely, reducing as far as possible the security risk caused by patches not being installed in time.
In view of this, a first aspect of the invention provides a patch management method, applied to a first device, which may include:
receiving the patch information of a second device sent by a first plug-in;
judging from the patch information whether the second device is missing a first patch;
if it is missing, pushing the first patch to the first plug-in, so that the first plug-in installs the first patch on the second device.
Further, after judging from the patch information whether the second device is missing the first patch, and before pushing the first patch to the first plug-in, the method also includes:
if the second device is missing the first patch, detecting whether the first patch is an important patch;
if so, triggering the step of pushing the first patch to the first plug-in;
if not, pushing warning information to the first plug-in, so that the first plug-in prompts the user of the second device according to the warning information.
Further, after the warning information is pushed to the first plug-in, the method also includes:
if the user chooses to install the first patch, triggering the step of pushing the first patch to the first plug-in.
Further, before receiving the patch information of the second device sent by the first plug-in, the method also includes:
detecting whether a preset trigger event has occurred;
if so, sending a first instruction to the first plug-in, the first instruction being used to request the patch information of the second device.
Further, the preset trigger event includes at least one of the following:
the patch library is updated, a vulnerability appears in the system, a security incident occurs in the system.
Further, before pushing the first patch to the first plug-in, the method also includes:
when the second device is in an external communication state, issuing a second instruction, the second instruction being used to intercept the external communication of the second device.
A second aspect of the invention provides a patch management method, applied to a first plug-in, which may include:
obtaining the patch information of a second device;
sending the patch information to a first device, so that the first device judges from the patch information whether the second device is missing a first patch and, if so, pushes the first patch to the first plug-in;
receiving the first patch pushed by the second device;
installing the first patch on the second device.
Further, before obtaining the patch information of the second device, the method also includes:
detecting whether a preset trigger event has occurred;
if so, triggering the step of obtaining the patch information of the second device.
Further, the preset trigger event includes at least one of the following:
the first device initiates a network request to the external network, the first device installs a first application, a security incident occurs on the first device.
Further, before obtaining the patch information of the second device, the method also includes:
receiving a first instruction sent by the first device, the first instruction being used to request the patch information of the first device.
Further, the method also includes:
if the first device detects that the first patch is not an important patch, receiving the warning information pushed by the first device;
prompting the user of the second device according to the warning information.
A third aspect of the invention provides a first device, which may include:
a receiving module, for receiving the patch information of a second device sent by a first plug-in;
a judging module, for judging from the patch information whether the second device is missing a first patch;
a first pushing module, for pushing the first patch to the first plug-in when the second device is missing the first patch, so that the first plug-in installs the first patch on the second device.
Further, the first device also includes:
a first detection module, for detecting whether the first patch is an important patch when the second device is missing the first patch;
a first trigger module, for triggering the first pushing module to push the first patch to the first plug-in when the first patch is an important patch;
a second pushing module, for pushing warning information to the first plug-in when the first patch is not an important patch, so that the first plug-in prompts the user of the second device according to the warning information.
Further, the first device also includes:
a second trigger module, for triggering the first pushing module to push the first patch to the first plug-in when the user chooses to install the first patch.
Further, the first device also includes:
a second detection module, for detecting whether a preset trigger event has occurred;
a sending module, for sending a first instruction to the first plug-in when a preset trigger event occurs, the first instruction being used to request the patch information of the second device.
Further, the preset trigger event includes at least one of the following:
the patch library is updated, a vulnerability appears in the system, a security incident occurs in the system.
Further, the first device also includes:
an issuing module, for issuing a second instruction when the second device is in an external communication state, the second instruction being used to intercept the external communication of the second device.
A fourth aspect of the invention provides a first plug-in, which may include:
an obtaining module, for obtaining the patch information of a second device;
a sending module, for sending the patch information to a first device, so that the first device judges from the patch information whether the second device is missing a first patch and, if so, pushes the first patch to the first plug-in;
a first receiving module, for receiving the first patch pushed by the second device;
an installing module, for installing the first patch on the second device.
Further, the first plug-in also includes:
a detection module, for detecting whether a preset trigger event has occurred;
a trigger module, for triggering the obtaining module to obtain the patch information of the second device when a preset trigger event occurs.
Further, the preset trigger event includes at least one of the following:
the first device initiates a network request to the external network, the first device installs a first application, a security incident occurs on the first device.
Further, the first plug-in also includes:
a second receiving module, for receiving a first instruction sent by the first device, the first instruction being used to request the patch information of the first device.
Further, the first plug-in also includes:
a third receiving module, for receiving the warning information pushed by the first device when the first device detects that the first patch is not an important patch;
a prompting module, for prompting the user of the second device according to the warning information.
A fifth aspect of the invention provides a patch management system, including the first device of the third aspect of the invention and the first plug-in of the fourth aspect.
A sixth aspect of the invention provides a firewall, including the first device of the third aspect of the invention.
As can be seen from the above technical solutions, the embodiments of the invention have the following advantages:
In the invention, through the linkage of the first plug-in and the first device, the first device can judge, from the patch information of the second device sent by the first plug-in, whether the second device is missing the first patch, so that when the second device is missing the first patch, the first plug-in can install the first patch pushed by the first device. The first plug-in can thus monitor the patch installation status of the second device, and, through the detection performed by the first device, the first patch that the second device is missing can be installed in time, strengthening the network security of the second device.
Brief description of the drawings
Fig. 1 is a schematic diagram of the connection between the first device and the first plug-in in an embodiment of the invention;
Fig. 2 is a schematic diagram of one embodiment of the patch management method in an embodiment of the invention;
Fig. 3 is a schematic diagram of another embodiment of the patch management method in an embodiment of the invention;
Fig. 4 is a schematic diagram of another embodiment of the patch management method in an embodiment of the invention;
Fig. 5 is a schematic diagram of another embodiment of the patch management method in an embodiment of the invention;
Fig. 6 is a schematic diagram of one embodiment of the first device in an embodiment of the invention;
Fig. 7 is a schematic diagram of another embodiment of the first device in an embodiment of the invention;
Fig. 8 is a schematic diagram of another embodiment of the first device in an embodiment of the invention;
Fig. 9 is a schematic diagram of another embodiment of the first device in an embodiment of the invention;
Fig. 10 is a schematic diagram of one embodiment of the first plug-in in an embodiment of the invention;
Fig. 11 is a schematic diagram of another embodiment of the first plug-in in an embodiment of the invention;
Fig. 12 is a schematic diagram of another embodiment of the first plug-in in an embodiment of the invention;
Fig. 13 is a schematic diagram of another embodiment of the first plug-in in an embodiment of the invention.
Detailed description of the embodiments
Embodiments of the invention provide a patch management method, a first device, a first plug-in, a system and a firewall, used to monitor and manage the patches on computers automatically and precisely, reducing as far as possible the security risk caused by patches not being installed in time.
To help those skilled in the art better understand the solution of the invention, the technical solutions in the embodiments of the invention are described clearly and completely below. The described embodiments are obviously only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention, without creative work, fall within the scope of protection of the invention.
The terms "first", "second", "third", "fourth" and the like (if present) in the description, the claims and the above drawings are used to distinguish similar objects, and not to describe a particular order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments described here can be implemented in an order other than that illustrated or described here. In addition, the terms "include" and "have", and any variations of them, are intended to cover non-exclusive inclusion: for example, a process, method, product or device that contains a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.
It will be appreciated that for operating programs, Windows in particular, and for various software and games, if the original vendor's programmers find that the software has a problem or flaw (commonly called a bug) that may interfere with the user's work or harm security when the system or software is used, they can write programs that are inserted into the original program to fix the bug. These programs used to fix bugs are patches.
Here, the computers in the enterprise and the firewall gateway are all interconnected. To ensure the security of the enterprise's internal network, as shown in Fig. 1, assume the first plug-in is a probe; a probe can then be installed on each computer (that is, each second device). Taking the enterprise network DMZ model as an example, the DMZ servers in the enterprise's DMZ region, and the office PCs in the office area and the servers in the core data area of the enterprise intranet region, can be the second devices, each with a probe installed. The probe on a second device can link with the first device (assumed to be a Security Patch Module, SPM). Through the connection between probe and SPM, the SPM can rely on a patch library that it maintains itself to monitor and manage, in a unified way, the patch installation status of all computers (that is, second devices) in the enterprise. The SPM can be an independent device or a component of the firewall; this is not limited here.
For ease of understanding, the specific flow in the embodiment of the invention is described below in interactive form. Referring to Fig. 2, one embodiment of the patch management method in the embodiment of the invention includes:
201. The first plug-in obtains the patch information of the second device;
In this embodiment, the first plug-in can be installed on the second device, and can actively collect the second device's operating system and software installation status, types, versions, patch installation status and so on. The first plug-in can record and store the patch installation status of the second device, that is, the patch information, so that the patch information of the second device can be obtained when it needs to be reported to the first device.
The first plug-in can collect the patch information of the second device in real time or at timed intervals, and can obtain it at regular or irregular intervals. For example, the first plug-in can collect the patch information of the second device once every 2 hours and obtain the second device's latest patch information every 3 hours; this is not specifically limited here.
It will be appreciated that the first plug-in's collection and obtaining of the second device's patch information can also be carried out together: the patch information is collected only when it needs to be reported to the first device, so that collecting and obtaining are the same action and the patch information is not stored, which reduces the workload of the first plug-in. In practice, the way the patch information of the second device is obtained can be set according to actual conditions; this is not specifically limited here.
202. The first plug-in sends the patch information to the first device;
In this embodiment, after obtaining the patch information of the second device, the first plug-in can send the patch information to the first device.
203. The first device judges from the patch information whether the second device is missing the first patch; if so, step 204 is performed; if not, step 206 is performed;
In this embodiment, the first plug-in sends the patch information to the first device; the first device can receive the patch information and judge from it whether the second device is missing the first patch.
Specifically, to ensure the enterprise's network security and manage patches effectively, the first device can be provided with a patch library. The first device can manage and control the patch library and update it in real time or at timed intervals. The patch library can include the patches installable on each type of operating system, application server software, browser, application software and so on, so that patch installation on all the enterprise's computers can be satisfied even when none of them has Internet access.
In this embodiment, after receiving the patch information of the second device sent by the first plug-in, the first device can use a patch detection engine to compare the patch information against the patch library, and so determine whether the second device is missing a first patch that exists in the patch library but is not installed on the second device.
In practice, computer environments are very complex. The patch library of the first device may store patches meeting the different needs of many kinds of computers, versions and configurations, and after comparing the second device's patch information against the patch library, installing every first patch the second device is missing does not necessarily make it safer. On the contrary, installing outdated, unnecessary or even faulty patches can bring risk to the second device, and a patch suitable for a second device of one configuration may not suit a second device of another configuration; a patch suited to a DMZ server, for example, is not necessarily suited to an office PC. In addition, a patch with the same number may exist in several versions, for example with different versions applying to differently configured computers; a second device using legitimate Windows is advised to use Windows Update, or to use third-party software. Optionally, therefore, when comparing the second device's patch information against the patch library, conditions such as the configuration and model of the second device can be taken into account: the patches suitable for the second device are first selected from the patch library, and the second device's patch information is then compared against those patches to detect whether the second device is missing the first patch.
204. The first device pushes the first patch to the first plug-in;
In this embodiment, if the first device judges from the patch information that the second device is missing the first patch, the first device can push the first patch to the first plug-in.
Specifically, when the second device is missing the first patch, the first device can actively push the first patch stored in the patch library directly to the first plug-in, so that the first plug-in can install the first patch on the second device automatically. This avoids the situation where the second device cannot install the first patch because it has no Internet access, or where enterprise staff do not install the first patch on their own initiative. It helps the first device manage the security of all computers in the enterprise and reduces the security hazards caused by patches being installed late or not at all.
205. The first plug-in installs the first patch on the second device;
In this embodiment, after the first device pushes the first patch to the first plug-in, the first plug-in can receive the first patch and install it directly on the second device, to prevent network security problems on the second device caused by the missing first patch.
Further, in this embodiment, after receiving the first patch pushed by the first device, the first plug-in can also install it selectively: patches among the first patches that are unnecessary or unsuitable to install can be left uninstalled, to make the most of the benefit of installing the first patch and optimise the selection intelligently. This is not specifically limited here.
206. The first device ends the flow.
In this embodiment, if the first device judges from the patch information that the second device is not missing the first patch, the second device has either already installed the first patch or does not need or is not suited to it, and the flow can end without further operation.
In this embodiment, through the linkage of the first plug-in and the first device, the first device can judge, from the patch information of the second device sent by the first plug-in, whether the second device is missing the first patch, so that when the second device is missing the first patch, the first plug-in can install the first patch pushed by the first device. The first plug-in can thus monitor the patch installation status of the second device, and, through the detection performed by the first device, the first patch that the second device is missing can be installed in time, strengthening the network security of the second device.
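The decision made in steps 203 to 206, including the suitability filtering described under step 203 and the important / not-important split from the summary, is sketched below as an added example. It is not code from the patent: the class names, fields, device roles, version scheme and patch identifiers are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Patch:
    patch_id: str       # constructed identifier
    product: str        # software the patch fixes
    fixed_in: tuple     # devices running a lower version need the patch
    roles: frozenset    # device roles the patch is suitable for
    important: bool     # important patches are pushed without asking


@dataclass
class PatchInfo:
    """Report the first plug-in (probe) sends about a second device (steps 201-202)."""
    host: str
    role: str           # assumed roles: "dmz-server", "office-pc", "core-server"
    software: dict      # product -> installed version tuple
    installed: set = field(default_factory=set)


ALL_ROLES = frozenset({"dmz-server", "office-pc", "core-server"})

# Constructed patch library held by the first device (SPM).
LIBRARY = [
    Patch("P-001", "webserver", (2, 4, 10), frozenset({"dmz-server"}), True),
    Patch("P-002", "mailclient", (7, 1), frozenset({"office-pc"}), True),
    Patch("P-003", "os", (10, 3), ALL_ROLES, False),
    Patch("P-004", "os", (10, 2), frozenset({"office-pc"}), True),
]


def applicable(library, info):
    """Select the patches that suit this device before any comparison is made."""
    selected = []
    for patch in library:
        version = info.software.get(patch.product)
        if version is None:              # product absent: patch is unnecessary
            continue
        if version >= patch.fixed_in:    # already at or past the fixed version
            continue
        if info.role not in patch.roles:  # wrong kind of device for this patch
            continue
        selected.append(patch)
    return selected


def evaluate(library, info):
    """Step 203 on the first device: compare the report with the suitable patches.

    Returns (action, patch_id) pairs, "push" for important patches and "warn"
    for the rest. An empty list means nothing is missing and the flow ends (206).
    """
    return [("push" if patch.important else "warn", patch.patch_id)
            for patch in applicable(library, info)
            if patch.patch_id not in info.installed]


def plugin_apply(info, actions, user_accepts=frozenset()):
    """Step 205 on the plug-in: install pushed patches; a warned patch is installed
    only if the user chose it. (In the patent that choice triggers a push from the
    first device; the round trip is collapsed here.) Returns the ids installed."""
    done = [pid for action, pid in actions
            if action == "push" or pid in user_accepts]
    info.installed.update(done)
    return done


if __name__ == "__main__":
    # Constructed report from a DMZ web server with nothing installed yet.
    dmz = PatchInfo("dmz-web-01", "dmz-server",
                    {"webserver": (2, 4, 7), "os": (10, 1)})
    actions = evaluate(LIBRARY, dmz)
    print("first device decides:", actions)
    print("plug-in installs:", plugin_apply(dmz, actions))
    print("still outstanding:", evaluate(LIBRARY, dmz))
```

The office-PC-only patch `P-004` and the mail-client patch `P-002` never reach the DMZ server even though it has neither installed, which is the point of filtering the library before comparing.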
It is understood that in the present embodiment, the first plug-in unit to the first equipment except that actively can report the second equipment Patch information, the patch information of the second equipment can also be reported by the equipment of trend first, is illustrated separately below:
Referring to Fig. 3, another embodiment of patch management method includes in the embodiment of the present invention:
301st, the first equipment detects whether occur default trigger event, if so, step 302 is then performed, if it is not, then performing step Rapid 308;
In the present embodiment, for the security mechanism of further perfect enterprise network, the first equipment actively can be set to second Standby patch information is obtained, i.e. the first equipment can detect whether occur default trigger event, to occur default triggering During event, the active obtaining of the patch information to the second equipment can be triggered.
Specifically, the second equipment can be defined or to the judgement mark of default trigger event to presetting trigger event in advance Standard is stored, to be capable of detecting whether to occur default trigger event.Wherein, the default trigger event can include but is not limited to Patch library occurs renewal, system and occurs leak, system generation security incident, for example, patch A upgrades to patch B in patch library, again Such as, urgent or important patch etc. is found.
It is understood that the first equipment timing or can detect whether to occur default triggering thing in real time in the present embodiment Part, is not limited specifically herein.
302nd, the first equipment sends first to the first plug-in unit and instructed;
In the present embodiment, if default trigger event occurs for the detection of the first equipment, first can be sent to the first plug-in unit and referred to Order.Wherein, the first instruction can be used for the patch information of the equipment of acquisition request second.
In actual applications, if detecting the default trigger event of generation, meaning there may exist causes certain in enterprise The safety problem of the computer of one or more, then in order to guarantee network security, the first equipment can be actively to the second equipment Patch information obtained, to detect whether the second equipment lacks the first patch, then the first equipment can be sent out to the first plug-in unit The first instruction is sent, to indicate that the first plug-in unit can be reported the patch information of the second equipment of acquisition.
It is understood that in the present embodiment, the first equipment can not also detect whether occur default trigger event In the case of, regularly send first to the first plug-in unit and instruct, with the patch information of the equipment of active obtaining second, to the benefit of the second equipment Fourth installation situation is monitored and managed, so as to be conducive to the feelings in the patch information of the non-equipment of active reporting second of the first plug-in unit Under condition, the safety of the second equipment can be further ensured.
303. The first plug-in unit obtains the patch information of the second equipment;
In this embodiment, after the first equipment sends the first instruction to the first plug-in unit, the first plug-in unit receives the first instruction and obtains the patch information of the second equipment according to it.
In practical applications, the first plug-in unit may obtain the patch information of the second equipment actively, at regular or irregular intervals, and, in addition to this regular or irregular acquisition, may also obtain the patch information of the second equipment passively. In this embodiment, the first plug-in unit receiving the first instruction means that it obtains the patch information of the second equipment passively.
Based on this, in this embodiment, the first plug-in unit may obtain the patch information of the second equipment passively, or in a combination of active and passive modes. That is, the first plug-in unit may refrain from actively reporting the patch information of the second equipment and trigger acquisition of that information only after receiving the second instruction from the first equipment; or, while obtaining the patch information of the second equipment at regular or irregular intervals, the first plug-in unit may also obtain and report the patch information of the second equipment if it receives the second instruction sent by the first equipment.
Step 304 in this embodiment is the same as step 202 in the embodiment shown in Fig. 2 and is not repeated here.
305. The first equipment judges, according to the patch information, whether the second equipment lacks the first patch; if so, step 306 is performed; if not, step 308 is performed;
Steps 305 to 307 in this embodiment are the same as steps 203 to 205 in the embodiment shown in Fig. 2 and are not repeated here.
308. The first equipment ends the flow.
In this embodiment, if the first equipment does not detect that a preset trigger event has occurred, it can end the flow without performing other operations. It can be understood that, in practical applications, the first equipment can still receive the patch information of the second equipment actively reported by the first plug-in unit and perform the corresponding detection; this is not limited here.
In this embodiment, if the first equipment judges according to the patch information that the second equipment does not lack the first patch, this means that the second equipment has already installed the first patch, or does not need it, or is not suited to installing it, and the flow can be ended without performing other operations.
Referring to Fig. 4, another embodiment of the patch management method in the embodiments of the present invention includes:
401. The first plug-in unit detects whether a preset trigger event occurs; if so, step 402 is performed; if not, step 408 is performed;
In this embodiment, after the first plug-in unit is installed on the second equipment, it can detect on the second equipment side whether a preset trigger event occurs and, when one does, report the patch information of the second equipment to the first equipment. This helps prevent network security problems caused by the second equipment installing a patch late or not installing it at all.
Specifically, the first plug-in unit can define the preset trigger event in advance, or store the criteria for judging the preset trigger event, so that it can detect whether a preset trigger event occurs on the second equipment. The preset trigger event may include, but is not limited to, the first equipment initiating a network request to the external network, the first equipment installing a first application, or a security incident occurring on the first equipment. For example, an office PC requests Internet access, a server in the intranet zone installs a piece of software, or the firewall's attack defense module detects an attempted attack on a DMZ server that exploits a high-risk vulnerability.
It can be understood that, in this embodiment, the first plug-in unit may detect whether a preset trigger event occurs on the second equipment side either periodically or in real time; this is not specifically limited here.
402. The first plug-in unit obtains the patch information of the second equipment;
In this embodiment, if the first plug-in unit detects that a preset trigger event has occurred on the second equipment, it can determine that the configured trigger condition is met and therefore obtain the patch information of the second equipment.
Step 403 in this embodiment is the same as step 202 in the embodiment shown in Fig. 2 and is not repeated here.
404. The first equipment judges, according to the patch information, whether the second equipment lacks the first patch; if so, step 405 is performed; if not, step 407 is performed;
Steps 404 to 406 in this embodiment are the same as steps 203 to 205 in the embodiment shown in Fig. 2 and are not repeated here.
407. The first equipment ends the flow;
In this embodiment, if the first equipment judges according to the patch information that the second equipment does not lack the first patch, this means that the second equipment has already installed the first patch, or does not need it, or is not suited to installing it, and the flow can be ended without performing other operations.
408. The first plug-in unit ends the flow.
In this embodiment, if the first plug-in unit does not detect that a preset trigger event has occurred, it can end the flow without performing other operations. It can be understood that, in practical applications, the first equipment can still receive the first instruction sent by the first equipment, so as to report the patch information of the second equipment according to the first instruction, so that the first equipment performs the corresponding detection on the patch information of the second equipment; this is not limited here.
It can be understood that, to reduce the load on the first plug-in unit, the first patch can be examined further to determine whether it is a patch that must be installed, as described below:
Referring to Fig. 5, another embodiment of the patch management method in the embodiments of the present invention includes:
Steps 501 to 502 in this embodiment are the same as steps 201 to 202 in the embodiment shown in Fig. 2 and are not repeated here.
503. The first equipment judges, according to the patch information, whether the second equipment lacks the first patch; if so, step 504 is performed; if not, step 511 is performed;
Step 503 in this embodiment is the same as step 203 in the embodiment shown in Fig. 2 and is not repeated here.
504. The first equipment detects whether the first patch is an important patch; if not, step 505 is performed; if so, step 509 is performed;
In this embodiment, after the first equipment detects according to the patch library that the second equipment lacks the first patch, it can analyze the first patch further, that is, detect whether the missing first patch is an important patch, one whose absence puts the second equipment at high risk.
Specifically, the first patch can address vulnerabilities present in a certain class of computers in the enterprise and can better optimize the performance of such computers. In general, first patches can be divided by the size of their impact into: (1) first patches for high-risk vulnerabilities, which should be repaired immediately because high-risk vulnerabilities may be exploited by Trojans and viruses; (2) first patches for software security updates, which repair serious security vulnerabilities in some software and for which immediate repair is recommended; (3) first patches for optional high-risk vulnerabilities, which may cause the computer and software to stop working normally after installation and should be selected with caution; (4) first patches for other and functional updates, which are mainly used to update functions of the system or software and can be installed selectively as needed; (5) invalid first patches, for example expired first patches, which were mainly not installed in time and were later superseded by other patches, so they no longer need to be installed; ignored first patches, which are not suited to the current system environment; and shielded patches, which are intelligently shielded for reasons such as not supporting the operating system or the current system environment.
Based on the above description of the first patch, in practical applications, after the first equipment determines from the patch library the first patch that the second equipment lacks, it can further analyze which of the above kinds the first patch belongs to in order to determine its importance, that is, to exclude first patches that need not be installed on the second equipment, such as invalid first patches and optional functional first patches.
It can be understood that, in this embodiment, because the security requirements of the computers in an enterprise differ, the importance of the first patch can be assessed on the basis of the security requirements of the second equipment to which the first patch corresponds. In addition to the classification described above, other approaches can be used in practical applications; for example, a severity can be set for the first patch according to installation requirements, such as the four levels urgent, important, warning and note. The severity of the first patch can then be compared with the set severity levels, and first patches whose severity is urgent or important are determined to be important patches. The specific classification method is not limited here.
It should be noted that, in this embodiment, when further analyzing whether the first patch is an important patch for the second equipment, invalid first patches need not be considered, based on the content described for step 203 in the embodiment shown in Fig. 2.
505. The first equipment pushes a warning message to the first plug-in unit;
In this embodiment, if the first equipment detects that the first patch lacking on the second equipment is not an important patch, this means that the first patch does not urgently need to be installed, or need not be installed at all. For the sake of security, however, the first equipment can push a warning message to the first plug-in unit so that the first plug-in unit can prompt the user, leaving the decision on whether to install the first patch to the user of the second equipment.
506. The first plug-in unit prompts the user of the second equipment according to the warning message;
In this embodiment, after the first equipment pushes the warning message to the first plug-in unit, the first plug-in unit receives the warning message and can prompt the user of the second equipment according to it, for example by notifying the user that the first patch has not been installed automatically, which may leave the second equipment with a potential security risk.
Specifically, the first plug-in unit can prompt the user by, for example, outputting the warning message on the second equipment, and can also output selection information on the second equipment so that the user chooses how to handle the prompt, such as ignoring the first patch or installing the first patch. After the user makes the selection, the first plug-in unit obtains the operation instruction the user entered for this selection and parses the user's selection from it to determine whether the user chose to install the first patch.
It can be understood that, in addition to the content described above, the selection information output in this embodiment may in practical applications include other options, such as installing the first patch later once a preset condition is met (for example, when the second equipment is shut down); this is not specifically limited here.
507. The first equipment receives the installation information fed back by the first plug-in unit;
In this embodiment, after the first plug-in unit prompts the user of the second equipment according to the warning message, it can generate installation information from the user's decision on the first patch and feed the installation information back to the first equipment, which receives it.
508. The first equipment determines, according to the installation information, whether the user chose to install the first patch; if so, step 509 is performed; if not, step 511 is performed;
In this embodiment, after receiving the installation information fed back by the first plug-in unit, the first equipment can determine from it whether the user chose to install the first patch.
Steps 509 to 510 in this embodiment are the same as steps 204 to 205 in the embodiment shown in Fig. 2 and are not repeated here.
In step 509 of this embodiment, if the first equipment determines that the user of the second equipment chose to install the first patch, the first equipment can push the first patch to the first plug-in unit so that the first plug-in unit installs the first patch on the second equipment.
511. The first equipment ends the flow.
In this embodiment, if the first equipment judges according to the patch information that the second equipment does not lack the first patch, this means that the second equipment has already installed the first patch, or does not need it, or is not suited to installing it, and the flow can be ended without performing other operations.
In this embodiment, if the first equipment determines according to the installation information that the user did not choose to install the first patch, it can likewise end the flow without performing other operations.
It should be noted that the embodiment shown in Fig. 5 can also be combined with the embodiment shown in Fig. 3 or Fig. 4 respectively; that is, the first plug-in unit reports the patch information of the second equipment to the first equipment after the first equipment sends the first instruction to the first plug-in unit, or after the first plug-in unit detects that a preset trigger event has occurred. The parts that are the same are not repeated here.
Further, based on the description of any of the above embodiments, in practical applications, before the first equipment pushes the first patch to the first plug-in unit so that the first plug-in unit installs it on the second equipment, the first equipment can issue a second instruction for intercepting the external communication of the second equipment if it detects that the second equipment is in an external communication state, so as not to create unnecessary security risks.
For example, when the second equipment in the enterprise initiates a network request to the external network, the first plug-in unit detects that a preset trigger event has occurred and reports the patch information of the second equipment to the first equipment. If the first equipment is a component of the firewall, then in addition to being linked with the first plug-in unit it can also be linked with other modules of the firewall, such as the network control module and the attack defense module. When the first equipment judges according to the patch information that the second equipment lacks the first patch, it can issue an instruction to the firewall's network control module; the network control module then intercepts the network request that the second equipment initiated to the external network and pushes to the first plug-in unit a notice that the external communication of the user of the second equipment is temporarily forbidden, so that the first plug-in unit can enter the installation procedure for the first patch on the second equipment. If the first equipment judges that the second equipment does not lack the first patch, it can likewise notify the firewall's network control module, which then releases the network request that the second equipment initiated to the external network and allows the external communication of the user of the second equipment.
It can be understood that if the first equipment is not a component of the firewall, that is, the first equipment and the firewall are two separate products, a network control module can also be provided in the first equipment. In that case, based on the above, the network control module in the first equipment receives the second instruction and intercepts the external communication of the second equipment according to it. In practical applications, the corresponding operations can be performed according to the actual product design; this is not specifically limited here.
Further, after the first plug-in unit installs the first patch on the second equipment, to improve the experience of the user of the second equipment, the first plug-in unit can output on the second equipment a prompt that the first patch has been installed, so that the user of the second equipment does not, unaware of the installation, run a patch check on their own initiative and waste time. Likewise, if the external communication of the second equipment was intercepted before the first plug-in unit installed the first patch, then after installing the first patch on the second equipment the first plug-in unit can also output on the second equipment a prompt that external communication has been restored, to notify the user of the second equipment that external communication can be attempted again.
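The decision flow of Fig. 5 (steps 503 to 511) together with the interception step described above can be sketched as follows. This is an added example, not code from the patent or from any product: the class and function names, the report fields, the patch identifiers and the sample data are all assumptions made for illustration, and the importance test uses the severity-based classification (urgent or important) that the description offers as one option.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Severity(Enum):
    """The four severity levels named in the description."""
    URGENT = "urgent"
    IMPORTANT = "important"
    WARNING = "warning"
    NOTE = "note"


class Action(Enum):
    PUSH_PATCH = "push_patch"      # steps 509-510
    PUSH_WARNING = "push_warning"  # steps 505-506
    END_FLOW = "end_flow"          # step 511


IMPORTANT_LEVELS = {Severity.URGENT, Severity.IMPORTANT}


@dataclass(frozen=True)
class Patch:
    patch_id: str                        # constructed identifier
    severity: Severity
    supported_os: frozenset              # systems the patch applies to
    superseded_by: Optional[str] = None  # expired: replaced by a later patch
    ignored: bool = False                # marked unsuitable for the environment


def is_invalid(patch: Patch, os_name: str) -> bool:
    """Expired, ignored and shielded patches are invalid and never count as missing."""
    shielded = os_name not in patch.supported_os
    return patch.superseded_by is not None or patch.ignored or shielded


def missing_patches(library: List[Patch], report: dict) -> List[Patch]:
    """Step 503: compare the reported patch information with the patch library."""
    installed = set(report["installed"])
    return [p for p in library
            if p.patch_id not in installed and not is_invalid(p, report["os"])]


def decide(patch: Patch, user_choice: Optional[bool]) -> Action:
    """Steps 504-508 for one missing patch.

    user_choice stays None until the plug-in unit feeds back installation
    information; afterwards it is True (install) or False (ignore).
    """
    if patch.severity in IMPORTANT_LEVELS:
        return Action.PUSH_PATCH
    if user_choice is None:
        return Action.PUSH_WARNING
    return Action.PUSH_PATCH if user_choice else Action.END_FLOW


def handle_report(library: List[Patch], report: dict,
                  user_choices: Optional[Dict[str, bool]] = None) -> dict:
    """Return the per-patch actions and whether to issue the second instruction."""
    user_choices = user_choices or {}
    actions = {p.patch_id: decide(p, user_choices.get(p.patch_id))
               for p in missing_patches(library, report)}
    # Assumption: external communication is intercepted only when a patch is
    # about to be pushed and the second equipment is currently communicating.
    intercept = (Action.PUSH_PATCH in actions.values()
                 and bool(report.get("external_comm", False)))
    return {"actions": actions, "intercept": intercept}


# Constructed patch library and report, for illustration only.
WIN = frozenset({"win10"})
LIBRARY = [
    Patch("P-001", Severity.URGENT, WIN),
    Patch("P-002", Severity.NOTE, WIN),
    Patch("P-003", Severity.IMPORTANT, WIN, superseded_by="P-001"),  # expired
    Patch("P-004", Severity.URGENT, frozenset({"linux"})),           # shielded
    Patch("P-005", Severity.WARNING, WIN, ignored=True),             # ignored
]
REPORT = {"device": "office-pc-01", "os": "win10",
          "installed": [], "external_comm": True}

if __name__ == "__main__":
    print(handle_report(LIBRARY, REPORT))
    # After the user answers the warning for P-002 with "ignore":
    print(handle_report(LIBRARY, REPORT, {"P-002": False}))
```

Because invalid patches are filtered out before the importance check, an expired patch with a high severity never triggers a push or an interception, which matches the note that invalid first patches need not be considered.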
The patch management method in the embodiments of the present invention has been described above; the first equipment and the first plug-in unit in the embodiments of the present invention are described below. Referring to Fig. 6, one embodiment of the first equipment in the embodiments of the present invention includes:
Receiving module 601, configured to receive the patch information of the second equipment sent by the first plug-in unit;
Judging module 602, configured to judge according to the patch information whether the second equipment lacks the first patch;
First pushing module 603, configured to push the first patch to the first plug-in unit when the second equipment lacks the first patch, so that the first plug-in unit installs the first patch on the second equipment.
In this embodiment, after the receiving module 601 receives the patch information of the second equipment sent by the first plug-in unit, the judging module 602 can judge according to the patch information whether the second equipment lacks the first patch. If it does, the first pushing module 603 can push the first patch to the first plug-in unit so that the first plug-in unit installs the first patch on the second equipment. The first patch that the second equipment lacks is thus installed in time, which helps strengthen the network security of the second equipment.
Referring to Fig. 7, another embodiment of the first equipment in the embodiments of the present invention includes:
Module 701 in this embodiment is the same as module 601 in the embodiment shown in Fig. 6, and module 702 is the same as module 602 in the embodiment shown in Fig. 6; they are not repeated here.
First detection module 703, configured to detect whether the first patch is an important patch when the second equipment lacks the first patch;
Module 704 in this embodiment is the same as module 603 in the embodiment shown in Fig. 6 and is not repeated here.
First trigger module 705, configured to trigger the first pushing module to push the first patch to the first plug-in unit when the first patch is an important patch;
Second pushing module 706, configured to push a warning message to the first plug-in unit when the first patch is not an important patch, so that the first plug-in unit prompts the user of the second equipment according to the warning message;
Second trigger module 707, configured to trigger the first pushing module to push the first patch to the first plug-in unit when the user chooses to install the first patch.
Optionally, in some embodiments of the present invention, based on Fig. 7 and as shown in Fig. 8, before the receiving module 701 receives the patch information of the second equipment sent by the first plug-in unit, the first equipment may further include:
Second detection module 708, configured to detect whether a preset trigger event occurs;
Sending module 709, configured to send a first instruction to the first plug-in unit when a preset trigger event occurs, the first instruction being used to request the patch information of the second equipment.
Optionally, in some embodiments of the present invention, based on Fig. 8 and as shown in Fig. 9, before the first pushing module 704 pushes the first patch to the first plug-in unit, the first equipment may further include:
Issuing module 710, configured to issue a second instruction when the second equipment is in an external communication state, the second instruction being used to intercept the external communication of the second equipment.
Referring to Fig. 10, one embodiment of the first plug-in unit in the embodiments of the present invention includes:
Acquisition module 1001, configured to obtain the patch information of the second equipment;
Sending module 1002, configured to send the patch information to the first equipment, so that the first equipment judges according to the patch information whether the second equipment lacks the first patch and, if so, pushes the first patch to the first plug-in unit;
First receiving module 1003, configured to receive the first patch pushed by the second equipment;
Installation module 1004, configured to install the first patch on the second equipment.
In this embodiment, the sending module 1002 can send the patch information of the second equipment obtained by the acquisition module 1001 to the first equipment, so that when the first equipment judges according to the patch information that the second equipment lacks the first patch, the first receiving module 1003 can receive the first patch pushed by the first equipment and the installation module 1004 can install it on the second equipment. It follows that the first patch that the second equipment lacks can be installed even when the second equipment is not connected to the network, and that the patch installation status of the second equipment can be monitored effectively, which helps improve the security of the second equipment.
Referring to Fig. 11, another embodiment of the first plug-in unit in the embodiments of the present invention includes:
Detection module 1101, configured to detect whether a preset trigger event occurs;
Module 1102 in this embodiment is the same as module 1001 in the embodiment shown in Fig. 10 and is not repeated here.
Trigger module 1103, configured to trigger the acquisition module to obtain the patch information of the second equipment when a preset trigger event occurs;
Module 1104 in this embodiment is the same as module 1002 in the embodiment shown in Fig. 10, module 1105 is the same as module 1003 in the embodiment shown in Fig. 10, and module 1106 is the same as module 1004 in the embodiment shown in Fig. 10; they are not repeated here.
Referring to Fig. 12, another embodiment of the first plug-in unit in the embodiments of the present invention includes:
Second receiving module 1201, configured to receive the first instruction sent by the first equipment, the first instruction being used to request the patch information of the first equipment;
Module 1202 in this embodiment is the same as module 1001 in the embodiment shown in Fig. 10, module 1203 is the same as module 1002 in the embodiment shown in Fig. 10, module 1204 is the same as module 1003 in the embodiment shown in Fig. 10, and module 1205 is the same as module 1004 in the embodiment shown in Fig. 10; they are not repeated here.
Optionally, in some embodiments of the present invention, taking Fig. 12 as the basis for illustration and as shown in Fig. 13, the first plug-in unit may further include:
Third receiving module 1206, configured to receive the warning message pushed by the first equipment when the first equipment detects that the first patch is not an important patch;
Prompting module 1207, configured to prompt the user of the second equipment according to the warning message.
The present invention also provides a patch management system, which can include the first equipment and the first plug-in unit described above. With the assistance and cooperation of the first plug-in unit, the first equipment can monitor and manage the patches of all computers in the enterprise, which helps strengthen the security protection of all computers in the enterprise.
The present invention also provides a firewall, which can include the first equipment. The first equipment can be linked with other modules in the firewall so that they work in conjunction with each other.
It can be understood that, in the embodiments of the present invention, the first equipment and the first plug-in unit can also be described from a hardware point of view. Taking the first equipment as an example (the parts of the description that are the same for the first plug-in unit are not repeated), the first equipment in the embodiments of the present invention includes a processor, a memory, and a computer program stored in the memory and executable on the processor. When the processor executes the computer program, it implements the steps performed by the first equipment in each of the above method embodiments, or implements the functions of each module of the first equipment in the above embodiments. For the parts that are the same, refer to the description above; they are not repeated here.
By way of example, the computer program can be divided into one or more modules/units, which are stored in the memory and executed by the processor to carry out the present invention. The one or more modules/units can be a series of computer program instruction segments capable of performing specific functions, the instruction segments being used to describe the execution of the computer program in the first equipment. For details, refer to the description of each module of the first equipment; they are not repeated here.
The first equipment may include, but is not limited to, a processor and a memory. Those skilled in the art will understand that this description is only an example of the first equipment and does not limit it; the first equipment can include more or fewer components than described, combine certain components, or use different components. For example, the first equipment can also include input and output devices, network access devices, a bus and so on.
The processor can be a central processing unit (Central Processing Unit, CPU), or another general-purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components and so on. The general-purpose processor can be a microprocessor or any conventional processor. The processor is the control center of the first equipment and connects the parts of the whole first equipment through various interfaces and lines.
The memory can be used to store the computer program and/or modules. The processor implements the various functions of the first equipment by running or executing the computer program and/or modules stored in the memory and by calling the data stored in the memory. The memory can mainly include a program storage area and a data storage area: the program storage area can store the operating system, the application programs required for at least one function and so on; the data storage area can store data created according to the use of the mobile phone (such as the patch library) and so on. In addition, the memory can include high-speed random access memory and can also include non-volatile memory, such as a hard disk, internal memory, a plug-in hard disk, a smart media card (Smart Media Card, SMC), a secure digital (Secure Digital, SD) card, a flash card (Flash Card), at least one disk storage device, a flash memory device or other volatile solid-state storage device.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the system, apparatus and units described above can be found in the corresponding processes of the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus and method can be implemented in other ways. For example, the apparatus embodiments described above are only schematic. The division into units is only a division by logical function, and other divisions are possible in an actual implementation; for example, multiple units or components can be combined or integrated into another system, or some features can be ignored or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed can be an indirect coupling or communication connection between apparatuses or units through some interfaces, and can be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they can be located in one place or distributed over multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, the functional units in the embodiments of the present invention can be integrated in one processing unit, each unit can exist physically on its own, or two or more units can be integrated in one unit. The integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes a number of instructions that cause a computer device (which can be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash disk, a removable hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a magnetic disk or an optical disc.
As stated above, the above embodiments are only intended to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they can still modify the technical solutions described in the foregoing embodiments or make equivalent replacements of some of their technical features, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (24)

1. A patch management method, applied to a first equipment, characterized by comprising:
receiving patch information of a second equipment sent by a first plug-in unit;
judging, according to the patch information, whether the second equipment lacks a first patch;
if so, pushing the first patch to the first plug-in unit, so that the first plug-in unit installs the first patch on the second equipment.
2. The patch management method according to claim 1, characterized in that, after the judging, according to the patch information, whether the second equipment lacks the first patch, and before the pushing of the first patch to the first plug-in unit, the method further comprises:
if the second equipment lacks the first patch, detecting whether the first patch is an important patch;
if so, triggering the step of pushing the first patch to the first plug-in unit;
if not, pushing a warning message to the first plug-in unit, so that the first plug-in unit prompts the user of the second equipment according to the warning message.
3. The patch management method according to claim 2, characterized in that, after the pushing of the warning message to the first plug-in unit, the method further comprises:
if the user chooses to install the first patch, triggering the step of pushing the first patch to the first plug-in unit.
4. The patch management method according to any one of claims 1 to 3, characterized in that, before the receiving of the patch information of the second equipment sent by the first plug-in unit, the method further comprises:
detecting whether a default trigger event occurs;
if so, sending a first instruction to the first plug-in unit, the first instruction being used to request the patch information of the second equipment.
5. The patch management method according to claim 4, characterized in that the default trigger event comprises at least one of the following:
the patch library is updated, a vulnerability appears in the system, a security incident occurs in the system.
6. The patch management method according to any one of claims 1 to 3, characterized in that, before the pushing of the first patch to the first plug-in unit, the method further comprises:
when the second equipment is in an external communication state, issuing a second instruction, the second instruction being used to intercept the external communication of the second equipment.
7. A patch management method, applied to a first plug-in unit, characterized by comprising:
obtaining patch information of a second equipment;
sending the patch information to a first equipment, so that the first equipment judges, according to the patch information, whether the second equipment lacks a first patch and, if so, pushes the first patch to the first plug-in unit;
receiving the first patch pushed by the second equipment;
installing the first patch on the second equipment.
8. The patch management method according to claim 7, characterized in that, before the obtaining of the patch information of the second equipment, the method further comprises:
detecting whether a default trigger event occurs;
if so, triggering the step of obtaining the patch information of the second equipment.
9. The patch management method according to claim 8, characterized in that the default trigger event comprises at least one of the following:
the first equipment initiates a network request to an external network, the first equipment installs a first application, a security incident occurs on the first equipment.
10. The patch management method according to claim 7, characterized in that, before the obtaining of the patch information of the second equipment, the method further comprises:
receiving a first instruction sent by the first equipment, the first instruction being used to request the patch information of the first equipment.
11. The patch management method according to any one of claims 7 to 10, characterized in that the method further comprises:
if the first equipment detects that the first patch is not the important patch, receiving the warning message pushed by the first equipment;
prompting the user of the second equipment according to the warning message.
12. A first equipment, characterized by comprising:
a receiving module, for receiving patch information of a second equipment sent by a first plug-in unit;
a judging module, for judging, according to the patch information, whether the second equipment lacks a first patch;
a first pushing module, for pushing the first patch to the first plug-in unit when the second equipment lacks the first patch, so that the first plug-in unit installs the first patch on the second equipment.
13. The first equipment according to claim 12, characterized in that the first equipment further comprises:
a first detection module, for detecting whether the first patch is an important patch when the second equipment lacks the first patch;
a first trigger module, for triggering the first pushing module to push the first patch to the first plug-in unit when the first patch is the important patch;
a second pushing module, for pushing a warning message to the first plug-in unit when the first patch is not the important patch, so that the first plug-in unit prompts the user of the second equipment according to the warning message.
14. The first equipment according to claim 13, characterized in that the first equipment further comprises:
a second trigger module, for triggering the first pushing module to push the first patch to the first plug-in unit when the user chooses to install the first patch.
15. The first equipment according to any one of claims 12 to 14, the first equipment further comprising:
a second detection module, for detecting whether a default trigger event occurs;
a sending module, for sending a first instruction to the first plug-in unit when the default trigger event occurs, the first instruction being used to request the patch information of the second equipment.
16. The first equipment according to claim 15, characterized in that the default trigger event comprises at least one of the following:
the patch library is updated, a vulnerability appears in the system, a security incident occurs in the system.
17. The first equipment according to any one of claims 12 to 14, characterized in that the first equipment further comprises:
an issuing module, for issuing a second instruction when the second equipment is in an external communication state, the second instruction being used to intercept the external communication of the second equipment.
18. A first plug-in unit, characterized by comprising:
an acquisition module, for obtaining patch information of a second equipment;
a sending module, for sending the patch information to a first equipment, so that the first equipment judges, according to the patch information, whether the second equipment lacks a first patch and, if so, pushes the first patch to the first plug-in unit;
a first receiving module, for receiving the first patch pushed by the second equipment;
an installation module, for installing the first patch on the second equipment.
19. The first plug-in unit according to claim 18, characterized in that the first plug-in unit further comprises:
a detection module, for detecting whether a default trigger event occurs;
a trigger module, for triggering, when the default trigger event occurs, the step in which the acquisition module obtains the patch information of the second equipment.
20. The first plug-in unit according to claim 19, characterized in that the default trigger event comprises at least one of the following:
the first equipment initiates a network request to an external network, the first equipment installs a first application, a security incident occurs on the first equipment.
21. The first plug-in unit according to claim 18, characterized in that the first plug-in unit further comprises:
a second receiving module, for receiving a first instruction sent by the first equipment, the first instruction being used to request the patch information of the first equipment.
22. The first plug-in unit according to any one of claims 18 to 21, characterized in that the first plug-in unit further comprises:
a third receiving module, for receiving the warning message pushed by the first equipment when the first equipment detects that the first patch is not the important patch;
a prompting module, for prompting the user of the second equipment according to the warning message.
23. A patch management system, characterized by comprising the first equipment according to any one of claims 12 to 17 and the first plug-in unit according to any one of claims 18 to 22.
24. A firewall, characterized by comprising the first equipment according to any one of claims 12 to 17.
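
The first-equipment decision flow of claims 1 to 3 and 6, as an added Python example that is not code from the patent or its applicant. The class, method and action names and the sample patch IDs are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Patch:
    patch_id: str
    important: bool  # result of the "important patch" check in claim 2


@dataclass
class FirstDevice:
    """First-equipment side of claims 1-3 and 6 (all names are assumptions)."""
    patch_library: dict                                # patch_id -> Patch
    awaiting_user: dict = field(default_factory=dict)  # device_id -> {patch_id}

    def _push(self, device_id, patch_id, external_comm):
        actions = []
        if external_comm:
            # Claim 6: issue the second instruction before the patch is pushed.
            actions.append(("INTERCEPT_EXTERNAL", device_id))
        actions.append(("PUSH_PATCH", device_id, patch_id))
        return actions

    def on_patch_info(self, device_id, installed_ids, external_comm):
        """Claims 1-2: judge which patches are missing and choose a reaction."""
        installed = set(installed_ids)
        actions = []
        for patch_id in sorted(self.patch_library):
            if patch_id in installed:
                continue
            if self.patch_library[patch_id].important:
                for action in self._push(device_id, patch_id, external_comm):
                    if action not in actions:  # one intercept per report
                        actions.append(action)
            else:
                self.awaiting_user.setdefault(device_id, set()).add(patch_id)
                actions.append(("PUSH_WARNING", device_id, patch_id))
        return actions

    def on_user_choice(self, device_id, patch_id, install, external_comm):
        """Claim 3: push a warned-about patch only after the user accepts it."""
        waiting = self.awaiting_user.get(device_id, set())
        if patch_id not in waiting:
            return []  # never warned about: ignore unsolicited requests
        waiting.discard(patch_id)
        return self._push(device_id, patch_id, external_comm) if install else []


# Constructed sample data: two important patches and one optional patch.
LIBRARY = {p.patch_id: p for p in (
    Patch("P-001", True), Patch("P-002", False), Patch("P-003", True))}


def demo():
    firewall = FirstDevice(dict(LIBRARY))
    report = firewall.on_patch_info("host-a", ["P-003"], external_comm=True)
    choice = firewall.on_user_choice("host-a", "P-002", True, external_comm=True)
    return report, choice


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The patch information is whatever the plug-in reports, so the sketch only tracks a user choice for a patch it has itself warned about and ignores any other request.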
CN201710373698.5A 2017-05-24 2017-05-24 A kind of patch management method, the first equipment, the first plug-in unit, system and fire wall Pending CN107193600A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710373698.5A CN107193600A (en) 2017-05-24 2017-05-24 A kind of patch management method, the first equipment, the first plug-in unit, system and fire wall

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710373698.5A CN107193600A (en) 2017-05-24 2017-05-24 A kind of patch management method, the first equipment, the first plug-in unit, system and fire wall

Publications (1)

Publication Number Publication Date
CN107193600A true CN107193600A (en) 2017-09-22

Family

ID=59874372

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710373698.5A Pending CN107193600A (en) 2017-05-24 2017-05-24 A kind of patch management method, the first equipment, the first plug-in unit, system and fire wall

Country Status (1)

Country Link
CN (1) CN107193600A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102103464A (en) * 2011-02-21 2011-06-22 北京奇虎科技有限公司 Method and device for outputting service pack information
CN102413011A (en) * 2011-11-18 2012-04-11 奇智软件(北京)有限公司 Local area network (LAN) security evaluation method and system
CN103413083A (en) * 2013-08-15 2013-11-27 水利部水利信息中心 Security defending system for single host
CN105610776A (en) * 2015-09-24 2016-05-25 中科信息安全共性技术国家工程研究中心有限公司 Cloud calculating IaaS layer high risk safety loophole detection method and system thereof
CN106130966A (en) * 2016-06-20 2016-11-16 北京奇虎科技有限公司 A kind of bug excavation detection method, server, device and system
US9606793B1 (en) * 2016-09-14 2017-03-28 Red Hat Israel, Ltd. Backporting of bug patches

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
俞伟明: ""玩转XP的安全秘密武器"", 《电脑知识与技术》 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107766068A (en) * 2017-10-10 2018-03-06 金蝶软件(中国)有限公司 Application system patch installation, device, computer equipment and storage medium
CN109117644A (en) * 2018-09-28 2019-01-01 深信服科技股份有限公司 A kind of method of adjustment of operation conditions, system, host and readable storage medium storing program for executing
CN109117644B (en) * 2018-09-28 2022-08-05 深信服科技股份有限公司 Method and system for adjusting running state, host and readable storage medium
CN110058874A (en) * 2019-03-14 2019-07-26 广东九联科技股份有限公司 A kind of code patch inspection System and method for
CN110058874B (en) * 2019-03-14 2022-03-15 广东九联科技股份有限公司 Code patch checking system and method

Similar Documents

Publication Publication Date Title
EP2566130B1 (en) Automatic analysis of security related incidents in computer networks
CN104270467B (en) A kind of virtual machine management-control method for mixed cloud
CN108664793B (en) Method and device for detecting vulnerability
CN104811506B (en) Rapeseed oil remote monitoring system and method based on wireless sensor network
CN107193600A (en) A kind of patch management method, the first equipment, the first plug-in unit, system and fire wall
CN111131253A (en) Scene-based security event global response method, device, equipment and storage medium
CN107463839A (en) A kind of system and method for managing application program
CN102724208A (en) System and method for controlling access to network resources
CN106998335A (en) A kind of leak detection method, gateway device, browser and system
CN108021485A (en) The monitoring method and device of application program running state
CN103593616A (en) System and method for preventing and controlling USB flash disk viruses in enterprise information network
CN103365963B (en) Database audit system compliance method for quickly detecting
CN107797859A (en) A kind of dispatching method of timed task and a kind of dispatch server
CN101719846A (en) Security monitoring method, device and system
CN114418263A (en) A defense system for power monitoring device of thermal power plant
CN116155531A (en) Method and device for network equipment security management based on SOAR and electronic equipment
KR101233934B1 (en) Integrated Intelligent Security Management System and Method
CN112600709A (en) Management system for local area network terminal and use method
CN107911229A (en) Based reminding method, device, electronic equipment and the storage medium that operating status changes
CN113162897A (en) Industrial control network security filtering system and method
CN112769814B (en) Method and system for comprehensively coordinating network security equipment in linkage manner
CN106254163B (en) Monitor the method and device of the USB port of computer in local area network
CN111258712B (en) Method and system for protecting safety of virtual machine under virtual platform network isolation
CN205510110U (en) A network leak scanning system for distributed network platform
CN105939202A (en) Method and device for managing life cycle of device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170922