CN111061656A - Secondary rapid disinfection method with low resource consumption - Google Patents


Publication number
CN111061656A
Authority
CN
China
Prior art keywords
file
hash value
encrypted hash
cache
resource consumption
Prior art date
Legal status
Pending
Application number
CN201911103905.0A
Other languages
Chinese (zh)
Inventor
薛瑞
范渊
纪小默
赵悦
菅强
石锐
问闻
赵志巍
李梦姣
周堃
宋扬
张昕
Current Assignee
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Priority date
2019-11-13
Filing date
2019-11-13
Publication date
2020-04-24
Application filed by DBAPPSecurity Co Ltd

Classifications

    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements (G Physics › G06 Computing; calculating or counting › G06F Electric digital data processing › G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems › G06F21/55 Detecting local intrusion or implementing counter-measures)
    • G06F12/1408 Protection against unauthorised use of memory or access to memory by using cryptography (G Physics › G06 Computing; calculating or counting › G06F Electric digital data processing › G06F12/00 Accessing, addressing or allocating within memory systems or architectures › G06F12/14 Protection against unauthorised use of memory or access to memory)
    • G06F16/172 Caching, prefetching or hoarding of files (G Physics › G06 Computing; calculating or counting › G06F Electric digital data processing › G06F16/00 Information retrieval; Database structures therefor; File system structures therefor › G06F16/10 File systems; File servers › G06F16/17 Details of further file system functions)
    • G06F16/1737 Details of further file system functions for reducing power consumption or coping with limited storage space, e.g. in mobile devices (G Physics › G06 Computing; calculating or counting › G06F Electric digital data processing › G06F16/00 Information retrieval; Database structures therefor; File system structures therefor › G06F16/10 File systems; File servers › G06F16/17 Details of further file system functions)

Abstract

The invention provides a secondary rapid disinfection (virus-removal) method with low resource consumption, comprising the following steps: 1) the antivirus software traverses the directories and files to obtain a scan-and-kill result for each file; 2) while traversing the directories and files, it calls a system interface to obtain each file's size; 3) for each file, the path and the file size are converted into a character string, which serves as the first encrypted hash value; 4) the first encrypted hash value obtained in step 3 is written to a cache file together with the corresponding scan result; 5) on the next scan, the cache file is loaded and used for comparison. With this method the virus detection efficiency is markedly improved, the scan time is shorter when scans are repeated, the number and duration of disk reads and writes are markedly reduced, disk wear is reduced, and less CPU is consumed while scanning the cache than with the traditional cache technique.

Description

Secondary rapid disinfection method with low resource consumption
Technical Field
The invention relates to the field of information security and virus scanning and removal. It is a method for improving virus detection efficiency and reducing the large amount of system resources consumed by virus removal.
Background
After a computer is infected, normal programs may fail to run, files on the computer may be deleted or encrypted, and the computer is damaged to varying degrees. Computers are therefore equipped with antivirus software that scans the disk regularly, and virus scanning has become part of a security administrator's daily inspection work. The traditional antivirus detection method compares each file's features against a signature library (virus library). Regularly scanning the computer in this way consumes a large amount of CPU and memory for a long time and may even affect the operation of services.
Cached antivirus scanning adds a memory mechanism after the first scan: files already confirmed safe are skipped as long as the virus library strategy is unchanged. Under the same virus library strategy, the second scan can be compared directly against the cached data to output its result, and only newly added files need to be scanned. For example, a server holding 2 million files normally takes about 5-10 hours to scan (depending on server performance and ignoring file sizes). The traditional cache works by directly computing the MD5 value of each file, so when the antivirus process is already seriously short of resources, the MD5 computation adds further cost: several rounds of computation are needed, more CPU time is required, and the system bears a larger resource burden.
Accordingly, there is a need for improvements in the art.
Disclosure of Invention
The invention aims to provide an efficient secondary rapid disinfection method with low resource consumption.
To solve the above technical problem, the invention provides a secondary rapid disinfection method with low resource consumption, comprising the following steps:
1) the antivirus software traverses the directories and files to obtain a scan-and-kill result for each file;
2) while traversing the directories and files, the antivirus software calls a system interface to obtain each file's size;
3) for each file, the path and the file size are converted into a character string, which serves as the first encrypted hash value;
4) the first encrypted hash value obtained in step 3 is written to a cache file together with the corresponding scan result;
5) on the next scan, the cache file is loaded and used for comparison.
As an improvement of the secondary rapid disinfection method with low resource consumption of the invention:
in step 3, the string is encrypted.
As a further improvement of the secondary rapid disinfection method with low resource consumption of the invention:
the encryption method is MD5_16, i.e. the string is converted into a 16-byte value.
As a further improvement of the secondary rapid disinfection method with low resource consumption of the invention:
step 5 comprises the following steps:
5.1, when the second scan starts, the directories and files are traversed again, a system interface is called to obtain each file's size, the path and file size of each file are converted into a character string, and the string is MD5_16-encrypted into a 16-byte second encrypted hash value;
5.2, the second encrypted hash value is compared with the encrypted hash values in the cache file;
if the cache file contains a first encrypted hash value identical to the second encrypted hash value, the file corresponding to the second encrypted hash value does not need to be scanned, and the scan result stored for the first encrypted hash value is used as the scan result of that file;
if the cache file contains no first encrypted hash value identical to the second encrypted hash value, the antivirus software is run to scan the file corresponding to the second encrypted hash value and obtain its scan result.
As a further improvement of the secondary rapid disinfection method with low resource consumption of the invention:
the cache files are indexed per disk: each disk separately stores the customized encrypted hash values of all its files, and when a given disk is scanned the corresponding cache file is loaded for comparison.
The secondary rapid disinfection method with low resource consumption has the following technical advantages:
1. the virus detection efficiency is markedly improved;
2. when scans are repeated, the scan time is shorter;
3. the number and duration of disk reads and writes are markedly reduced, and disk wear is reduced;
4. compared with the traditional cache technique, less CPU is consumed while scanning the cache.
Detailed Description
The invention is further described below with reference to a specific example, but the scope of the invention is not limited to it.
Embodiment 1. The secondary rapid disinfection method with low resource consumption comprises the following steps:
1. The system starts running the antivirus software, which begins traversing the directories (paths) and files to obtain scan-and-kill results.
2. While traversing the directories and files to obtain the scan result for each file (safe file or malicious file), the antivirus software calls a system interface to obtain the file's size.
3. For each file, its path and file size are converted into a string, and the string is MD5_16-encrypted into a 16-byte first encrypted hash value.
Conversion rule: for example, for a 64 B file under C:\Windows\System32 the string is CWindowsSystem32X64B; the conversion rule is not fixed and can be user-defined.
4. The string representing a single file (the first encrypted hash value obtained in step 3) and its corresponding scan result are written to a customized cache file;
the customized cache file indexes every disk: each disk separately stores the customized first encrypted hash values of all its files, and when a given disk is scanned the corresponding cache file is loaded for comparison.
5. On the next scan, the cached data is loaded and compared directly.
When the second scan starts, all data in the corresponding cache file is loaded first; during the scan each file is quickly compared against it and confirmed as safe or malicious, so not every file has to be matched against the virus library.
Specifically, this step comprises:
5.1, when the second scan starts, the directories (paths) and files are traversed again, a system interface is called to obtain each file's size, the path and file size of each file are converted into a string, and the string is MD5_16-encrypted into a 16-byte second encrypted hash value.
5.2, the second encrypted hash value is compared with the encrypted hash values in the cache file;
if the cache file contains a first encrypted hash value identical to the second encrypted hash value, the file corresponding to the second encrypted hash value does not need to be scanned, and the scan result stored for the first encrypted hash value is used as the scan result of that file;
if the cache file contains no first encrypted hash value identical to the second encrypted hash value, the antivirus software is run to scan the file corresponding to the second encrypted hash value and obtain its scan result.
It should be noted that the present invention is an application of computer technology in the field of information security. Implementing the invention involves computer antivirus software. The applicant believes that, after reading this application, a person skilled in the art can fully implement the invention using their own software programming skills in combination with the prior art, and can properly understand its principles and objectives.
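The following Python is an added illustration of steps 1 to 5 and the per-disk index of Embodiment 1; it is not code from the patent or from DBAPPSecurity. The `path|size` key string is one choice of the user-definable conversion rule, the signature engine is a constructed stand-in that looks for a marker byte string, and the virus-library version tag (which the text says the cache is only valid under) is hypothetical. The example also makes visible the consequence of keying on path and size alone: an edit that keeps the size reuses the cached verdict, while a size change or a library update forces a rescan.

```python
import hashlib
import json
import os

# Constructed stand-ins: a signature-match marker and a hypothetical virus-library version tag.
MALICIOUS_MARKER = b"EXAMPLE-MALWARE-SIGNATURE"
SIG_DB_VERSION = "sigdb-constructed-1"

def file_key(path: str, size: int) -> bytes:
    """Steps 2-3: hash the path+size string to 16 bytes (MD5_16). File content
    is never read here, which saves CPU but makes a same-size edit invisible."""
    return hashlib.md5(f"{path}|{size}".encode("utf-8")).digest()

def signature_scan(path: str) -> str:
    """Stand-in for the full virus-library comparison (reads the whole file)."""
    with open(path, "rb") as fh:
        return "malicious" if MALICIOUS_MARKER in fh.read() else "safe"

class ScanCache:
    """Step 4 and the per-disk improvement: one index per disk, key -> verdict."""
    def __init__(self, sig_db_version: str = SIG_DB_VERSION):
        self.sig_db_version = sig_db_version
        self.disks = {}  # disk label -> {hex key: verdict}

    @staticmethod
    def disk_of(path: str) -> str:
        return os.path.splitdrive(path)[0].upper() or "/"  # POSIX: no drive letter

    def lookup(self, path: str, key: bytes):
        return self.disks.get(self.disk_of(path), {}).get(key.hex())

    def store(self, path: str, key: bytes, verdict: str) -> None:
        self.disks.setdefault(self.disk_of(path), {})[key.hex()] = verdict

    def save(self, cache_file: str) -> None:
        with open(cache_file, "w", encoding="utf-8") as fh:
            json.dump({"sig_db_version": self.sig_db_version, "disks": self.disks}, fh)

    @classmethod
    def load(cls, cache_file: str, sig_db_version: str = SIG_DB_VERSION):
        """Step 5: reload the cache; a changed virus-library version discards it."""
        cache = cls(sig_db_version)
        if os.path.exists(cache_file):
            with open(cache_file, encoding="utf-8") as fh:
                raw = json.load(fh)
            if raw.get("sig_db_version") == sig_db_version:
                cache.disks = raw["disks"]
        return cache

def scan_tree(root: str, cache: ScanCache) -> dict:
    """Steps 1 and 5.1-5.2: walk the tree, reuse a cached verdict on a key hit,
    otherwise run the signature scan. Returns {path: (verdict, from_cache)}."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            key = file_key(path, os.stat(path).st_size)  # size via the OS interface
            verdict = cache.lookup(path, key)
            hit = verdict is not None
            if not hit:
                verdict = signature_scan(path)
                cache.store(path, key, verdict)
            results[path] = (verdict, hit)
    return results
```

A deployment that wants to close the same-size gap would have to add content-dependent data (for example a modification timestamp or a content digest) to the key string, at the cost of some of the CPU saving the method is designed for.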

Claims (5)

1. A secondary rapid disinfection method with low resource consumption, characterized in that the method comprises the following steps:
1) the antivirus software traverses the directories and files to obtain a scan-and-kill result for each file;
2) while traversing the directories and files to obtain the scan result, the antivirus software obtains each file's size;
3) for each file, the path and the file size are converted into a character string, which serves as the first encrypted hash value;
4) the first encrypted hash value obtained in step 3 is written to a cache file together with the corresponding scan result;
5) on the next scan, the cache file is loaded and used for comparison.
2. The secondary rapid disinfection method with low resource consumption according to claim 1, characterized in that:
in step 3, the string is encrypted.
3. The secondary rapid disinfection method with low resource consumption according to claim 2, characterized in that:
the encryption method is MD5_16, i.e. the string is converted into a 16-byte value.
4. The secondary rapid disinfection method with low resource consumption according to claim 3, characterized in that:
step 5 comprises the following steps:
5.1) when the second scan starts, the directories and files are traversed again while each file's size is obtained, the path and file size of each file are converted into a character string, and the string is MD5_16-encrypted into a 16-byte second encrypted hash value;
5.2) the second encrypted hash value is compared with the encrypted hash values in the cache file;
if the cache file contains a first encrypted hash value identical to the second encrypted hash value, the file corresponding to the second encrypted hash value does not need to be scanned, and the scan result stored for the first encrypted hash value is used as the scan result of that file;
if the cache file contains no first encrypted hash value identical to the second encrypted hash value, the antivirus software is run to scan the file corresponding to the second encrypted hash value and obtain its scan result.
5. The secondary rapid disinfection method with low resource consumption according to claim 4, characterized in that:
the cache files are indexed per disk: each disk separately stores the customized encrypted hash values of all its files, and when a given disk is scanned the corresponding cache file is loaded for comparison.

Priority Applications (1)

Application Number: CN201911103905.0A (publication CN111061656A, en)
Priority Date: 2019-11-13
Filing Date: 2019-11-13
Title: Secondary rapid disinfection method with low resource consumption

Publications (1)

Publication Number: CN111061656A (en)
Publication Date: 2020-04-24

Family

ID=70297779

Family Applications (1)

Application Number: CN201911103905.0A (publication CN111061656A, en)
Status: Pending
Priority Date: 2019-11-13
Filing Date: 2019-11-13
Title: Secondary rapid disinfection method with low resource consumption

Country Status (1)

Country Link
CN (1) CN111061656A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101901323A (en) * 2010-07-22 2010-12-01 湖北盛天网络技术有限公司 System filtration method for monitoring loading activity of program module
CN102609515A (en) * 2012-02-07 2012-07-25 奇智软件(北京)有限公司 Quick file scanning method and quick file scanning system
CN102750463A (en) * 2011-12-16 2012-10-24 北京安天电子设备有限公司 System and method for improving file rescanning speed
US20120304298A1 (en) * 2011-05-27 2012-11-29 Netqin Mobile (Beijing) Co., Ltd. Method for antivirus in a mobile device by using a mobile storage and a system thereof

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Cao Sansheng (曹三省): "Advances and Applications in Information Technology and Computer Science" (《信息技术与计算机科学进展及应用》), 30 November 2008 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112084155A (en) * 2020-09-09 2020-12-15 深圳市欢太科技有限公司 Picture processing method, device, equipment, terminal and readable storage medium
CN112084155B (en) * 2020-09-09 2024-03-22 深圳市欢太科技有限公司 Picture processing method, device, equipment, terminal and readable storage medium

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2020-04-24