CN111400712A - File virus checking and killing method, equipment, device and computer storage medium - Google Patents


Info

Publication number
CN111400712A
Authority
CN
China
Prior art keywords
killing
file
searching
information
virus
Prior art date
Legal status
Pending
Application number
CN202010190322.2A
Other languages
Chinese (zh)
Inventor
杜振宇
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd
Priority to CN202010190322.2A
Publication of CN111400712A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files

Abstract

The invention discloses a virus searching and killing method for a file, which comprises the following steps: performing local searching and killing on the file according to the characteristic information of the file to be searched and killed; if the local searching and killing matching of the file fails, sending the characteristic information of the file to a cloud server, wherein the cloud server acquires searching and killing information corresponding to the characteristic information and feeds back the searching and killing information; and if the searching and killing information is received within the preset time, processing the file according to the received searching and killing information. The invention also discloses a method, equipment and a device for searching and killing the virus of the file and a computer storage medium.

Description

File virus checking and killing method, equipment, device and computer storage medium
Technical Field
The present invention relates to the field of virus searching and killing technologies, and in particular, to a method, an apparatus, a device, and a computer storage medium for searching and killing viruses of files.
Background
When a file downloaded by a terminal device is subjected to virus checking and killing, if no virus can be detected by local checking and killing, a cache file generally needs to be uploaded to a cloud for detection.
For cloud detection, the entire cache file generally has to be uploaded to a cloud server. If the cache file is large, the uploading and detection processes are too time-consuming and the terminal equipment cannot receive the searching and killing results fed back by the cloud in time, so the terminal equipment releases the cache file; if the file is a virus file, this can cause great potential safety hazards.
The above is only for the purpose of assisting understanding of the technical aspects of the present invention, and does not represent an admission that the above is prior art.
Disclosure of Invention
The invention mainly aims to provide a method, equipment and device for searching and killing viruses of files and a computer storage medium, and aims to improve virus searching and killing efficiency by sending characteristic information of the files to a cloud for virus searching and killing after local searching and killing fails.
In order to achieve the above object, the present invention provides a method for searching and killing a virus of a file, which comprises the following steps:
performing local searching and killing on the file according to the characteristic information of the file to be searched and killed;
if the local searching and killing matching of the file fails, sending the characteristic information of the file to a cloud server, wherein the cloud server acquires searching and killing information corresponding to the characteristic information and feeds back the searching and killing information;
and if the searching and killing information is received within the preset time, processing the file according to the received searching and killing information.
Optionally, the step of performing local searching and killing on the file according to the feature information of the file to be searched and killed includes:
acquiring the characteristic information of the file to be searched and killed and preset characteristic data corresponding to a local database;
and when the characteristic information is not matched with the preset characteristic data, judging that the local searching, killing and matching of the file fails, wherein the preset characteristic data comprises local white list data and local black list data.
Optionally, after the step of sending the feature information of the file to a cloud server, the method further includes:
and if the searching and killing information fed back by the cloud server is not received within a preset time length, performing releasing processing on the file.
Optionally, the step of sending the feature information of the file to a cloud server, wherein the cloud server acquires killing information corresponding to the feature information and feeds back the killing information, includes:
acquiring the storage capacity occupied by the file;
and sending the occupied storage capacity and the feature information to the cloud server, wherein when cloud blacklist data matched with the feature information and the storage capacity exist in a cloud database of the cloud server, virus information is used as the searching and killing information, and the searching and killing information is fed back.
Optionally, before the step of sending the feature information of the file to the cloud server, the method further includes:
and calculating the data in the file through a Hash algorithm to obtain the characteristic information of the file.
Optionally, the step of processing the file according to the received killing information includes:
deleting the file when the checking and killing information is virus information;
and when the checking and killing information is non-virus information, performing release processing on the file.
Optionally, before the step of performing local searching and killing on the file according to the feature information of the file to be searched and killed, the method further includes:
after detecting that the terminal equipment sends a downloading request to a server, caching response data of the downloading request fed back by the server to a preset storage area until the storage capacity occupied by the cached response data reaches the real size of a file corresponding to the response data and finishing caching;
and taking the file corresponding to the cached response data after the caching is finished as the file to be checked and killed.
In addition, in order to achieve the above object, the present invention further provides a method for searching and killing a virus of a file, which comprises the following steps:
when a cloud server receives feature information sent by terminal equipment, acquiring searching and killing information corresponding to the feature information, wherein the terminal equipment carries out local searching and killing on a file to be searched and killed according to the feature information of the file and, if the local searching and killing matching of the file fails, sends the feature information of the file to the cloud server;
and feeding back the searching and killing information to the terminal equipment, wherein if the terminal equipment receives the searching and killing information within a preset time length, the file is processed according to the received searching and killing information.
Optionally, the step of obtaining the killing information corresponding to the feature information includes:
and when cloud blacklist data matched with the characteristic information exists in a cloud database of the cloud server, taking the virus information as the searching and killing information.
Optionally, before the step of using the virus information as the killing information, the method for killing the virus of the file further includes:
acquiring the storage capacity sent by the terminal equipment;
and when the storage capacity is matched with the cloud blacklist data, executing the step of taking the virus information as the searching and killing information.
Optionally, the step of obtaining the killing information corresponding to the feature information further includes:
and when cloud white list data matched with the characteristic information exists in a cloud database of the cloud server or cloud black list data and cloud white list data matched with the characteristic information do not exist, taking non-virus information as the searching and killing information.
In addition, in order to achieve the above object, the present invention provides a file virus searching and killing apparatus, including:
the processing module is used for carrying out local searching and killing on the file according to the characteristic information of the file to be searched and killed;
the sending module is used for sending the characteristic information of the file to a cloud server if the local searching, killing and matching of the file fails, wherein the cloud server obtains searching and killing information corresponding to the characteristic information and feeds back the searching and killing information;
and the processing module is also used for processing the file according to the received searching and killing information if the searching and killing information is received within a preset time length.
In addition, in order to achieve the above object, the present invention further provides a device for searching and killing a virus of a file, including: the system comprises a memory, a processor and a virus killing program of a file stored on the memory and capable of running on the processor, wherein the virus killing program of the file realizes the steps of the virus killing method of the file according to any one of the above items when being executed by the processor.
In addition, to achieve the above object, the present invention further provides a computer storage medium, on which a virus killing program of a file is stored, and the virus killing program of the file, when executed by a processor, implements the steps of the virus killing method of the file according to any one of the above.
According to the method, the device and the apparatus for searching and killing the viruses of the files and the computer storage medium provided by the embodiment of the invention, the files are searched and killed locally according to the characteristic information of the files to be searched and killed; if the local searching and killing matching of the files fails, the characteristic information of the files is sent to the cloud server, wherein the cloud server obtains the searching and killing information corresponding to the characteristic information and feeds back the searching and killing information; and if the searching and killing information is received within the preset time length, the files are processed according to the received searching and killing information. According to the invention, when local searching and killing cannot determine whether the file is a virus, the characteristic information of the file is sent to the cloud server to detect whether the file has the virus, so that sending the file body is avoided, the time required by virus searching and killing is shortened, the virus searching and killing efficiency is improved, and real-time virus searching and killing is achieved.
Drawings
FIG. 1 is a schematic terminal structure diagram of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a schematic flowchart of a virus searching and killing method according to a first embodiment of the present invention;
FIG. 3 is a schematic flowchart of a virus searching and killing method according to a second embodiment of the present invention;
FIG. 4 is a schematic flowchart of a virus searching and killing method according to a third embodiment of the present invention;
FIG. 5 is a schematic flowchart of a fourth embodiment of the virus searching and killing method according to the present invention;
FIG. 6 is a schematic diagram of an application scenario of the virus searching and killing method according to the present invention;
FIG. 7 is a schematic diagram of file interception according to the present invention;
FIG. 8 is a schematic representation of a process for processing a document according to the present invention;
FIG. 9 is a schematic feedback diagram of the cloud server according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The embodiment of the invention provides a solution, which is characterized in that when the file is not detected to be a virus locally, the characteristic information of the file is sent to a cloud server to detect whether the file has the virus, so that the file body is prevented from being sent, the time required by virus detection is shortened, the virus detection efficiency is improved, and the virus detection real-time performance is realized.
As shown in fig. 1, fig. 1 is a schematic terminal structure diagram of a hardware operating environment according to an embodiment of the present invention.
The terminal of the embodiment of the invention can be a PC, a smart phone and other terminals, and can also be a cloud server.
As shown in fig. 1, the terminal may include: a processor 1001, such as a CPU, a network interface 1004, a user interface 1003, a memory 1005, and a communication bus 1002. The communication bus 1002 is used to enable connection and communication between these components. The user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard), and may optionally also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the terminal structure shown in fig. 1 is not intended to be limiting and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
As shown in fig. 1, the memory 1005, which is a kind of computer-readable storage medium, may include an operating system, a network communication module, a user interface module, and a virus killing program of a file.
In the terminal shown in fig. 1, the network interface 1004 is mainly used for connecting to a backend server and performing data communication with the backend server; the user interface 1003 is mainly used for connecting a client (user side) and performing data communication with the client; and the processor 1001 may be configured to call a virus killer of a file stored in the memory 1005, and perform the following operations:
performing local searching and killing on the file according to the characteristic information of the file to be searched and killed;
if the local searching and killing matching of the file fails, sending the characteristic information of the file to a cloud server, wherein the cloud server acquires searching and killing information corresponding to the characteristic information and feeds back the searching and killing information;
and if the searching and killing information is received within the preset time, processing the file according to the received searching and killing information.
Further, the processor 1001 may call a virus killer of a file stored in the memory 1005, and also perform the following operations:
acquiring the characteristic information of the file to be searched and killed and preset characteristic data corresponding to a local database;
and when the characteristic information is not matched with the preset characteristic data, judging that the local searching, killing and matching of the file fails, wherein the preset characteristic data comprises local white list data and local black list data.
Further, the processor 1001 may call a virus killer of a file stored in the memory 1005, and also perform the following operations:
and if the searching and killing information fed back by the cloud server is not received within a preset time length, performing releasing processing on the file.
Further, the processor 1001 may call a virus killer of a file stored in the memory 1005, and also perform the following operations:
acquiring the storage capacity occupied by the file;
and sending the occupied storage capacity and the feature information to the cloud server, wherein when cloud blacklist data matched with the feature information and the storage capacity exist in a cloud database of the cloud server, virus information is used as the searching and killing information, and the searching and killing information is fed back.
Further, the processor 1001 may call a virus killer of a file stored in the memory 1005, and also perform the following operations:
and calculating the data in the file through a Hash algorithm to obtain the characteristic information of the file.
Further, the processor 1001 may call a virus killer of a file stored in the memory 1005, and also perform the following operations:
deleting the file when the checking and killing information is virus information;
and when the checking and killing information is non-virus information, performing release processing on the file.
Further, the processor 1001 may call a virus killer of a file stored in the memory 1005, and also perform the following operations:
after detecting that the terminal equipment sends a downloading request to a server, caching response data of the downloading request fed back by the server to a preset storage area until the storage capacity occupied by the cached response data reaches the real size of a file corresponding to the response data and finishing caching;
and taking the file corresponding to the cached response data after the caching is finished as the file to be checked and killed.
The processor 1001 may also be configured to invoke a virus killer on a file stored in the memory 1005, and perform the following operations:
when a cloud server receives feature information sent by terminal equipment, acquiring searching and killing information corresponding to the feature information, wherein the terminal equipment carries out local searching and killing on a file to be searched and killed according to the feature information of the file and, if the local searching and killing matching of the file fails, sends the feature information of the file to the cloud server;
and feeding back the searching and killing information to the terminal equipment, wherein if the terminal equipment receives the searching and killing information within a preset time length, the file is processed according to the received searching and killing information.
Further, the processor 1001 may call a virus killer of a file stored in the memory 1005, and also perform the following operations:
and when cloud blacklist data matched with the characteristic information exists in a cloud database of the cloud server, taking the virus information as the searching and killing information.
Further, the processor 1001 may call a virus killer of a file stored in the memory 1005, and also perform the following operations:
acquiring the storage capacity sent by the terminal equipment;
and when the storage capacity is matched with the cloud blacklist data, executing the step of taking the virus information as the searching and killing information.
Further, the processor 1001 may call a virus killer of a file stored in the memory 1005, and also perform the following operations:
and when cloud white list data matched with the characteristic information exists in a cloud database of the cloud server or cloud black list data and cloud white list data matched with the characteristic information do not exist, taking non-virus information as the searching and killing information.
Referring to fig. 2, in an embodiment, the method for searching and killing the file for the virus includes the following steps:
Step S10, performing local searching and killing on the file according to the characteristic information of the file to be searched and killed;
In this embodiment, a terminal device is used as the execution subject. Specifically, after the virus searching and killing program in the terminal device obtains the file, it performs local virus searching and killing on the file. Before the file is subjected to local or cloud virus searching and killing, the feature information corresponding to the file can be acquired, so that the file is represented by the feature information. The virus searching and killing program can be an Application Firewall (AF) program that provides safety protection for the terminal equipment, and the AF program comprises a virus killing process (kvd, Kill Virus Daemon). Failure of local searching and killing matching means that whether the file is a virus file or a non-virus file cannot be judged from the local database alone.
The files include data of various network protocols such as HyperText Transfer Protocol (HTTP), HyperText Transfer Protocol Secure (HTTPS), File Transfer Protocol (FTP), Server Message Block (SMB), Simple Mail Transfer Protocol (SMTP), Interactive Mail Access Protocol (IMAP, Internet Mail Access Protocol), and the like.
Optionally, the characteristic information may be any distinguishing characteristic for telling different files apart, such as a feature code, a file signature, a file name, a specific character string in a file, and the like. The feature code may be an MD5 value (MD5 Message-Digest Algorithm), a CRC value, or the like. The MD5 value of a file can be obtained by a hash algorithm, which converts an input of any length into a 128-bit hash value to ensure the integrity and consistency of information transmission, so the data stored in the file to be checked and killed can be calculated by the hash algorithm to obtain the feature code of the file. The CRC value can be obtained by Cyclic Redundancy Check (CRC), a channel coding technique that generates a short fixed-length check code from data such as network data packets or computer files. It is mainly used to detect or check errors that may occur after data transmission or storage, and it uses the principle of division and remainder to detect errors.
Optionally, the virus killing program in the terminal device may also detect a downloading action of the terminal device. When it is detected that the terminal equipment sends a downloading request to the server to download a file, the response data of the downloading request fed back by the server is intercepted; the response data is the downloaded file, and local searching and killing and/or cloud searching and killing are performed on it. Specifically, interception can be achieved by a hook function and the like. As shown in fig. 7, which is a schematic diagram of file interception, the terminal device sends a download request to a cloud server. When the cloud server responds to the download request and starts to issue response data, a hook function is automatically triggered. The hook function calls the virus killing program AF, so that the AF receives the file data and caches it to a preset storage area, which is a virus detection storage area. The file is thereby intercepted, and the subsequent local killing and/or cloud killing is performed. The cloud server issues the response data in the form of data packets, so the file size of all the response data, namely the real size of the file corresponding to the response data, can be obtained from the cached data packets. When the storage capacity occupied by the cached response data reaches the real size of the file corresponding to all the response data, the response data has been fully cached and the interception of the file is complete, so the caching operation can be finished, and the file corresponding to the cached response data after the caching is finished is used as the file to be checked and killed.
Step S20, if the local searching and killing matching of the file fails, sending the characteristic information of the file to a cloud server, wherein the cloud server acquires searching and killing information corresponding to the characteristic information and feeds back the searching and killing information;
In this embodiment, after the local searching and killing matching of the file fails, the feature information of the file is sent to the cloud server, so that the cloud server searches and kills the file according to the feature information. Specifically, the characteristic information and the file have a one-to-one correspondence, and the characteristic information can be used to represent the file, so that the cloud server can acquire the file corresponding to the characteristic information and perform virus searching and killing after receiving the characteristic information.
Optionally, the cloud server may further pre-establish a cloud database, and pre-store characteristic information corresponding to the plurality of virus files in the cloud database. Therefore, when the cloud server receives the feature information, whether cloud blacklist data matched with the received feature information exists in the cloud database can be directly detected. If the file exists, the file for virus searching and killing is consistent with the virus file corresponding to the cloud blacklist data, namely the file is a virus file, and therefore the pre-stored virus information is used as searching and killing information corresponding to the received characteristic information and fed back to a virus searching and killing program in the terminal equipment. If the file does not exist, the file does not belong to the virus file, and therefore the pre-stored non-virus information is used as the killing information corresponding to the received characteristic information and fed back to the virus killing program in the terminal equipment.
And step S30, if the searching and killing information is received within a preset time, processing the file according to the received searching and killing information.
In this embodiment, after receiving the killing information fed back by the cloud server within a preset time, the terminal device processes the file according to the received killing information, where the processing may include isolation processing, deletion processing, release processing, and the like, and the isolation processing refers to transferring the file to a specified storage area and prohibiting the file from running, opening, and the like.
Alternatively, as shown in fig. 6, fig. 6 is a schematic diagram of an application scenario. The AF acquires the characteristic information of the file from the terminal equipment, sends the characteristic information to the cloud server, and carries out file processing on the terminal equipment according to the searching and killing information after receiving the searching and killing information fed back by the cloud server, so that the file body is prevented from being sent, the time required by virus searching and killing is shortened, and the virus searching and killing efficiency is improved.
Optionally, the killing information includes virus information or non-virus information, where the virus information may include a name and a degree of harm of the virus, so that the terminal device performs different processing on different virus files. For example, if the virus information determines that the virus file is less harmful, the virus file is isolated, and if the virus information determines that the virus file is more harmful, the virus file is immediately deleted.
Optionally, when the received virus searching and killing information is virus information, deleting the file for searching and killing the virus, so as to eliminate the potential safety hazard of the virus file to the terminal equipment. And when the received checking and killing information is non-virus information, performing release processing on the file. Specifically, the release processing refers to sending the file to the terminal device, and may be storing the file in a preset storage area in the terminal device for the terminal device to read or the user to view, for example, when the downloading of the file is initiated by a browser of the terminal device, the file is downloaded and virus-killed, and after the file is confirmed to be non-virus, the file is stored in a storage directory corresponding to the browser.
Optionally, as shown in FIG. 8, FIG. 8 is a schematic diagram of a process for processing the file. When the cloud server has errors or network problems, the cloud server cannot feed back the searching and killing information in time. If the searching and killing information fed back by the cloud server is therefore not received within the preset time, the file can be judged to be non-virus, the file is subjected to release processing, and the file is sent to the terminal equipment.
In the technical scheme disclosed in this embodiment, when the file is not found to be a virus in the local searching and killing process, the characteristic information of the file is sent to the cloud server to detect whether the file has the virus, so that the file body is prevented from being sent, the time required by virus searching and killing is shortened, the virus searching and killing efficiency is improved, and the virus searching and killing real-time performance is realized.
In another embodiment, as shown in fig. 3, on the basis of the embodiment shown in fig. 2, the step S10 includes:
Step S11, acquiring the characteristic information of the file to be checked and killed and the preset characteristic data corresponding to the local database;
In this embodiment, when local virus searching and killing is performed, the preset feature data corresponding to a local database in the terminal device may be obtained, and whether the file is a virus file is determined according to the preset feature data.
Optionally, the preset feature data includes local white list data and local black list data, both stored in a local database. The local black list data comprises the characteristics corresponding to pre-stored virus files, and the characteristics corresponding to any one virus file can serve as one item of local black list data. That is, when the characteristic information of the file to be checked and killed includes the characteristics corresponding to any virus file, the file is judged to match the local black list data, meaning the characteristic information matches the preset characteristic data and the file is a virus file. Similarly, the local white list data comprises the characteristics corresponding to pre-stored security files, and the characteristics corresponding to any one security file can serve as one item of local white list data. When the file matches neither the local white list data nor the local black list data, the file is judged not to match the preset characteristic data, indicating that local searching and killing cannot determine whether the file is a virus file.
Optionally, the cloud virus searching and killing process and the local virus searching and killing process can be performed simultaneously, so that the virus searching and killing capacity and efficiency are improved.
Step S12, when the feature information does not match the preset feature data, determining that the local searching and killing match of the file fails, where the preset feature data includes local white list data and local black list data.
In this embodiment, when the file does not match the preset feature data, local searching and killing cannot identify the file as a virus file, and the local searching and killing match of the file is determined to have failed. The cloud virus searching and killing step can then be executed to perform more comprehensive virus searching and killing on the file, further improving the security of the terminal device.
Optionally, when the file is matched with the preset feature data and the virus searching and killing information fed back by the cloud server is virus information, it is indicated that the local database of the terminal device is expired, so that cloud white list data and cloud black list data in the cloud database can be downloaded from the cloud server to update the local white list data and the local black list data in the local database, and the local virus searching and killing capability of the terminal device is improved.
In the technical scheme disclosed in the embodiment, before cloud virus searching and killing is carried out, local searching and killing is carried out on the file, and more comprehensive virus searching and killing is carried out on the file through linkage of the local searching and killing and the cloud searching and killing, so that the virus searching and killing capacity is improved.
In yet another embodiment, as shown in fig. 4, on the basis of the embodiment shown in any one of fig. 2 to 3, the step S20 includes:
Step S21, acquiring the storage capacity occupied by the file;
Step S22, sending the occupied storage capacity and the feature information to the cloud server, wherein when cloud blacklist data matching the feature information and the storage capacity exists in a cloud database of the cloud server, virus information is used as the searching and killing information, and the searching and killing information is fed back.
In this embodiment, due to the characteristics of MD5 values, there may be cases where MD5 values are the same for two files of different contents. Therefore, other information of the file can be introduced to perform virus killing, so as to ensure that the file identified by the cloud server according to the characteristic information is consistent with the file needing virus killing. Specifically, after the characteristic information corresponding to the file is obtained, the storage capacity occupied by the file, that is, the size of the file, may also be obtained. When the feature information is sent to the cloud server, occupied storage capacity information is also sent to the cloud server.
Optionally, when detecting that cloud blacklist data matching the received feature information exists in the cloud database, the cloud server may further detect whether the received storage capacity matches that cloud blacklist data. Specifically, the cloud blacklist data may include the pre-stored characteristic information of a pre-stored virus file and the pre-stored storage capacity occupied by that virus file. When the received characteristic information is the same as the pre-stored characteristic information, the received characteristic information is determined to match the cloud blacklist data, and when the received storage capacity is the same as the pre-stored storage capacity, the received storage capacity is determined to match the cloud blacklist data. When a single item of blacklist data matches both the received characteristic information and the storage capacity, the pre-stored virus file is consistent with the file being searched and killed, and that file is a virus file. The pre-stored virus information can therefore be fed back as searching and killing information to the virus searching and killing program of the terminal device, which processes the file according to it.
In the technical scheme disclosed in this embodiment, the characteristic information is sent to the cloud server to perform cloud virus searching and killing on the file, and the storage capacity occupied by the file is sent to the cloud server to perform file verification, so as to ensure accurate correspondence between the characteristic information and the file.
In another embodiment, as shown in fig. 5, based on the embodiment shown in any one of fig. 2 to 4, the method for searching and killing viruses of the file includes the following steps:
Step S40, when receiving the feature information sent by the terminal equipment, the cloud server obtains the searching and killing information corresponding to the feature information, wherein the terminal equipment carries out local searching and killing on the file according to the feature information of the file to be searched and killed, and if the local searching and killing match of the file fails, the terminal equipment sends the feature information of the file to the cloud server;
In this embodiment, the cloud server is the execution subject. When the cloud server receives the feature information sent by the terminal equipment, virus searching and killing can be carried out according to the feature information so as to obtain the searching and killing information corresponding to it, wherein the feature information can be sent by a virus searching and killing program in the terminal equipment. The virus searching and killing program may be an Application Firewall (AF) that provides security protection for the terminal device.
Optionally, the characteristic information may be any distinguishing characteristic for telling different files apart, such as a characteristic code, a file signature, a file name, a specific character string in a file, and the like. The feature code may be an MD5 value, a CRC value, etc. The MD5 value of the file may be obtained by a hash algorithm, and the CRC value may be obtained according to a Cyclic Redundancy Check (CRC).
Optionally, when virus is detected and killed according to the characteristic information, whether cloud blacklist data and/or cloud white list data consistent with the received characteristic information exist in a cloud database of the cloud server or not is detected, wherein the cloud blacklist data comprises pre-stored characteristic information corresponding to a preset virus file, the pre-stored characteristic information can be generated according to the preset virus file in advance, the cloud white list data comprises pre-stored characteristic information corresponding to a preset safety file, and the pre-stored characteristic information can be generated according to the preset safety file in advance. If the cloud blacklist data matched with the received characteristic information exists, the file corresponding to the characteristic information is a virus file, and therefore the pre-stored virus information can be used as searching and killing information. If the cloud white list data consistent with the received characteristic information exists, the file corresponding to the characteristic information is not the virus file, and therefore the pre-stored non-virus information can be used as searching and killing information. If the cloud blacklist data matched with the received characteristic information does not exist, and the cloud white list data consistent with the received characteristic information does not exist, the cloud searching and killing can not be judged whether the file is a virus file, and therefore the pre-stored non-virus information can be used as searching and killing information.
Optionally, after cloud blacklist data consistent with the received characteristic information is found in the cloud database, the storage capacity sent by the terminal device, namely the size of the file to be searched and killed, can be obtained. Correspondingly, the cloud blacklist data can also comprise the pre-stored storage capacity occupied by the pre-stored virus file, namely the size of the pre-stored virus file, and the cloud white list data can also comprise the pre-stored storage capacity occupied by the pre-stored safety file, namely the size of the pre-stored safety file. Specifically, the pre-stored storage capacity corresponding to the cloud blacklist data matching the received characteristic information is obtained. When the pre-stored storage capacity matches the storage capacity, the size of the pre-stored virus file is consistent with the size of the file being searched and killed, so the step of taking the pre-stored virus information as searching and killing information can be executed. When the pre-stored storage capacity does not match the storage capacity, the size of the pre-stored virus file is not consistent with the size of the file being searched and killed, so the pre-stored non-virus information can be fed back to the terminal equipment as searching and killing information.
Step S50, feeding the searching and killing information back to the terminal equipment, wherein if the terminal equipment receives the searching and killing information within a preset time length, the file is processed according to the received searching and killing information.
In this embodiment, as shown in fig. 9, fig. 9 is a schematic feedback diagram of a cloud server, where after acquiring the killing information corresponding to the characteristic information, the cloud server feeds the killing information back to the terminal device, so that a virus killing program in the terminal device processes a file according to the killing information, where the processing may include isolation processing, deletion processing, release processing, and the like.
In the technical scheme disclosed in this embodiment, when the file is not detected to be a virus locally at the terminal device, the cloud server receives the feature information of the file, detects whether the file has the virus according to the feature information, and avoids receiving and detecting the file body, so that the time required by virus detection is shortened, the virus detection efficiency is improved, and the virus detection real-time performance is realized.
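The terminal-side steps (S11/S12, S21/S22, the preset-duration wait) and the cloud-side steps (S40/S50) described above, put together as an added example that is not code from the patent. The class names, the "high"/"low" harm levels, the `reason` field, the sample byte strings and the choice to delete on a local blacklist hit are assumptions made for illustration.

```python
import hashlib
import queue
import threading
import time
from dataclasses import dataclass

VIRUS, NON_VIRUS = "virus", "non-virus"
# Constructed sample contents; they stand in for real files.
SAMPLE_HIGH = b"constructed sample A: stands in for a high-harm virus file"
SAMPLE_LOW = b"constructed sample B: stands in for a low-harm virus file"
SAMPLE_SIZE_MISMATCH = b"constructed sample C: feature code listed, size differs"
SAMPLE_SAFE = b"constructed sample D: stands in for a known safe file"


@dataclass(frozen=True)
class Feature:
    """What leaves the terminal: MD5 feature code plus file size, never the body."""
    md5: str
    size: int


def feature_of(data: bytes) -> Feature:
    return Feature(hashlib.md5(data).hexdigest(), len(data))


class CloudServer:
    """Steps S40/S50: turn a received feature into searching and killing information."""

    def __init__(self, blacklist, whitelist, delay_s=0.0):
        self.blacklist = blacklist  # md5 -> {"size", "name", "harm"}
        self.whitelist = whitelist  # md5 values of pre-stored safe files
        self.delay_s = delay_s      # simulated server error / network delay
        self.queries = 0

    def lookup(self, feat: Feature) -> dict:
        self.queries += 1
        time.sleep(self.delay_s)
        entry = self.blacklist.get(feat.md5)
        if entry is not None:
            # Virus only when one entry matches the feature code AND the size.
            if entry["size"] == feat.size:
                return {"verdict": VIRUS, "name": entry["name"], "harm": entry["harm"]}
            return {"verdict": NON_VIRUS, "reason": "size-mismatch"}
        if feat.md5 in self.whitelist:
            return {"verdict": NON_VIRUS, "reason": "whitelist"}
        return {"verdict": NON_VIRUS, "reason": "unknown"}


class Terminal:
    """Steps S11/S12 and S21/S22, plus the preset-duration wait for the reply."""

    def __init__(self, local_black, local_white, cloud, timeout_s):
        self.local_black, self.local_white = local_black, local_white
        self.cloud, self.timeout_s = cloud, timeout_s

    def _ask_cloud(self, feat: Feature):
        box = queue.Queue(maxsize=1)
        threading.Thread(target=lambda: box.put(self.cloud.lookup(feat)),
                         daemon=True).start()
        try:
            return box.get(timeout=self.timeout_s)
        except queue.Empty:
            return None  # nothing fed back within the preset duration

    def scan(self, data: bytes) -> str:
        feat = feature_of(data)
        if feat.md5 in self.local_black:
            return "delete"   # assumption: a local blacklist hit is deleted
        if feat.md5 in self.local_white:
            return "release"
        info = self._ask_cloud(feat)  # local match failed: send md5 + size only
        if info is None:
            return "release"  # the page's timeout rule: judged non-virus
        if info["verdict"] == VIRUS:
            return "delete" if info["harm"] == "high" else "isolate"
        return "release"


def build_cloud(delay_s=0.0) -> CloudServer:
    black = {}
    for data, name, harm in ((SAMPLE_HIGH, "Constructed.A", "high"),
                             (SAMPLE_LOW, "Constructed.B", "low")):
        feat = feature_of(data)
        black[feat.md5] = {"size": feat.size, "name": name, "harm": harm}
    # Constructed stand-in for two different files sharing one MD5 value:
    # the listed size deliberately differs from the scanned sample's size.
    feat = feature_of(SAMPLE_SIZE_MISMATCH)
    black[feat.md5] = {"size": feat.size + 1, "name": "Constructed.C", "harm": "high"}
    return CloudServer(black, {feature_of(SAMPLE_SAFE).md5}, delay_s)


if __name__ == "__main__":
    cloud = build_cloud()
    terminal = Terminal(set(), set(), cloud, timeout_s=1.0)
    for sample in (SAMPLE_HIGH, SAMPLE_LOW, SAMPLE_SIZE_MISMATCH, SAMPLE_SAFE):
        feat = feature_of(sample)
        print(feat.md5, feat.size, cloud.lookup(feat), terminal.scan(sample))
```

Setting `delay_s` above `timeout_s` exercises the no-reply path, in which the file is released without any verdict from the cloud.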
In addition, an embodiment of the present invention further provides a device for searching and killing a virus of a file, where the device for searching and killing a virus of a file includes:
the processing module is used for carrying out local searching and killing on the file according to the characteristic information of the file to be searched and killed;
the sending module is used for sending the characteristic information of the file to a cloud server if the local searching, killing and matching of the file fails, wherein the cloud server obtains searching and killing information corresponding to the characteristic information and feeds back the searching and killing information;
and the processing module is also used for processing the file according to the received searching and killing information if the searching and killing information is received within a preset time length.
According to the embodiment, when the file is not found to be a virus in the local searching and killing process, the characteristic information of the file is sent to the cloud server to detect whether the file has the virus, so that the file body is prevented from being sent, the time required by virus searching and killing is shortened, the virus searching and killing efficiency is improved, and the virus searching and killing real-time performance is realized.
In addition, an embodiment of the present invention further provides a device for searching and killing a virus of a file, where the device for searching and killing a virus of a file includes: the system comprises a memory, a processor and a virus killing program of a file stored on the memory and capable of running on the processor, wherein the virus killing program of the file realizes the steps of the virus killing method of the file according to the above embodiments when being executed by the processor.
In addition, an embodiment of the present invention further provides a computer storage medium, where a virus checking and killing program of a file is stored on the computer storage medium, and when the virus checking and killing program of the file is executed by a processor, the steps of the method for checking and killing a virus of a file according to the above embodiments are implemented.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (14)

1. A file virus searching and killing method is characterized by comprising the following steps:
performing local searching and killing on the file according to the characteristic information of the file to be searched and killed;
if the local searching and killing matching of the file fails, sending the characteristic information of the file to a cloud server, wherein the cloud server acquires searching and killing information corresponding to the characteristic information and feeds back the searching and killing information;
and if the searching and killing information is received within the preset time, processing the file according to the received searching and killing information.
2. The method for searching and killing the viruses in the files according to claim 1, wherein the step of locally searching and killing the files according to the characteristic information of the files to be searched and killed comprises the following steps:
acquiring the characteristic information of the file to be searched and killed and preset characteristic data corresponding to a local database;
and when the characteristic information is not matched with the preset characteristic data, judging that the local searching, killing and matching of the file fails, wherein the preset characteristic data comprises local white list data and local black list data.
3. The method for virus killing of a file according to claim 1, wherein after the step of sending the characteristic information of the file to a cloud server, the method further comprises:
and if the searching and killing information fed back by the cloud server is not received within a preset time length, performing releasing processing on the file.
4. The method for searching and killing the viruses in the file according to claim 1, wherein the step of sending the characteristic information of the file to a cloud server, wherein the step of obtaining the searching and killing information corresponding to the characteristic information by the cloud server and feeding back the searching and killing information comprises the steps of:
acquiring the storage capacity occupied by the file;
and sending the occupied storage capacity and the feature information to the cloud server, wherein when cloud blacklist data matched with the feature information and the storage capacity exist in a cloud database of the cloud server, virus information is used as the searching and killing information, and the searching and killing information is fed back.
5. The method for virus killing of a file according to claim 1, wherein before the step of sending the characteristic information of the file to a cloud server, the method further comprises:
and calculating the data in the file through a Hash algorithm to obtain the characteristic information of the file.
6. The method for virus searching and killing of the file according to claim 1, wherein the step of processing the file according to the received searching and killing information comprises:
deleting the file when the checking and killing information is virus information;
and when the checking and killing information is non-virus information, performing release processing on the file.
7. The method for searching and killing the viruses in the files according to claim 1, wherein before the step of locally searching and killing the files according to the characteristic information of the files to be searched and killed, the method further comprises the following steps:
after detecting that the terminal equipment sends a downloading request to a server, caching response data of the downloading request fed back by the server to a preset storage area until the storage capacity occupied by the cached response data reaches the real size of a file corresponding to the response data and finishing caching;
and taking the file corresponding to the cached response data after the caching is finished as the file to be checked and killed.
8. A file virus searching and killing method is characterized by comprising the following steps:
the method comprises the steps that when a cloud server receives feature information sent by terminal equipment, searching and killing information corresponding to the feature information is obtained, wherein the terminal equipment carries out local searching and killing on a file to be searched and killed according to the feature information of the file, and if the local searching and killing matching of the file fails, the feature information of the file is sent to the cloud server;
and feeding back the searching and killing information to the terminal equipment, wherein if the terminal equipment receives the searching and killing information within a preset time length, the file is processed according to the received searching and killing information.
9. The method for searching and killing the file according to claim 8, wherein the step of obtaining the searching and killing information corresponding to the characteristic information comprises the steps of:
and when cloud blacklist data matched with the characteristic information exists in a cloud database of the cloud server, taking the virus information as the searching and killing information.
10. The method for searching and killing the virus in the file according to claim 9, wherein before the step of using the virus information as the searching and killing information, the method for searching and killing the virus in the file further comprises:
acquiring the storage capacity sent by the terminal equipment;
and when the storage capacity is matched with the cloud blacklist data, executing the step of taking the virus information as the searching and killing information.
11. The method for searching and killing the file according to claim 9, wherein the step of obtaining the searching and killing information corresponding to the characteristic information further comprises:
and when cloud white list data matched with the characteristic information exists in a cloud database of the cloud server or cloud black list data and cloud white list data matched with the characteristic information do not exist, taking non-virus information as the searching and killing information.
12. The virus searching and killing device for the file is characterized by comprising the following components:
the processing module is used for carrying out local searching and killing on the file according to the characteristic information of the file to be searched and killed;
the sending module is used for sending the characteristic information of the file to a cloud server if the local searching, killing and matching of the file fails, wherein the cloud server obtains searching and killing information corresponding to the characteristic information and feeds back the searching and killing information;
and the processing module is also used for processing the file according to the received searching and killing information if the searching and killing information is received within a preset time length.
13. The virus checking and killing device for the files is characterized by comprising: memory, processor and virus killer program of a file stored on the memory and executable on the processor, the virus killer program of the file implementing the steps of the virus killing method of a file according to any one of claims 1 to 11 when executed by the processor.
14. A computer storage medium, on which a virus killing program of a file is stored, the virus killing program of the file implementing the steps of the virus killing method of the file according to any one of claims 1 to 11 when executed by a processor.
CN202010190322.2A 2020-03-17 2020-03-17 File virus checking and killing method, equipment, device and computer storage medium Pending CN111400712A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010190322.2A CN111400712A (en) 2020-03-17 2020-03-17 File virus checking and killing method, equipment, device and computer storage medium

Publications (1)

Publication Number Publication Date
CN111400712A true CN111400712A (en) 2020-07-10

Family

ID=71434224

Country Status (1)

Country Link
CN (1) CN111400712A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination