CN111611584A - Malicious file detection method and device, storage medium and firewall - Google Patents

Info

Publication number: CN111611584A
Authority: CN (China)
Prior art keywords: data, file, server, file data, malicious
Legal status: Pending
Application number: CN202010404761.9A
Other languages: Chinese (zh)
Inventor: 李伟清
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN202010404761.9A
Publication of CN111611584A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • General Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a malicious file detection method, a malicious file detection device, a storage medium and a firewall. The method comprises: when a terminal device transmits file data to a server, releasing the file data to the server and storing the file data in a preset cache; when end control information is received, performing antivirus detection on the file data in the preset cache to obtain an antivirus result; and, when the antivirus result is that the file data is a malicious file, processing the file data in the server according to a preset policy, thereby preventing the propagation of the malicious file and improving file transmission security.

Description

Malicious file detection method and device, storage medium and firewall
Technical Field
The invention relates to the technical field of network security, and in particular to a malicious file detection method, a malicious file detection device, a storage medium and a firewall.
Background
The File Transfer Protocol (FTP) involves two components: an FTP server and an FTP terminal device (client). The FTP server stores files, and a user accesses resources located on the FTP server from the FTP terminal device over the FTP protocol. Request for Comments (RFC) is a series of numbered memos published by the Internet Engineering Task Force (IETF); they collect information about the Internet and about software of the UNIX and Internet communities. Current RFC documents are issued under the sponsorship of the Internet Society (ISOC).
In the field of file security, using an FTP server as a carrier for spreading malicious files is becoming more and more common. A currently known method for auditing files on the transmission channel and judging file properties under the FTP protocol is as follows: the file data carried in an FTP upload is parsed according to the RFC protocol specification and cached in a fixed-size buffer; whenever the buffer is full, the buffered data is scanned and handled according to the scan result. The currently known method has the following disadvantage: the malicious file is scanned in truncated, buffer-sized pieces, so its virus signature may be damaged and the scan result is inaccurate.
The above is only for the purpose of assisting understanding of the technical aspects of the present invention, and does not represent an admission that the above is prior art.
Disclosure of Invention
The invention mainly aims to provide a malicious file detection method, a malicious file detection device, a storage medium and a firewall, so as to solve the technical problem in the prior art that malicious file scan results are inaccurate.
In order to achieve the above object, the present invention provides a malicious file detection method, which includes the following steps:
when a terminal device transmits file data to a server, releasing the file data to the server and storing the file data in a preset cache;
when end control information is received, performing antivirus detection on the file data in the preset cache to obtain an antivirus result;
and when the antivirus result is that the file data is a malicious file, processing the file data in the server according to a preset policy.
Preferably, the end control information includes an end status code or a normal close of the data connection between the terminal device and the server.
Preferably, when the antivirus result indicates that the file data is a malicious file, processing the file data in the server according to the preset policy includes:
when the antivirus result is that the file data is a malicious file, judging according to the preset policy whether to block the connection carrying the file data to the server;
if the connection carrying the file data is blocked, judging whether the file data carries an upload flag;
and when the file data carries the upload flag, generating a delete instruction and transmitting the delete instruction to the server, so that the server deletes the file data according to the delete instruction.
Preferably, when the antivirus result indicates that the file data is a malicious file, after judging according to the preset policy whether to block the connection carrying the file data, the malicious file detection method further includes:
if the connection carrying the file data is not blocked, releasing the file data.
Preferably, when the terminal device transmits the file data to the server through a file transfer protocol control channel, before the file data is released to the server and stored in the preset cache, the malicious file detection method further includes:
parsing the data stream in the file transfer protocol control channel, and judging from the parsed data whether the terminal device is transmitting file data to the server.
Preferably, parsing the data stream in the file transfer protocol control channel and judging from the parsed data whether the terminal device is transmitting file data to the server includes:
parsing the data stream in the file transfer protocol control channel;
when an upload data stream in the direction from the terminal device to the server is parsed, checking whether the upload data stream contains an upload control command;
when the upload control command is present in the data stream, judging whether a file transfer protocol initialization flag exists for the upload data stream;
and if the file transfer protocol initialization flag exists, determining that the data connection is established and that the terminal device transmits file data to the server over that data connection.
Preferably, after parsing the data stream in the file transfer protocol control channel, the malicious file detection method further includes:
when a response data stream from the server to the terminal device is parsed, judging whether the response data stream is data connection data;
if the response data stream is data connection data, judging whether the data connection data is a handshake packet of the data connection;
when the data connection data is a handshake packet of the data connection, judging whether the response data stream carries a waiting-data flag;
and if the waiting-data flag exists, determining that the data connection is established and that the terminal device transmits the file data to the server over that data connection.
In addition, in order to achieve the above object, the present invention further provides a malicious file detection apparatus, including:
a transmission module, configured to release the file data to a server and store the file data in a preset cache when the terminal device transmits the file data to the server;
an antivirus detection module, configured to perform antivirus detection on the file data in the preset cache when end control information is received, to obtain an antivirus result;
and a processing module, configured to process the file data in the server according to a preset policy when the antivirus result is that the file data is a malicious file.
In addition, in order to achieve the above object, the present invention further provides a firewall, where the firewall includes a memory, a processor, and a malicious file detection program stored on the memory and executable on the processor, and the malicious file detection program is configured to implement the steps of the malicious file detection method as described above.
In addition, to achieve the above object, the present invention further provides a storage medium, on which a malicious file detection program is stored, and when the malicious file detection program is executed by a processor, the malicious file detection program implements the steps of the malicious file detection method as described above.
In the invention, when the terminal device transmits file data to the server, the file data is released to the server and stored in the preset cache; when end control information is received, the file data in the preset cache is subjected to antivirus detection to obtain an antivirus result. Because the antivirus detection is performed on the complete file, the detection rate and accuracy are ensured to the greatest extent; and when the antivirus result is that the file data is a malicious file, the file data in the server is processed according to a preset policy, thereby preventing the propagation of the malicious file and improving file transmission security.
Drawings
FIG. 1 is a schematic diagram of a firewall for a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a malicious file detection method according to a first embodiment of the present invention;
FIG. 3 is a flowchart illustrating a malicious file detection method according to a second embodiment of the present invention;
FIG. 4 is a flowchart illustrating a malicious file detection method according to a third embodiment of the present invention;
FIG. 5 is a block diagram of a malicious file detection apparatus according to a first embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Referring to fig. 1, fig. 1 is a schematic diagram of a firewall structure of a hardware operating environment according to an embodiment of the present invention.
As shown in fig. 1, the firewall may include: a processor 1001, such as a Central Processing Unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used to enable communication between these components. The user interface 1003 may include a display screen; optionally, the user interface 1003 may further include a standard wired interface and a wireless interface, and in the present invention the wired interface of the user interface 1003 may be a USB interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a Wireless Fidelity (Wi-Fi) interface). The memory 1005 may be a Random Access Memory (RAM) or a Non-volatile Memory (NVM), such as disk storage. The memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the configuration shown in fig. 1 does not constitute a limitation of a firewall and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a kind of computer storage medium, may include therein an operating system, a network communication module, a user interface module, and a malicious file detection program.
In the firewall shown in fig. 1, the network interface 1004 is mainly used for connecting a backend server and performing data communication with the backend server; the user interface 1003 is mainly used for connecting user equipment; the firewall calls a malicious file detection program stored in the memory 1005 through the processor 1001, and executes the malicious file detection method provided by the embodiment of the present invention.
The firewall invokes a malicious file detection program stored in the memory 1005 by the processor 1001, and performs the following operations:
when the terminal device transmits file data to a server, releasing the file data to the server and storing the file data in a preset cache;
when end control information is received, performing antivirus detection on the file data in the preset cache to obtain an antivirus result;
and when the antivirus result is that the file data is a malicious file, processing the file data in the server according to a preset policy.
Further, the end control information includes an end status code or a normal close of the data connection between the terminal device and the server.
Further, the firewall invokes the malicious file detection program stored in the memory 1005 through the processor 1001, and further performs the following operations:
when the antivirus result is that the file data is a malicious file, judging according to the preset policy whether to block the connection carrying the file data to the server;
if the connection carrying the file data is blocked, judging whether the file data carries an upload flag;
and when the file data carries the upload flag, generating a delete instruction and transmitting the delete instruction to the server, so that the server deletes the file data according to the delete instruction.
Further, the firewall invokes the malicious file detection program stored in the memory 1005 through the processor 1001, and further performs the following operations:
if the connection carrying the file data is not blocked, releasing the file data.
Further, the firewall invokes the malicious file detection program stored in the memory 1005 through the processor 1001, and further performs the following operations:
parsing the data stream in the file transfer protocol control channel, and judging from the parsed data whether the terminal device is transmitting file data to the server.
Further, the firewall invokes the malicious file detection program stored in the memory 1005 through the processor 1001, and further performs the following operations:
parsing the data stream in the file transfer protocol control channel;
when an upload data stream in the direction from the terminal device to the server is parsed, checking whether the upload data stream contains an upload control command;
when the upload control command is present in the data stream, judging whether a file transfer protocol initialization flag exists for the upload data stream;
and if the file transfer protocol initialization flag exists, determining that the data connection is established and that the terminal device transmits file data to the server over that data connection.
Further, the firewall invokes the malicious file detection program stored in the memory 1005 through the processor 1001, and further performs the following operations:
when a response data stream from the server to the terminal device is parsed, judging whether the response data stream is data connection data;
if the response data stream is data connection data, judging whether the data connection data is a handshake packet of the data connection;
when the data connection data is a handshake packet of the data connection, judging whether the response data stream carries a waiting-data flag;
and if the waiting-data flag exists, determining that the data connection is established and that the terminal device transmits the file data to the server over that data connection.
In this embodiment, when the terminal device transmits file data to the server, the file data is released to the server and stored in the preset cache; when end control information is received, the file data in the preset cache is subjected to antivirus detection to obtain an antivirus result. Because the antivirus detection is performed on the complete file, the detection rate and accuracy are ensured to the greatest extent; and when the antivirus result is that the file data is a malicious file, the file data in the server is processed according to a preset policy, thereby preventing the propagation of the malicious file and improving file transmission security.
Based on the hardware structure, the embodiment of the malicious file detection method is provided.
Referring to fig. 2, fig. 2 is a flowchart illustrating a malicious file detection method according to a first embodiment of the present invention, and the malicious file detection method according to the first embodiment of the present invention is proposed.
In a first embodiment, the malicious file detection method includes the following steps:
step S10: under the condition that the terminal equipment transmits file data to a server, the file data is put through to the server, and the file data is stored in a preset cache.
It should be understood that the execution subject of the present embodiment is the firewall, such as an Application Firewall (AF). The server can be an FTP server, and when the terminal device communicates with the FTP server to transmit files, the flow data passes through the intermediate AF, and the AF can detect the file attribute on the FTP uploading channel and block malicious data transmission. When the terminal device transmits file data to the server, the firewall stores the file data in a preset cache while putting through the file data on the FTP uploading channel, can perform antivirus detection on the file data in the preset cache, detects out malicious files in time, and processes the malicious files, so that the transmission of the malicious files is avoided, and the network security is not influenced.
It should be noted that the execution sequence of the operation of passing the file data to the server and the operation of storing the file data in the preset cache is not limited, and the operation of passing the file data to the server may be executed first, the operation of storing the file data in the preset cache may be executed first, or the operation of passing the file data to the server and the operation of storing the file data in the preset cache may be executed in parallel.
It should be noted that, in order to improve the accuracy of malicious file detection and avoid blocking and killing of malicious files, which may damage virus characteristics and cause inaccurate killing result, before performing antivirus detection on file data, a data stream in a file transfer protocol control channel needs to be analyzed, whether transmission of the file data is completed is judged according to data obtained by analysis, and the integrity of the file data is evaluated. According to RFC959, when streaming mode transmission is used, the default is that connection is normally closed to indicate that data transmission is completed, so that after the data connection is closed, the server returns control information to tell the terminal equipment that data transmission is completed, and file detection is performed, and at this time, the file data is a complete file. And the file data is a data packet for transmitting the file data in the FTP protocol, and when the last data packet for transmitting the file data is received, the complete file data is sent to the antivirus engine for killing. And when judging whether the file data is complete or not, judging whether the data obtained by analysis contains end state code information or not, if so, considering that the data is analyzed to end control information, and taking all data packets received in the preset cache as complete file data.
Step S20: when end control information is received, antivirus detection is performed on the file data in the preset cache to obtain an antivirus result.
It can be understood that when end control information is parsed, the file data in the preset cache is considered complete, and the antivirus engine can perform antivirus detection on it to obtain an antivirus result. After the antivirus engine produces the detection result, a structured message containing the result is packaged and sent to the protocol handling process; the antivirus result handling flow takes the result message from the message queue, enters its processing logic, judges whether the antivirus result is "infected" (infected meaning that the file data is a malicious file), and performs the corresponding handling according to the configured policy. The antivirus result is either that the file data is a malicious file or that the file data is not a malicious file.
Step S30: when the antivirus result is that the file data is a malicious file, the file data in the server is processed according to a preset policy.
In a specific implementation, a malicious file is file data carrying code such as a virus, worm or trojan horse that performs a malicious task, and the preset policy is a handling policy configured in advance according to the attributes of the various malicious files. For more harmful malicious files, the connection can be blocked, and if the malicious file has already been uploaded to the server, it is deleted from the server; for malicious files that are less harmful or that become normal files after scanning and cleaning, the data can be released and the session resources freed.
In this embodiment, when the terminal device transmits file data to the server, the file data is released to the server and stored in the preset cache; when end control information is received, the file data in the preset cache is subjected to antivirus detection to obtain an antivirus result. Because the antivirus detection is performed on the complete file, the detection rate and accuracy are ensured to the greatest extent; and when the antivirus result is that the file data is a malicious file, the file data in the server is processed according to a preset policy, thereby preventing the propagation of the malicious file and improving file transmission security.
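To make the contrast between the background's fixed-buffer scan and steps S10/S20 concrete, here is an added Python example that is not part of the patent and not Sangfor's code. The "antivirus engine" is a toy substring matcher, the signature and the uploaded bytes are constructed test data, and treating the server's 226 reply on the control channel as the end control information is an assumption drawn from RFC 959. The fixed-buffer scan misses a signature that straddles two buffer fills; the session that releases every packet and caches it until the end control information scans the complete file and finds it.

```python
# Added example (not from the patent or Sangfor's code): the prior-art fixed-buffer
# scan from the background beside the patent's cache-until-end-control scan of
# steps S10/S20. The engine is a toy substring matcher; signature and upload are
# constructed test data; treating the server's 226 reply as the end control
# information is an assumption based on RFC 959.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed placeholder signature, 26 bytes long (not a real malware pattern).
SIGNATURES = [b"CONSTRUCTED-TEST-SIGNATURE"]
# Constructed upload: 10-byte prefix + signature + 5-byte tail = 41 bytes, so the
# signature occupies bytes 10..35 and straddles a 32-byte buffer boundary.
CONSTRUCTED_UPLOAD = b"PREFIX0123" + SIGNATURES[0] + b"-TAIL"


def toy_antivirus(data: bytes) -> bool:
    """Stand-in for the antivirus engine: True if any signature occurs whole in data."""
    return any(sig in data for sig in SIGNATURES)


def split_packets(data: bytes, size: int) -> List[bytes]:
    """Cut the upload into data-connection packets of the given size."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def scan_fixed_buffer(packets: List[bytes], buffer_size: int) -> bool:
    """Prior-art method: cache into a fixed buffer, scan each time it fills, discard.
    A signature straddling two fills is never seen whole, so it is missed."""
    buf = b""
    detected = False
    for pkt in packets:
        buf += pkt
        while len(buf) >= buffer_size:
            chunk, buf = buf[:buffer_size], buf[buffer_size:]
            detected = detected or toy_antivirus(chunk)
    if buf:                                  # scan whatever is left at the end
        detected = detected or toy_antivirus(buf)
    return detected


@dataclass
class UploadSession:
    """Patent's approach: every packet is released to the server AND appended to the
    preset cache (S10); scanning waits for the end control information (S20)."""
    cache: bytearray = field(default_factory=bytearray)
    forwarded: List[bytes] = field(default_factory=list)   # packets put through
    result: Optional[bool] = None                          # None until scanned

    def on_data_packet(self, pkt: bytes) -> None:
        self.forwarded.append(pkt)           # release to the server
        self.cache.extend(pkt)               # store in the preset cache

    def on_control_reply(self, reply: str) -> Optional[bool]:
        # End status code on the control channel (assumed 226, per RFC 959) means the
        # cached packets form the complete file; only then is the engine invoked.
        if reply.startswith("226"):
            self.result = toy_antivirus(bytes(self.cache))
        return self.result


def run_comparison(buffer_size: int = 32, packet_size: int = 8) -> Dict[str, bool]:
    """Run both methods over the same constructed upload and report what each saw."""
    packets = split_packets(CONSTRUCTED_UPLOAD, packet_size)
    prior_art = scan_fixed_buffer(packets, buffer_size)

    session = UploadSession()
    for pkt in packets:
        session.on_data_packet(pkt)
    scanned_early = session.result is not None   # must still be False here
    whole_file = session.on_control_reply("226 Transfer complete.")

    return {
        "fixed_buffer_detected": prior_art,       # False: signature split at byte 32
        "scanned_before_end_control": scanned_early,
        "whole_file_detected": bool(whole_file),  # True: complete file was scanned
        "server_received_everything": b"".join(session.forwarded) == CONSTRUCTED_UPLOAD,
    }


if __name__ == "__main__":
    for name, value in run_comparison().items():
        print(f"{name}: {value}")
```

Note that the patent's session still forwards every packet to the server before the verdict is known, which is why the second embodiment needs the upload flag and the delete instruction: a file found malicious after the end control information may already be on disk at the server.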
Referring to fig. 3, fig. 3 is a flowchart illustrating a malicious file detection method according to a second embodiment of the present invention, and the malicious file detection method according to the second embodiment of the present invention is proposed based on the first embodiment illustrated in fig. 2.
In a second embodiment, the end control information includes an end status code or a normal close of the data connection between the terminal device and the server.
It should be understood that, as known from RFC 959, when stream mode transmission is used, a normal close of the connection by default indicates that data transmission is complete, so whether the file data transmitted from the terminal device to the server has been completely transmitted is determined by detecting whether the data connection between the terminal device and the server is normally closed. If the data connection between the terminal device and the server is normally closed, the file data is determined to be complete.
It can be understood that if the data connection between the terminal device and the server is normally closed, the file data transmitted from the terminal device to the server has been completely transmitted, and the session resources are released. If the data connection is not normally closed, an interruption may have occurred during data transmission; the data connection between the terminal device and the server may subsequently be re-established and the file data transmitted over it until the data connection is normally closed, at which point the server returns control information notifying the terminal device that data transmission is finished. File data detection is performed at this point, so the audited file data is complete and the detection rate and accuracy are ensured to the greatest extent.
In a specific implementation, if the size of the file is known before transmission, whether the file data has been completely transmitted can be judged from the amount of data transmitted. When the file size is unknown, the data stream in the file transfer protocol control channel can be parsed, and when the end status code is parsed, the file data transfer is considered complete.
In this embodiment, the step S40 includes:
step S401: and under the condition that the antivirus result is that the file data is a malicious file, judging whether to block connection of the file data in the server according to a preset strategy.
It should be noted that some malicious files are more harmful, and the malicious files can be blocked and connected, and the malicious files are not allowed to be uploaded continuously; and if some malicious files are not harmful or can be converted into normal files after being checked and killed, the data can be released to the malicious files, and conversation resources are released. And when the antivirus result shows that the file data is not a malicious file, the transmitted file data is safe, the file data can be released, and the file data is allowed to be uploaded continuously.
Step S402: and if the file data in the server is blocked, judging whether the file data contains an uploading mark.
In a specific implementation, if the file data is blocked from being connected, it is further determined whether the file data has been uploaded to the server, and an upload flag is usually marked after the file data is uploaded to the server to represent that the file data has been uploaded to the server, and it is determined whether the file data has been uploaded to the server by determining whether the file data includes the upload flag.
Step S403: and under the condition that the file data contains the uploading mark, generating a deleting instruction, and transmitting the deleting instruction to the server so that the server deletes the file data according to the deleting instruction.
It should be understood that, in the case that the file data includes an upload flag, which indicates that the file data has been uploaded to the server, a malicious file on the server needs to be deleted, at this time, a new control command is constructed and sent to the server, that is, the deletion command is constructed, and the deletion command is sent to the server, so that the server deletes the file data. After the file data is deleted, the session resources can be released to transmit other data files.
Further, after the step S401, the method further includes:
if the connection carrying the file data is not blocked, the file data is released.
It can be understood that if the connection carrying the file data is not blocked, the file data poses little threat to network security, so it can be released directly and allowed to be uploaded to the server.
In this embodiment, when the antivirus result is that the file data is a malicious file, whether to block the connection carrying the file data is judged according to the preset policy; if it is blocked, whether the file data carries an upload flag is judged; when it does, a delete instruction is generated and transmitted to the server so that the server deletes the file data according to the delete instruction. Thus, when a malicious file is identified, an already uploaded malicious file is dealt with in time, avoiding attack by the malicious file and improving network security.
Referring to fig. 4, fig. 4 is a flowchart illustrating a malicious file detection method according to a third embodiment of the present invention, and the malicious file detection method according to the third embodiment of the present invention is proposed based on the first embodiment or the second embodiment; in this example, the description is made based on the first embodiment.
In this embodiment, before the step S10, the method further includes:
Step S01: parse the data stream in the file transfer protocol control channel and, from the parsed data, determine whether the terminal device is transmitting file data to the server.
It should be understood that the data stream in the file transfer protocol control channel is parsed to determine whether file data is being transmitted. When the terminal device transmits file data to the server, the progress of the transfer is monitored: each data packet of the file transmitted over FTP is obtained and cached in memory, and when the last data packet of the transfer is received, the complete file data is sent to the antivirus engine for scanning.
Further, in this embodiment, step S01 includes:
parsing the data stream in the file transfer protocol control channel;
when an upload data stream in the direction from the terminal device to the server is parsed, checking whether the upload data stream contains an upload control command;
when the upload control command is present in the data stream, checking whether a file transfer protocol initialization flag exists for the upload data stream;
if the file transfer protocol initialization flag exists, determining that the data connection has been established and that the terminal device is transmitting file data to the server over that data connection.
It can be understood that the data stream in the file transfer protocol control channel is parsed; when the stream in the direction from the terminal device to the server is parsed, it is checked for the STOU family of upload control commands. If an upload control command is parsed, a pending data (pending_data) flag is set to record that an upload control command has been parsed, and the data connection is then awaited. Next, whether a file transfer protocol initialization (FTP_INIT) flag exists is checked; the FTP_INIT flag is set by the parsing framework once it has parsed the data connection. If the FTP_INIT flag exists, the FDATA flag is returned directly, meaning that control-channel parsing is finished, the data connection has been established and the file data transfer is about to start; otherwise, subsequent parsing of the data connection is awaited.
Further, in this embodiment, after parsing the data stream in the file transfer protocol control channel, the method further includes:
when a response data stream in the direction from the server to the terminal device is parsed, determining whether the response data stream belongs to a data connection;
if the response data stream belongs to a data connection, determining whether it is a handshake packet of the data connection;
when it is a handshake packet of the data connection, checking whether the pending data flag exists;
if the pending data flag exists, determining that the data connection has been established and that the terminal device is transmitting file data to the server over that data connection.
It should be noted that it is first determined whether the data belongs to a data connection. If so, it is further determined whether it is the handshake synchronization (SYN) packet of the data connection, which marks that the data connection is about to be established; an FTP_INIT flag is then set to record that the data connection currently being parsed is being established. It is then checked whether a pending_data flag exists, indicating that the client previously sent a file upload control command; if so, an FTP_DATA flag is set to indicate that the data connection has been established, and the data flow of the data connection follows; otherwise, the function returns directly.
In this embodiment, the data stream in the file transfer protocol control channel is parsed, and whether the terminal device is transmitting file data to the server is determined from the parsed data; once the transmitted file data is complete, it is intercepted and inspected promptly, so that malicious files are identified and handled in time, and network security is improved.
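The control-channel state machine of step S01 and its two parsing branches, written out as an added Python example (this is not code from the patent or from Sangfor). The flag names pending_data, FTP_INIT, FTP_DATA and FDATA follow the description; the FtpUploadDetector class, its method names and the constructed event sequences are my own assumptions. It handles both orders in which the upload command and the data-connection handshake can be observed, and shows that a download (RETR) followed by a handshake is not mistaken for an upload.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 959 store commands; the description refers to them as the "STOU family".
UPLOAD_COMMANDS = {"STOR", "STOU", "APPE"}


@dataclass
class FtpUploadDetector:
    """Per-session flags named as in the description (the class itself is assumed)."""
    pending_data: bool = False   # upload command parsed, data connection awaited
    ftp_init: bool = False       # data-connection handshake parsed
    ftp_data: bool = False       # upload confirmed: file transfer is about to start
    filename: Optional[str] = None
    events: List[str] = field(default_factory=list)

    def on_client_control(self, line: bytes) -> str:
        """Terminal -> server control channel: look for an upload control command."""
        m = re.match(rb"^([A-Za-z]{3,4})(?:\s+(.*))?$", line.strip())
        if not m or m.group(1).upper().decode() not in UPLOAD_COMMANDS:
            return self._record("ignored")
        self.filename = (m.group(2) or b"").decode(errors="replace") or None
        if self.ftp_init:
            # Data connection already parsed: control parsing is finished (FDATA).
            self.ftp_data = True
            return self._record("FDATA")
        # Otherwise remember the command and wait for the data connection.
        self.pending_data = True
        return self._record("pending_data")

    def on_server_packet(self, is_data_connection: bool, is_handshake: bool) -> str:
        """Server -> terminal direction: recognise the data-connection handshake
        (SYN in active mode, SYN-ACK when the client connected in passive mode)."""
        if not is_data_connection or not is_handshake:
            return self._record("ignored")
        self.ftp_init = True
        if self.pending_data:
            # Upload command was seen earlier: the data connection is established.
            self.ftp_data = True
            return self._record("FTP_DATA")
        return self._record("FTP_INIT")

    def _record(self, outcome: str) -> str:
        self.events.append(outcome)
        return outcome


def run_session(events: List[tuple]) -> FtpUploadDetector:
    """Feed constructed events: ("ctl", line) for client control lines,
    ("pkt", is_data_connection, is_handshake) for server-side packets."""
    det = FtpUploadDetector()
    for ev in events:
        if ev[0] == "ctl":
            det.on_client_control(ev[1])
        else:
            det.on_server_packet(ev[1], ev[2])
    return det


# Constructed sessions. Case A: upload command first, handshake later.
COMMAND_FIRST = [("ctl", b"STOR report.exe\r\n"), ("pkt", True, True)]
# Case B: handshake first, upload command later.
HANDSHAKE_FIRST = [("pkt", True, True), ("ctl", b"STOU\r\n")]
# Case C: a download; the handshake alone must not be treated as an upload.
DOWNLOAD = [("ctl", b"RETR notes.txt\r\n"), ("pkt", True, True), ("pkt", False, False)]

if __name__ == "__main__":
    for name, seq in [("command first", COMMAND_FIRST),
                      ("handshake first", HANDSHAKE_FIRST), ("download", DOWNLOAD)]:
        d = run_session(seq)
        print(f"{name}: events={d.events} upload={d.ftp_data} file={d.filename}")
```

The two orderings matter because in passive mode the client opens the data connection right after PASV, possibly before the STOR line is parsed, while in active mode the server connects back after the command; a detector that assumes one order silently misses uploads in the other.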
In addition, an embodiment of the present invention further provides a storage medium on which a malicious file detection program is stored; when executed by a processor, the malicious file detection program implements the following steps:
when the terminal device transmits file data to a server, passing the file data through to the server and storing the file data in a preset cache;
when end control information is received, performing antivirus detection on the file data in the preset cache to obtain an antivirus result;
when the antivirus result is that the file data is a malicious file, processing the file data in the server according to a preset policy.
Further, the end control information includes end status code information, or the normal closing of the data connection between the terminal device and the server.
Further, the malicious file detection program when executed by the processor further implements the following operations:
when the antivirus result is that the file data is a malicious file, deciding according to a preset policy whether to block the connection of the file data in the server;
if the file data in the server is blocked, determining whether the file data carries an upload flag;
when the file data carries the upload flag, generating a deletion instruction and sending it to the server, so that the server deletes the file data according to the deletion instruction.
Further, the malicious file detection program when executed by the processor further implements the following operations:
if the connection of the file data is not blocked, passing the file data through.
Further, the malicious file detection program when executed by the processor further implements the following operations:
parsing the data stream in the file transfer protocol control channel and, from the parsed data, determining whether the terminal device is transmitting file data to the server.
Further, the malicious file detection program when executed by the processor further implements the following operations:
parsing the data stream in the file transfer protocol control channel;
when an upload data stream in the direction from the terminal device to the server is parsed, checking whether the upload data stream contains an upload control command;
when the upload control command is present in the data stream, checking whether a file transfer protocol initialization flag exists for the upload data stream;
if the file transfer protocol initialization flag exists, determining that the data connection has been established and that the terminal device is transmitting file data to the server over that data connection.
Further, the malicious file detection program when executed by the processor further implements the following operations:
when a response data stream in the direction from the server to the terminal device is parsed, determining whether the response data stream belongs to a data connection;
if the response data stream belongs to a data connection, determining whether it is a handshake packet of the data connection;
when it is a handshake packet of the data connection, checking whether the pending data flag exists;
if the pending data flag exists, determining that the data connection has been established and that the terminal device is transmitting file data to the server over that data connection.
In this embodiment, when the terminal device transmits file data to the server through the file transfer protocol control channel, the file data is passed through to the server and stored in a preset cache, and the data stream in the control channel is parsed. When end control information is parsed, antivirus detection is performed on the file data in the preset cache to obtain an antivirus result; because the detection is performed on the complete file, the detection rate and accuracy are ensured to the greatest extent. When the antivirus result is that the file data is a malicious file, the file data in the server is processed according to a preset policy, which prevents the spread of the malicious file and improves file transfer security.
In addition, referring to fig. 5, an embodiment of the present invention further provides a malicious file detection apparatus, which includes:
a transmission module 10, configured to pass the file data through to a server and store the file data in a preset cache when the terminal device transmits the file data to the server.
It should be understood that the server may be an FTP server. When the terminal device communicates with the FTP server to transfer a file, the traffic passes through an intermediate AF, which inspects file attributes on the FTP upload channel and blocks the transfer of malicious data. When the terminal device transmits file data to the server, the firewall stores the file data in a preset cache while passing it through on the FTP upload channel; it can then perform antivirus detection on the cached file data, detect malicious files in time and handle them, so that malicious files are not spread and network security is not affected.
It should be noted that the order of the two operations, passing the file data through to the server and storing it in the preset cache, is not limited: either operation may be executed first, or the two may be executed in parallel.
It should be noted that, to improve the accuracy of malicious file detection and to avoid blocking a transfer partway through, which may truncate the virus's characteristic bytes and make the scan result inaccurate, the data stream in the file transfer protocol control channel must be parsed before antivirus detection is performed on the file data; whether the transfer of the file data is complete is determined from the parsed data, that is, the integrity of the file data is evaluated. According to RFC 959, in stream transfer mode the normal closing of the data connection indicates by default that the data transfer is complete; after the data connection is closed, the server returns control information telling the terminal device that the transfer has completed, and file detection is performed at that point, when the file data is a complete file. The file data consists of the data packets that carry the file over FTP, and when the last data packet of the file is received, the complete file data is sent to the antivirus engine for scanning. When judging whether the file data is complete, it is checked whether the parsed data contains end status code information; if so, end control information is considered to have been parsed, and all data packets received into the preset cache are taken as the complete file data.
An antivirus detection module 20, configured to perform antivirus detection on the file data in the preset cache when end control information is received, and to obtain an antivirus result.
It can be understood that when the end control information is parsed, the file data in the preset cache is considered complete, and the antivirus engine can perform antivirus detection on it to obtain an antivirus result. After the antivirus engine has produced the detection result, the result structure is packed into a message and sent to the protocol handling process; the antivirus result handling flow takes the result message from the message queue, enters its processing logic, checks whether the antivirus result is "infected" (meaning the file data is a malicious file), and handles the file according to the configured policy. The antivirus result is either that the file data is a malicious file or that it is not.
A processing module 30, configured to process the file data in the server according to a preset policy when the antivirus result indicates that the file data is a malicious file.
In a specific implementation, a malicious file is file data carrying code such as a virus, worm or trojan that performs a malicious task, and the preset policy is a handling policy set in advance according to the attributes of the various malicious files. Some malicious files are more harmful: their connection can be blocked, and if they have already been uploaded to the server, the malicious file in the server is deleted. Other malicious files are less harmful, or can be turned into normal files after disinfection; their data can be passed through and the session resources released.
In this embodiment, when the terminal device transmits file data to the server, the file data is passed through to the server and stored in a preset cache; when end control information is received, antivirus detection is performed on the file data in the preset cache to obtain an antivirus result, and because the detection is performed on the complete file, the detection rate and accuracy are ensured to the greatest extent. When the antivirus result is that the file data is a malicious file, the file data in the server is processed according to a preset policy, which prevents the spread of the malicious file and improves file transfer security.
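The cache-then-scan pipeline of the transmission, antivirus detection and processing modules, together with the deletion steps S401 to S403 described in the second embodiment, as an added Python example (not code from the patent or from Sangfor). The byte-signature scanner is a stand-in for the antivirus engine; the 226 reply is the RFC 959 transfer-complete status that I assume as the "end status code"; the DELE command as the deletion instruction, the UploadTracker API, the policy table and the sample packets are my assumptions; the EICAR string is the standard harmless antivirus test file. The example also shows why the description insists on scanning the complete file: a signature split across two packets is invisible to a per-packet scan.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Stand-in for the antivirus engine: a byte-signature lookup. EICAR is the
# standard harmless test string; the label "EICAR-Test-File" is constructed.
SIGNATURES = {
    "EICAR-Test-File": rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
}

# Preset policy (constructed): verdict -> "block"; anything unlisted is "pass".
POLICY = {"EICAR-Test-File": "block"}


def scan(data: bytes) -> Optional[str]:
    """Return the matching signature name, or None when the data is clean."""
    for name, sig in SIGNATURES.items():
        if sig in data:
            return name
    return None


@dataclass
class Upload:
    filename: str
    cache: List[bytes] = field(default_factory=list)   # the "preset cache"
    uploaded: bool = False            # upload flag: bytes have reached the server
    complete: bool = False
    verdict: Optional[str] = None
    action: Optional[str] = None
    injected: Optional[bytes] = None  # control command the firewall sends to the server


class UploadTracker:
    """Tracks one FTP upload through the firewall (class and API are assumed)."""

    def __init__(self, filename: str):
        self.upload = Upload(filename)

    def on_data_packet(self, payload: bytes) -> bytes:
        """Data-channel packet: cached and passed through unchanged (the
        description leaves the order of the two operations open)."""
        self.upload.cache.append(payload)
        self.upload.uploaded = True
        return payload

    def on_data_connection_closed(self) -> Upload:
        """A normal close of the data connection counts as end control information."""
        return self._finish()

    def on_server_reply(self, reply: bytes) -> Optional[Upload]:
        """Control-channel reply; '226' is RFC 959's transfer-complete status."""
        if reply.startswith(b"226"):
            return self._finish()
        return None

    def _finish(self) -> Upload:
        u = self.upload
        if u.complete:
            return u                         # both end signals may arrive; scan once
        u.complete = True
        u.verdict = scan(b"".join(u.cache))  # scan the complete file, not fragments
        u.action = POLICY.get(u.verdict, "pass") if u.verdict else "pass"
        if u.action == "block" and u.uploaded:
            # File is already on the server: emit the deletion instruction.
            u.injected = b"DELE " + u.filename.encode() + b"\r\n"
        return u


def per_packet_verdicts(packets: List[bytes]) -> List[Optional[str]]:
    """What a per-packet scanner would see, for comparison with the full scan."""
    return [scan(p) for p in packets]


# Constructed sample transfers: the EICAR string split across two packets.
SIG = SIGNATURES["EICAR-Test-File"]
MALICIOUS_PACKETS = [b"header\n" + SIG[:30], SIG[30:] + b"\ntrailer\n"]
CLEAN_PACKETS = [b"quarterly figures\n", b"all good\n"]


def run_upload(filename: str, packets: List[bytes]) -> Upload:
    tracker = UploadTracker(filename)
    for p in packets:
        tracker.on_data_packet(p)
    tracker.on_data_connection_closed()
    tracker.on_server_reply(b"226 Transfer complete.\r\n")  # second signal is a no-op
    return tracker.upload


if __name__ == "__main__":
    for name, pkts in [("report.exe", MALICIOUS_PACKETS), ("figures.txt", CLEAN_PACKETS)]:
        u = run_upload(name, pkts)
        print(name, "per-packet:", per_packet_verdicts(pkts),
              "full:", u.verdict, "action:", u.action, "sends:", u.injected)
```

Because the firewall forwards every packet before the verdict is known, the deletion instruction is the only remedy for a file that is already on the server; the `uploaded` flag records that state so a clean or non-blocked verdict never triggers a DELE.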
Other embodiments or specific implementation manners of the malicious file detection apparatus according to the present invention may refer to the above method embodiments, and are not described herein again.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and the like do not denote any order, but rather the words first, second and the like may be interpreted as indicating any order.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be substantially implemented or a part contributing to the prior art may be embodied in the form of a software product, where the computer software product is stored in a storage medium (e.g., a Read Only Memory (ROM)/Random Access Memory (RAM), a magnetic disk, an optical disk), and includes several instructions for enabling a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A malicious file detection method is characterized by comprising the following steps:
under the condition that the terminal equipment transmits file data to a server, putting the file data to the server, and storing the file data in a preset cache;
under the condition of receiving the ending control information, performing antivirus detection on the file data in the preset cache to obtain an antivirus result;
and processing the file data in the server according to a preset strategy under the condition that the antivirus result is that the file data is a malicious file.
2. The malicious file detection method according to claim 1, wherein the end control information includes end status code information, or the normal closing of the data connection between the terminal device and the server.
3. The method according to claim 2, wherein when the antivirus result indicates that the file data is a malicious file, processing the file data in the server according to a preset policy includes:
judging whether to block connection of the file data in the server according to a preset strategy under the condition that the antivirus result is that the file data is a malicious file;
if the file data in the server is blocked, judging whether the file data contains an uploading mark;
and under the condition that the file data contains the uploading mark, generating a deleting instruction, and transmitting the deleting instruction to the server so that the server deletes the file data according to the deleting instruction.
4. The method according to claim 3, wherein when the antivirus result indicates that the file data is a malicious file, after determining whether to block connection of the file data in the server according to a preset policy, the method further comprises:
if the connection of the file data is not blocked, passing the file data through.
5. The method according to any one of claims 1 to 4, wherein in a case where a terminal device transmits file data to a server through a file transfer protocol control channel, before putting the file data through the server and storing the file data in a preset cache, the method further comprises:
and analyzing the data stream in the file transfer protocol control channel, and judging whether the terminal equipment transmits file data to the server or not according to the data obtained by analysis.
6. The method according to claim 5, wherein the analyzing the data stream in the file transfer protocol control channel, and determining whether the terminal device transmits the file data to the server according to the data obtained by the analyzing comprises:
analyzing the data stream in the file transfer protocol control channel;
under the condition of analyzing an uploading data stream in the direction from the terminal equipment to the server, analyzing whether an uploading control command exists in the uploading data stream or not;
judging whether a file transfer protocol initialization mark exists in the uploaded data stream or not under the condition that the uploading control command exists in the data stream;
if the file transfer protocol initialization flag exists, determining that the data connection has been established and that the terminal device is transmitting file data to the server over that data connection.
7. The malicious file detection method according to claim 6, wherein after parsing the data stream in the file transfer protocol control channel, the malicious file detection method further comprises:
under the condition of analyzing the response data stream from the server to the terminal equipment, judging whether the response data stream is data connection data or not;
if the response data stream is the data connection data, judging whether the data connection data is a handshake data packet of data connection;
judging whether the response data stream has a waiting data mark or not under the condition that the data connection data is a handshake data packet of data connection;
if the pending data flag exists, determining that the data connection has been established and that the terminal device is transmitting file data to the server over that data connection.
8. A malicious file detection apparatus, comprising:
the transmission module is used for putting the file data to a server and storing the file data in a preset cache under the condition that the terminal equipment transmits the file data to the server;
the antivirus detection module is used for carrying out antivirus detection on the file data in the preset cache under the condition of receiving the ending control information to obtain an antivirus result;
and the processing module is used for processing the file data in the server according to a preset strategy under the condition that the antivirus result is that the file data is a malicious file.
9. A firewall, characterized in that the firewall comprises: memory, a processor and a malicious file detection program stored on the memory and executable on the processor, the malicious file detection program, when executed by the processor, implementing the steps of the malicious file detection method according to any of claims 1 to 7.
10. A storage medium having stored thereon a malicious file detection program which, when executed by a processor, implements the steps of the malicious file detection method according to any one of claims 1 to 7.
CN202010404761.9A 2020-05-13 2020-05-13 Malicious file detection method and device, storage medium and firewall Pending CN111611584A (en)

Publications (1)

Publication Number Publication Date
CN111611584A true CN111611584A (en) 2020-09-01


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination