CN114003907A - Malicious file detection method and device, computing equipment and storage medium - Google Patents


Info

Publication number
CN114003907A
Authority
CN
China
Prior art keywords
file
size
executable file
detected
executable
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111305669.8A
Other languages
Chinese (zh)
Inventor
高泽霖
张慧云
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Antiy Technology Group Co Ltd
Original Assignee
Antiy Technology Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Antiy Technology Group Co Ltd
Priority to CN202111305669.8A
Publication of CN114003907A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/565 Static detection by checking file integrity
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/17 Details of further file system functions
    • G06F16/174 Redundancy elimination performed by the file system
    • G06F16/1744 Redundancy elimination performed by the file system using compression, e.g. sparse files

Abstract

The invention provides a malicious file detection method and device, a computing device and a storage medium. The method comprises: when an executable file is detected as received, determining the size of the executable file and the size of the compressed archive corresponding to it; and determining whether the executable file is malicious from the ratio between the size of the executable file and the size of its corresponding compressed archive. The scheme uses the principle of file compression to detect malicious executables, places no limit on the size of the executable file, and can therefore detect a malicious executable whatever its size, which improves the security of the device.

Description

Malicious file detection method and device, computing equipment and storage medium
Technical Field
The embodiments of the invention relate to the field of security, in particular to a malicious file detection method and device, a computing device and a storage medium.
Background
With the rapid development and wide application of internet technology, maintaining network security has become a serious challenge. Malicious behaviour such as computer viruses and hacking attacks in particular poses a major threat to system security. Such behaviour is usually delivered to a device in the form of a malicious file, which is executed on the device to carry out the attack. A file that a device receives from outside therefore needs to be inspected to determine whether it is malicious.
At present, once a device has received a file from outside, the file is generally inspected by sandbox execution, by scanning with antivirus software, or by uploading it to an online scanning service. All of these methods impose a limit on file size: when a file exceeds the limit, the inspection is not performed and a result of "no anomaly found" is returned. An attacker who inflates a malicious file beyond the limit can therefore evade detection.
A method for detecting malicious large files is therefore desirable.
Disclosure of Invention
Given that existing detection means cannot effectively detect malicious large files, embodiments of the invention provide a malicious file detection method and device, a computing device and a storage medium that can detect malicious large files and so improve the security of the device.
In a first aspect, an embodiment of the invention provides a malicious file detection method, comprising:
when an executable file is detected as received, determining the size of the executable file and the size of the compressed archive corresponding to it;
and determining whether the executable file is malicious from the ratio between the size of the executable file and the size of its corresponding compressed archive.
Preferably, before detecting that the executable file is received, the method further comprises:
inspecting a received file to be detected;
judging whether the file to be detected is in a compressed-archive format; if it is, reading the extension of each file in the archive and determining whether an executable file is present; and if it is not, determining from the extension of the file to be detected whether it is an executable file.
Preferably, determining the size of the executable file and the size of its corresponding compressed archive comprises:
if the file to be detected is a compressed archive, reading the executable file in the archive and determining the size of the executable file and the size of its corresponding compressed archive.
Preferably, determining the size of the compressed archive corresponding to the executable file comprises:
determining the total size of all files in the archive;
judging whether the ratio of the size of the executable file to that total exceeds a first threshold; if it does, taking the size of the file to be detected as the size of the compressed archive corresponding to the executable; and if it does not, extracting the executable from the archive, compressing it to obtain a compressed archive, and taking the size of that archive as the size of the compressed archive corresponding to the executable.
Preferably, determining the size of the executable file and the size of its corresponding compressed archive comprises:
if the file to be detected is not a compressed archive, taking the size of the file to be detected as the size of the executable file, compressing the file to obtain a compressed archive, and taking the size of that archive as the size of the compressed archive corresponding to the executable.
Preferably, determining whether the executable file is malicious from the ratio between the size of the executable file and the size of its corresponding compressed archive comprises:
judging whether the ratio of the size of the compressed archive corresponding to the executable file to the size of the executable file is below a second threshold, and if so, determining that the executable file is malicious.
Preferably, after judging whether that ratio is below the second threshold, the method further comprises:
if the ratio is not below the second threshold, further judging whether the size of the executable file is below a third threshold, and if so, performing hash detection on the executable file to determine whether it is malicious.
In a second aspect, an embodiment of the invention further provides a malicious file detection apparatus, comprising:
a file size determining unit, for determining, when an executable file is detected as received, the size of the executable file and the size of its corresponding compressed archive;
and a malicious file determining unit, for determining whether the executable file is malicious from the ratio between the size of the executable file and the size of its corresponding compressed archive.
In a third aspect, an embodiment of the invention further provides a computing device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, implements the method of any embodiment of this specification.
In a fourth aspect, the invention further provides a computer-readable storage medium storing a computer program which, when executed on a computer, causes the computer to perform the method of any embodiment of this specification.
The embodiments of the invention thus provide a malicious file detection method and device, a computing device and a storage medium. Because the executable file is judged malicious or not by the principle of file compression, no limit is placed on its size: an executable of any size can be checked, which improves the security of the device.
Drawings
To illustrate the embodiments of the invention or the prior art more clearly, the drawings used in their description are briefly introduced below. The drawings show some embodiments of the invention; a person skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of a malicious file detection method according to an embodiment of the invention;
Fig. 2 is a hardware architecture diagram of a computing device according to an embodiment of the invention;
Fig. 3 is a block diagram of a malicious file detection apparatus according to an embodiment of the invention;
Fig. 4 is a block diagram of another malicious file detection apparatus according to an embodiment of the invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments clearer, the technical solutions of the embodiments are described below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the invention; all other embodiments that a person of ordinary skill in the art can obtain from them without creative effort fall within the scope of the invention.
As described above, once a device has received a file from outside, the file must be inspected to keep the device secure and prevent a malicious file from running on it. One approach is to run the file in a sandbox, which records all of the file's activity during execution and so reveals malicious behaviour. Another is to scan the file with antivirus software or upload it to an online scanning service to check whether it is malicious. Both approaches impose a limit on file size: when a file exceeds the limit, the inspection is not performed and "no anomaly found" is returned. An attacker exploits this limit by padding a malicious file with a large number of repeated zero bytes so that it grows beyond the limit and escapes sandboxes, antivirus software and online scanners.
The inventors observe that a malicious file is an executable and that its real size does not exceed 100 MB, so an attacker generally inflates it with long runs of zero bytes. Compression, in turn, works by finding repeated byte sequences in a file, recording them once in a dictionary and replacing each further occurrence with a short code, which shrinks the file. If a malicious file and a benign file of the same size are each compressed, the compressed archive of the malicious file is far smaller, because the malicious file consists largely of repeated zero bytes. The ratio of a file's size before and after compression can therefore be used to decide whether the file is malicious.
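The compression principle above, demonstrated on constructed data. This is an added example, not code from the patent or from Antiy: it builds three "executables" from the same 64 KiB pseudo-random payload (standing in for machine code, which is nearly incompressible), pads one with zero bytes as the patent describes, pads one with pseudo-random bytes, and measures the deflate (zip) compression ratio of each. The sizes, seeds and the 0.15 comparison point are assumptions taken from the patent's own numbers.

```python
import random
import zlib


def random_bytes(size: int, seed: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for machine code (nearly incompressible)."""
    return random.Random(seed).getrandbits(size * 8).to_bytes(size, "little")


def compression_ratio(data: bytes, level: int = 6) -> float:
    """Size of the deflate (zip) stream divided by the original size; small means highly redundant."""
    return len(zlib.compress(data, level)) / len(data)


def build_samples(payload_size: int = 64 * 1024, padding: int = 2 * 1024 * 1024) -> dict:
    """Three constructed 'executables' sharing one 64 KiB pseudo-random payload."""
    payload = random_bytes(payload_size, 1)
    return {
        "unpadded": payload,                                   # a normal binary
        "zero_padded": payload + b"\x00" * padding,            # the inflation the patent targets
        "random_padded": payload + random_bytes(padding, 2),   # inflation the ratio test cannot see
    }


def ratios() -> dict:
    """Compression ratio of each sample, to be compared against the patent's second threshold of 0.15."""
    return {name: compression_ratio(data) for name, data in build_samples().items()}


if __name__ == "__main__":
    for name, value in ratios().items():
        print(f"{name:14s} {value:.3f}")
```

The unpadded and random-padded samples come out near 1.0, while the zero-padded one falls far below 0.15: deflate encodes a run of zeros as a chain of back-references, so the padding collapses to a few kilobytes. The third sample is the caveat a defender should keep in mind: the test only sees padding that compresses, so an attacker who pads with incompressible bytes keeps the ratio near 1.0 (at the cost of a download that really is hundreds of megabytes). Conversely, any executable with long runs of repeated bytes scores the same way whatever its intent, so the ratio is a triage signal rather than proof.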
Specific implementations of the above concepts are described below.
Referring to fig. 1, an embodiment of the present invention provides a malicious file detection method, including:
step 100: when an executable file is detected as received, determining the size of the executable file and the size of the compressed archive corresponding to it;
step 102: determining whether the executable file is malicious from the ratio between the size of the executable file and the size of its corresponding compressed archive.
In this embodiment, when the device is detected to have received an executable file, the size of the executable and the size of its corresponding compressed archive are determined, and the ratio between the two is used to decide whether the executable is malicious. Because the decision rests on the principle of file compression, no limit is placed on the size of the executable: an executable of any size can be checked, which improves the security of the device.
The manner in which the various steps shown in fig. 1 are performed is described below.
First, in step 100, when an executable file is detected as received, the size of the executable file and the size of its corresponding compressed archive are determined.
Receiving a file means that the device obtains a file from outside, typically by: 1. downloading it from a website; 2. receiving it through a messaging or file-transfer tool; 3. copying it from removable storage.
Whichever way the device receives a file from outside, the file must be inspected to keep the device secure.
In this embodiment, since a malicious file attacks a device by being executed on it, a malicious file is generally an executable file.
Before step 100, the method may therefore include: inspecting the received file to be detected; judging whether the file to be detected is in a compressed-archive format; if it is, reading the extension of each file contained in the archive to determine whether an executable file is present; and if it is not, determining from the extension of the file to be detected itself whether it is an executable file.
Extensions of executable files include .exe, .sys, .com and .dll, so a file can be classed as executable when its extension is one of these. Deciding by extension is cheap and fast. Note, however, that an extension is chosen by whoever names the file: a practitioner applying this method should treat the extension as the trigger the patent describes rather than as proof of file type, and will usually also check the file header (the MZ signature of a Windows executable) before relying on the classification.
Detecting whether an executable file is malicious uses the size of the executable file and the size of its corresponding compressed archive, and how those two sizes are determined depends on whether the file to be detected is itself a compressed archive. The two cases are described below.
In the first case, the file to be detected is a compressed archive.
Here the executable file is inside the file to be detected, so its size is determined by decompressing, or reading the entry metadata of, the executable inside the archive.
Since the file to be detected is itself a compressed archive, its size can be used directly as the size of the compressed archive corresponding to the executable.
However, the archive may contain other files besides the executable, and the archive size reflects all of its members after compression. If the other members are large, taking the archive size as the executable's compressed size distorts the result. In one embodiment the compressed size corresponding to the executable is therefore determined with reference to the size of the executable.
Specifically: determine the total uncompressed size of all files in the archive; judge whether the ratio of the executable's size to that total exceeds a first threshold; if it does, take the size of the archive as the compressed size corresponding to the executable; if it does not, extract the executable from the archive, compress it on its own, and take the size of the resulting archive as the compressed size corresponding to the executable.
The total size of all files in the archive is obtained by reading each member's uncompressed size and summing them.
The first threshold may be set empirically, for example 0.8. If the executable accounts for more than 0.8 of the total, it dominates the archive and the archive size is representative of its compressed size. If it accounts for 0.8 or less, the archive size is not representative; the executable must then be extracted and compressed on its own, and the size of that archive used instead.
In summary, when the file to be detected is a compressed archive, the compressed size corresponding to the executable is determined with reference to the executable's size, which keeps that value accurate in this case and improves the detection result.
In the second case, the file to be detected is not a compressed archive.
Here the file to be detected is the executable itself, so its size is taken directly as the size of the executable.
The compressed size corresponding to the executable is obtained by compressing the file to be detected and taking the size of the resulting archive.
In summary, when the file to be detected is not a compressed archive, both the size of the executable and the size of its corresponding compressed archive are exact, which makes the detection result more reliable.
Then, in step 102, whether the executable file is malicious is determined from the ratio between the size of the executable file and the size of its corresponding compressed archive.
By the compression principle above, if a malicious file and a benign file of the same size are each compressed, the compressed archive of the malicious file is far smaller because of its long runs of zero bytes; that is, the malicious file compresses far more strongly. A second threshold can therefore be set and compared against the executable's compression ratio (compressed size divided by original size).
In one embodiment the second threshold is derived from the maximum file size accepted by sandboxes, antivirus software, online scanners and the like, and from the size of a real malicious payload. For example, if the scanners' size limit is 650 MB and the actual malicious payload does not exceed 100 MB, the second threshold may be set to 100/650 ≈ 0.15.
Step 102 may then comprise: judging whether the ratio of the compressed size corresponding to the executable to the size of the executable is below the second threshold, and if so, determining that the executable is malicious.
For example, a hacking group disguised a phishing site as a pirated-software download site to induce victims to download from it. The download was a compressed archive of about 11 MB; decompressing it yielded an executable of 697 MB. Antivirus software skipped the file because it exceeded the 650 MB limit and reported nothing abnormal; its hash, looked up on VirusTotal, matched nothing; and it did not run normally in a sandbox either. Its compression ratio, 11/697 ≈ 0.016, is far below the second threshold of 0.15, so the executable in the archive can be judged malicious.
In one embodiment, if the ratio is not below the second threshold, then to avoid missing malicious files the method may further comprise: judging whether the size of the executable is below a third threshold, and if so, performing hash detection on the executable to determine whether it is malicious.
The third threshold is set from the size limit of the sandbox, antivirus software or online scanner, and that limit itself may be used as the third threshold, for example 650 MB. If the executable is below the third threshold, hash detection consists of asking antivirus software or an online scanner whether a hash identical to that of the executable is known: if one is found, the executable is malicious; if not, it is treated as benign.
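The whole procedure of steps 100 and 102, both the archive case with its first threshold and the bare-executable case, followed by the second-threshold ratio test and the third-threshold hash fallback, as one added example. This is not the patent's or Antiy's code: it is an illustration written for this page. Assumptions not in the patent: zip is the archive format, deflate via zlib stands in for "compressing the executable", sizes come from the zip entry metadata, the hash fallback is a SHA-256 lookup in a caller-supplied blocklist (a stand-in for the antivirus or online-scanner lookup), the sample files are constructed in the code, and the thresholds are the patent's own 0.8, 0.15 and 650 MB. The patent gives no step for a large executable that is not padded, so that outcome is reported as unknown.

```python
import hashlib
import io
import random
import zipfile
import zlib

EXECUTABLE_EXTENSIONS = (".exe", ".sys", ".com", ".dll")
FIRST_THRESHOLD = 0.8                # executable's share of the archive's uncompressed content
SECOND_THRESHOLD = 0.15              # compressed/original ratio below which the file is flagged
THIRD_THRESHOLD = 650 * 1024 * 1024  # scanner size limit; only smaller files can be hash-checked


def random_bytes(size: int, seed: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for machine code (nearly incompressible)."""
    return random.Random(seed).getrandbits(size * 8).to_bytes(size, "little")


def make_padded_executable(payload_size=64 * 1024, padding=2 * 1024 * 1024) -> bytes:
    """Constructed sample: MZ header, pseudo-random payload, then a long run of zero bytes."""
    return b"MZ" + random_bytes(payload_size, 7) + b"\x00" * padding


def make_archive(members: dict) -> bytes:
    """Constructed sample archive: a zip (deflate) holding the given name -> bytes members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def compressed_size(data: bytes) -> int:
    """Size of the deflate stream for data, i.e. what a zip entry of it would occupy."""
    return len(zlib.compress(data, 6))


def is_executable_name(name: str) -> bool:
    """The patent's trigger: classification by extension only."""
    return name.lower().endswith(EXECUTABLE_EXTENSIONS)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sizes_from_archive(archive: bytes):
    """Case 1 of the method. Returns (exe_size, packed_size, exe_bytes), or None if no executable."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        exe = next((i for i in members if is_executable_name(i.filename)), None)
        if exe is None:
            return None
        total = sum(i.file_size for i in members)        # uncompressed sizes from the metadata
        exe_bytes = zf.read(exe)
        if total and exe.file_size / total > FIRST_THRESHOLD:
            # the executable dominates the archive, so the archive size stands in for its packed size
            return exe.file_size, len(archive), exe_bytes
        # other members are large: compress the executable on its own instead
        return exe.file_size, compressed_size(exe_bytes), exe_bytes


def classify(data: bytes, name: str, blocklist=frozenset()) -> str:
    """Steps 100 and 102 for one received file: 'malicious', 'clean' or 'unknown'."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        sizes = sizes_from_archive(data)
        if sizes is None:
            return "unknown"            # no executable inside: outside the method's scope
        exe_size, packed_size, exe_bytes = sizes
    elif is_executable_name(name):
        # case 2: the received file is the executable itself
        exe_size, packed_size, exe_bytes = len(data), compressed_size(data), data
    else:
        return "unknown"
    if exe_size == 0:
        return "unknown"
    if packed_size / exe_size < SECOND_THRESHOLD:
        return "malicious"              # compresses far too well: zero-padded
    if exe_size < THIRD_THRESHOLD:
        # small enough for the scanners: fall back to a hash lookup (blocklist is hypothetical)
        return "malicious" if sha256_hex(exe_bytes) in blocklist else "clean"
    return "unknown"                    # large and not padded: the patent gives no further step


if __name__ == "__main__":
    padded = make_padded_executable()
    mixed = make_archive({"setup.exe": padded, "data.bin": random_bytes(4 * 1024 * 1024, 3)})
    print(classify(padded, "setup.exe"), classify(mixed, "setup.zip"))
```

The mixed archive shows why the first threshold exists: a 4 MiB incompressible data file beside the 2 MiB padded executable makes the archive about twice the executable's size, so using the archive size would give a ratio near 2 and miss the padding; because the executable is only about a third of the archive's content, the code recompresses it alone and the ratio drops to about 0.03. The `is_zipfile` check looks for the zip end-of-central-directory signature rather than trusting the name, but the executable trigger is still extension-only, as in the patent.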
As shown in Fig. 2 and Fig. 3, an embodiment of the invention provides a malicious file detection apparatus. The apparatus embodiments may be implemented in software, in hardware, or in a combination of the two. On the hardware side, Fig. 2 shows the hardware architecture of a computing device hosting the apparatus; besides the processor, memory, network interface and non-volatile storage shown in Fig. 2, the computing device may also include other hardware, such as a forwarding chip for packet processing. Taking a software implementation as an example, Fig. 3 shows the apparatus as a logical device formed when the CPU of the computing device reads the corresponding program from non-volatile storage into memory and runs it. The apparatus provided by this embodiment comprises:
a file size determining unit 301, configured to determine, when an executable file is detected as received, the size of the executable file and the size of its corresponding compressed archive;
a malicious file determining unit 302, configured to determine whether the executable file is malicious from the ratio between the size of the executable file and the size of its corresponding compressed archive.
In an embodiment, referring to Fig. 4, the apparatus may further comprise:
a detecting unit 303, configured to inspect a received file to be detected;
a judging and processing unit 304, configured to judge whether the file to be detected is in a compressed-archive format; if it is, to read the extension of each file in the archive and determine whether an executable file is present; and if it is not, to determine from the extension of the file to be detected whether it is an executable file.
In an embodiment, when determining the size of the executable file and the size of its corresponding compressed archive, the file size determining unit 301 is specifically configured, if the file to be detected is a compressed archive, to read the executable in the archive and determine the size of the executable and the size of its corresponding compressed archive.
In an embodiment, when determining the compressed size corresponding to the executable with reference to the executable's size, the file size determining unit 301 is specifically configured to: determine the total size of all files in the archive; judge whether the ratio of the executable's size to that total exceeds a first threshold; if so, take the size of the archive as the compressed size corresponding to the executable; and if not, extract the executable from the archive, compress it to obtain a compressed archive, and take that archive's size as the compressed size corresponding to the executable.
In an embodiment, when determining the size of the executable file and the size of its corresponding compressed archive, the file size determining unit 301 is specifically configured, if the file to be detected is not a compressed archive, to take the size of the file to be detected as the size of the executable, compress the file to obtain a compressed archive, and take that archive's size as the compressed size corresponding to the executable.
In an embodiment, the malicious file determining unit 302 is specifically configured to: judge whether the ratio of the compressed size corresponding to the executable to the size of the executable is below a second threshold, and if so, determine that the executable is malicious.
In an embodiment, after judging whether that ratio is below the second threshold, the malicious file determining unit 302 is further configured to: if the ratio is not below the second threshold, further judge whether the size of the executable is below a third threshold, and if so, perform hash detection on the executable to determine whether it is malicious.
It is to be understood that the structure shown in the embodiment of the present invention does not specifically limit a malicious file detection apparatus. In other embodiments of the invention, a malicious file detection apparatus may include more or fewer components than shown, or combine certain components, or split certain components, or a different arrangement of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
Because the information exchange, execution flow and so on among the modules of the apparatus are based on the same concept as the method embodiment of the present invention, the specifics can be found in the description of the method embodiment and are not repeated here.
The embodiment of the invention also provides a computing device, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to realize the malicious file detection method in any embodiment of the invention.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the computer program causes the processor to execute a malicious file detection method in any embodiment of the present invention.
Specifically, a system or an apparatus equipped with a storage medium on which software program codes that realize the functions of any of the above-described embodiments are stored may be provided, and a computer (or a CPU or MPU) of the system or the apparatus is caused to read out and execute the program codes stored in the storage medium.
In this case, the program code itself read from the storage medium can realize the functions of any of the above-described embodiments, and thus the program code and the storage medium storing the program code constitute a part of the present invention.
Examples of the storage medium for supplying the program code include a floppy disk, a hard disk, a magneto-optical disk, an optical disk (e.g., CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD + RW), a magnetic tape, a nonvolatile memory card, and a ROM. Alternatively, the program code may be downloaded from a server computer via a communications network.
Further, it should be clear that the functions of any one of the above-described embodiments may be implemented not only by executing the program code read out by the computer, but also by causing an operating system or the like operating on the computer to perform a part or all of the actual operations based on instructions of the program code.
Further, it is to be understood that the program code read out from the storage medium is written to a memory provided in an expansion board inserted into the computer or to a memory provided in an expansion module connected to the computer, and then causes a CPU or the like mounted on the expansion board or the expansion module to perform part or all of the actual operations based on instructions of the program code, thereby realizing the functions of any of the above-described embodiments.
The embodiments of the invention have at least the following beneficial effects:
1. In an embodiment of the invention, when the device detects that an executable file has been received, the size of the executable file and the size of the compressed packet corresponding to it are determined, and the proportional relationship between the two is used to decide whether the executable file is a malicious file. Detection therefore rests on the file compression principle rather than on any limit on the size of the executable file: whether the executable is malicious can be detected regardless of how large it is, which improves the security of the device.
2. In an embodiment of the invention, the scheme does not rely on feature-based (signature) detection of malicious code and therefore has a degree of universality. Because the detection only compares the size of the executable file with the size of its corresponding compressed packet, it occupies little memory and has little impact on system performance, so it can effectively protect the security of the user's system and prevent a malicious file from being executed when the user is targeted by a phishing e-mail.
3. In an embodiment of the invention, when the file to be detected is in a compressed-package format, the size of the executable file is determined by reading the executable file inside the file to be detected, and the size of the corresponding compressed packet is determined from the size of the executable file. This ensures that the compressed-packet size is determined accurately in that case and improves the accuracy of malicious file detection.
4. In an embodiment of the invention, when the file to be detected is not in a compressed-package format, both the size of the executable file and the size of its corresponding compressed packet are obtained directly and are therefore accurate, which makes the malicious file detection result more accurate.
5. In an embodiment of the invention, after the executable file has been judged non-malicious by the proportional relationship between its size and the size of its corresponding compressed packet, hash detection is performed on the executable file, so that a malicious file is less likely to be missed and system security is further improved.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an …" does not exclude the presence of other similar elements in a process, method, article, or apparatus that comprises the element.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A malicious file detection method, comprising:
when it is detected that an executable file has been received, determining the size of the executable file and the size of a compressed packet corresponding to the executable file; and
determining whether the executable file is a malicious file according to the proportional relationship between the size of the executable file and the size of the compressed packet corresponding to the executable file.
2. The method of claim 1, further comprising, before detecting that the executable file has been received:
detecting a received file to be detected; and
judging whether the format of the file to be detected is a compressed-package format; if it is, reading the extension of each file in the file to be detected and determining whether an executable file exists; and if it is not, determining whether the file to be detected is an executable file according to the extension of the file to be detected.
3. The method of claim 2, wherein determining the size of the executable file and the size of the compressed packet corresponding to the executable file comprises:
if the format of the file to be detected is a compressed-package format, reading the executable file in the file to be detected, and determining the size of the executable file and the size of the compressed packet corresponding to the executable file.
4. The method of claim 3, wherein determining the size of the compressed packet corresponding to the executable file comprises:
determining the total size of all compressed files in the file to be detected; and
judging whether the ratio of the size of the executable file to the total size is larger than a first threshold; if so, taking the size of the file to be detected as the size of the compressed packet corresponding to the executable file; and if not, decompressing the file to be detected to obtain the executable file, compressing the executable file to obtain a compressed packet, and taking the size of that compressed packet as the size of the compressed packet corresponding to the executable file.
5. The method of claim 2, wherein determining the size of the executable file and the size of the compressed packet corresponding to the executable file comprises:
if the format of the file to be detected is not a compressed-package format, taking the size of the file to be detected as the size of the executable file, compressing the file to be detected to obtain a compressed packet, and taking the size of the resulting compressed packet as the size of the compressed packet corresponding to the executable file.
6. The method according to any one of claims 1 to 5, wherein determining whether the executable file is a malicious file according to the proportional relationship between the size of the executable file and the size of the compressed packet corresponding to the executable file comprises:
judging whether the ratio of the size of the compressed packet corresponding to the executable file to the size of the executable file is smaller than a second threshold, and if so, determining that the executable file is a malicious file.
7. The method of claim 6, further comprising, after judging whether the ratio of the size of the compressed packet corresponding to the executable file to the size of the executable file is smaller than the second threshold:
if the ratio is not smaller than the second threshold, further judging whether the size of the executable file is smaller than a third threshold, and if so, performing hash detection on the executable file to determine whether the executable file is a malicious file.
8. A malicious file detection apparatus, comprising:
a file size determining unit, configured to determine the size of an executable file and the size of a compressed packet corresponding to the executable file when it is detected that the executable file has been received; and
a malicious file determining unit, configured to determine whether the executable file is a malicious file according to the proportional relationship between the size of the executable file and the size of the compressed packet corresponding to the executable file.
9. A computing device comprising a memory in which a computer program is stored and a processor which, when executing the computer program, implements the method of any one of claims 1 to 7.
10. A computer-readable storage medium on which a computer program is stored which, when executed by a computer, causes the computer to carry out the method of any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111305669.8A CN114003907A (en) 2021-11-05 2021-11-05 Malicious file detection method and device, computing equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114003907A true CN114003907A (en) 2022-02-01

Family

ID=79928105

Country Status (1)

Country Link
CN (1) CN114003907A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116578536A (en) * 2023-07-12 2023-08-11 北京安天网络安全技术有限公司 File detection method, storage medium and electronic device
CN116578536B (en) * 2023-07-12 2023-09-22 北京安天网络安全技术有限公司 File detection method, storage medium and electronic device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination