CN114003914A - File security detection method and device, electronic equipment and storage medium (Google Patents)

Info

Publication number: CN114003914A
Authority: CN (China)
Prior art keywords: searching, file, detected, killing, killing result
Legal status: Pending
Application number: CN202111644983.9A
Other languages: Chinese (zh)
Inventors: 刘斐然, 赵林林, 童兆丰, 薛锋
Current Assignee: Beijing ThreatBook Technology Co Ltd
Original Assignee: Beijing ThreatBook Technology Co Ltd
Application filed by Beijing ThreatBook Technology Co Ltd
Priority to CN202111644983.9A
Publication of CN114003914A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements; eliminating virus, restoring damaged files
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine

Abstract

The embodiments of the present application provide a file security detection method, a file security detection apparatus, an electronic device and a storage medium. The method includes: receiving mirrored traffic from a server deployed at an enterprise communication gateway; generating a file to be detected from the mirrored traffic; obtaining a first scan result of the file to be detected from the local side, a second scan result from a cloud antivirus engine and a third scan result from a cloud sandbox; and obtaining the security status of the file to be detected from the first, second and third scan results. According to the above embodiments, the accuracy of virus detection can be improved.

Description

File security detection method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for detecting security of a file, an electronic device, and a computer-readable storage medium.
Background
In recent years virus outbreaks have become frequent, and the main target of attack has shifted from individual users to enterprises, so virus detection and removal inside the enterprise is very important. In the related art, a virus detection program is installed on each individual endpoint, and that endpoint performs virus removal by running the program.
Firstly, scanning with a local antivirus engine cannot cover all terminals: because some enterprises cannot manage and control every external device, there is no guarantee that every device has effective antivirus software installed. Secondly, as antivirus-evasion techniques become more widespread and more advanced, and because a local antivirus engine has only a single feature library, the miss rate of detection that relies solely on the local antivirus engine keeps rising; in practical application and testing, a virus that has undergone antivirus-evasion processing cannot be effectively detected by the local antivirus engine alone.
Disclosure of Invention
An object of the embodiments of the present application is to provide a method and an apparatus for detecting security of a file, an electronic device, and a storage medium, which can effectively detect a virus file.
In a first aspect, an embodiment of the present application provides a method for detecting security of a file, including:
receiving mirrored traffic from a server deployed at an enterprise communication gateway;
generating a file to be detected from the mirrored traffic;
obtaining a first scan result of the file to be detected from the local side, a second scan result from a cloud antivirus engine and a third scan result from a cloud sandbox, and obtaining the security status of the file to be detected from the first, second and third scan results.
In this implementation, because the server is deployed at the enterprise communication gateway, the mirrored traffic of enterprise communication can be acquired without affecting the efficiency of internal communication or of the internal devices. The file to be detected is generated from the mirrored traffic, so files transmitted during enterprise communication can be detected. The security status of the file to be detected is then obtained from the first scan result (local), the second scan result (cloud antivirus engine) and the third scan result (cloud sandbox).
Further, after the step of generating the file to be detected from the mirrored traffic, the method further includes:
acquiring the MD5 value of the file to be detected;
judging, from the MD5 value, whether the file to be detected is in a whitelist;
and if so, judging the file to be detected to be a safe file.
In this implementation, whether the file to be detected is safe can be judged quickly from its MD5 value and the whitelist; if it is safe, it is not detected further. This filtering step takes less time than the virus scanning process, and because it reduces the number of subsequent files that need scanning, the detection efficiency is improved.
Further, the step of obtaining the first scan result from the local side, the second scan result from the cloud antivirus engine and the third scan result from the cloud multi-engine scan of the file to be detected, and obtaining the security status of the file to be detected from the first, second and third scan results, includes:
acquiring a first scan record of the file to be detected from the local side;
judging whether the first scan record is a malicious result;
if so, issuing alarm information;
if not, scanning the file to be detected with a local antivirus engine to obtain the first scan result;
judging whether the first scan result is a malicious result;
if so, issuing alarm information;
and if not, acquiring the second and third scan results, and obtaining the security status of the file to be detected from the second and third scan results.
In this implementation, if the first (local) scan result is malicious, the file to be detected is a malicious file, so alarm information can be issued directly without running the subsequent detection process on it. This improves the detection efficiency.
Further, the step of obtaining the second and third scan results and obtaining the security status of the file to be detected from them includes:
acquiring a second scan record of the file to be detected from the cloud antivirus engine;
judging whether the second scan record is a malicious result;
if so, issuing alarm information;
if not, compressing the file to be detected, transmitting it to the cloud antivirus engine for detection, and acquiring the second scan result;
judging whether the second scan result is a malicious result;
if so, issuing alarm information;
and if not, acquiring the third scan result, and obtaining the security status of the file to be detected from the third scan result.
In this implementation, if the second (cloud) scan result is malicious, the file to be detected is a malicious file, so alarm information can be issued directly without running the subsequent scanning process. This improves the detection efficiency.
Further, the step of obtaining the third scan result and obtaining the security status of the file to be detected from it includes:
transmitting the file to be detected to a cloud sandbox for execution, acquiring the third scan result, and obtaining the security status of the file to be detected from the third scan result.
In this implementation, the file to be detected is executed in the cloud sandbox, so its security status can be acquired rapidly.
Further, after the step of obtaining the first scan result from the local side, the second scan result from the cloud antivirus engine and the third scan result from the cloud sandbox, and obtaining the security status of the file to be detected from the first, second and third scan results, the method further includes:
storing the security status of the file to be detected locally.
In this implementation, subsequent files to be detected can be detected conveniently and alarm information issued. In particular, because the security status of the file is stored locally, if the same file is encountered again its security status can be determined without going through the cloud.
In a second aspect, an embodiment of the present application provides an apparatus for detecting security of a file, the apparatus including:
a receiving module, used for receiving mirrored traffic from a server deployed at an enterprise communication gateway;
a generating module, used for generating the file to be detected from the mirrored traffic;
a detection module, used for obtaining a first scan result of the file to be detected from the local side, a second scan result from the cloud antivirus engine and a third scan result from the cloud sandbox, and obtaining the security status of the file to be detected from the first, second and third scan results.
In this implementation, because the server is deployed at the enterprise communication gateway, the mirrored traffic of enterprise communication can be acquired without affecting the efficiency of internal communication or of the internal devices. The file to be detected is generated from the mirrored traffic, so files transmitted during enterprise communication can be detected. The security status of the file to be detected is then obtained from the first scan result (local), the second scan result (cloud antivirus engine) and the third scan result (cloud sandbox).
Further, the apparatus further includes:
an acquisition module, used for acquiring the MD5 value of the file to be detected;
a judging module, used for judging, from the MD5 value, whether the file to be detected is in a whitelist, and if so, judging it to be a safe file.
In this implementation, whether the file to be detected is safe can be judged quickly from its MD5 value and the whitelist, which improves the detection efficiency.
In a third aspect, an embodiment of the present application provides an electronic device including a memory, a processor and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the method of any implementation of the first aspect when executing the computer program.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium having instructions stored thereon, which, when executed on a computer, cause the computer to perform the method according to any one of the first aspect.
Additional features and advantages of the disclosure will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the above-described techniques.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic flowchart of a method for detecting security of a file according to an embodiment of the present application;
Fig. 2 is a schematic flowchart of obtaining the security status of a file from the first, second and third scan results according to an embodiment of the present application;
Fig. 3 is a schematic flowchart of obtaining the security status of a file from the second and third scan results according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a file security detection apparatus according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
Example 1
Referring to Fig. 1, an embodiment of the present application provides a method for detecting security of a file, including:
S1: receiving mirrored traffic from a server deployed at an enterprise communication gateway;
S2: generating a file to be detected from the mirrored traffic;
S3: obtaining a first scan result of the file to be detected from the local side, a second scan result from a cloud antivirus engine and a third scan result from a cloud sandbox, and obtaining the security status of the file to be detected from the first, second and third scan results.
In this implementation, because the server is deployed at the enterprise communication gateway, the mirrored traffic of enterprise communication can be acquired without affecting the efficiency of internal communication or of the internal devices. The file to be detected is generated from the mirrored traffic, so files transmitted during enterprise communication can be detected. The security status of the file to be detected is then obtained from the first scan result (local), the second scan result (cloud antivirus engine) and the third scan result (cloud sandbox).
Further, after S1, the method further includes: acquiring the MD5 value of the file to be detected; judging, from the MD5 value, whether the file to be detected is in a whitelist; and if so, judging it to be a safe file.
In this implementation, whether the file to be detected is safe can be judged quickly from its MD5 value and the whitelist, which improves the detection efficiency.
Further, referring to Fig. 2, S3 includes the following steps:
S31: acquiring a first scan record of the file to be detected from the local side;
S32: judging whether the first scan record is a malicious result; if so, executing S33, otherwise executing S34;
S33: issuing alarm information;
S34: scanning the file to be detected with a local antivirus engine to obtain the first scan result;
S35: judging whether the first scan result is a malicious result; if so, executing S33, otherwise executing S36;
S36: acquiring the second and third scan results, and obtaining the security status of the file to be detected from the second and third scan results.
In this implementation, if the first (local) scan result is malicious, the file to be detected is a malicious file, so alarm information can be issued directly. This improves the detection efficiency.
Further, referring to Fig. 3, S36 includes the following sub-steps:
S361: acquiring a second scan record of the file to be detected from the cloud antivirus engine;
in the above embodiment, the second scan record may be looked up by the MD5 value of the file to be detected, the cloud storing second scan records indexed by that MD5 value;
S362: judging whether the second scan record is a malicious result; if so, executing S363, otherwise executing S364;
S363: issuing alarm information;
S364: compressing the file to be detected, transmitting it to the cloud antivirus engine for detection, and acquiring the second scan result;
S365: judging whether the second scan result is a malicious result; if so, executing S363, otherwise executing S366;
S366: acquiring the third scan result, and obtaining the security status of the file to be detected from the third scan result.
In this implementation, if the second (cloud) scan result is malicious, the file to be detected is a malicious file, so alarm information can be issued directly. This improves the detection efficiency.
Further, S367 includes: transmitting the file to be detected to a cloud sandbox for execution, acquiring the third scan result, and obtaining the security status of the file to be detected from the third scan result.
In this implementation, the file to be detected is executed in the cloud sandbox, so its security status can be acquired rapidly.
Further, after S3, the method further includes: storing the security status of the file to be detected locally.
In this embodiment, subsequent files to be detected can be detected conveniently and alarm information issued. In particular, because the security status of the file is stored locally, if the same file is encountered again its security status can be determined without going through the cloud.
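The tiered pipeline of the first aspect and of Example 1 (whitelist filter, S31 to S36, S361 to S367, then local storage of the verdict), written out as an added illustration that is not the patentee's code. The engines are constructed stand-ins keyed on marker strings, `Verdict.stage` and `cloud_uploads` are assumed bookkeeping fields so the short-circuiting at each tier is observable, and a stored safe verdict is taken to answer a repeat of the same file, as the text says the cloud need not be consulted again.

```python
"""Tiered detection pipeline in the order the patent describes (illustrative
sketch, not the patentee's implementation): MD5 whitelist -> local scan
record -> local engine -> cloud scan record -> cloud engine (compressed
upload) -> cloud sandbox, then the verdict is cached locally."""
import hashlib
import zlib
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

MALICIOUS = "malicious"
SAFE = "safe"

# An engine takes file bytes and returns MALICIOUS or SAFE.
Engine = Callable[[bytes], str]


@dataclass
class Verdict:
    status: str   # MALICIOUS or SAFE
    stage: str    # tier that decided, so operators can see which one fired
    alert: bool   # True where the patent says "issue alarm information"


@dataclass
class FileSecurityDetector:
    local_engine: Engine
    cloud_engine: Engine      # receives the compressed file (step S364)
    cloud_sandbox: Engine
    whitelist: Set[str] = field(default_factory=set)
    local_records: Dict[str, str] = field(default_factory=dict)
    cloud_records: Dict[str, str] = field(default_factory=dict)  # cloud side, MD5-indexed
    cloud_uploads: int = 0    # how many times file content left the gateway

    @staticmethod
    def digest(data: bytes) -> str:
        # The patent keys the whitelist and records by MD5.  Caveat: MD5 is
        # collision-prone, so a real deployment should key by SHA-256 as well.
        return hashlib.md5(data).hexdigest()

    def _finish(self, md5: str, status: str, stage: str) -> Verdict:
        # "Store the security status of the file locally" (after S3), so a
        # repeat of the same file never needs the cloud again.
        self.local_records[md5] = status
        return Verdict(status, stage, alert=(status == MALICIOUS))

    def detect(self, data: bytes) -> Verdict:
        md5 = self.digest(data)
        # Filtering step after S1/S2: a whitelisted hash means no further work.
        if md5 in self.whitelist:
            return Verdict(SAFE, "whitelist", alert=False)
        # S31/S32: a stored local record answers without rescanning.
        cached: Optional[str] = self.local_records.get(md5)
        if cached is not None:
            return Verdict(cached, "local_record", alert=(cached == MALICIOUS))
        # S34/S35: local antivirus engine scan.
        if self.local_engine(data) == MALICIOUS:
            return self._finish(md5, MALICIOUS, "local_engine")
        # S361/S362: cloud scan record looked up by MD5 (no upload needed).
        if self.cloud_records.get(md5) == MALICIOUS:
            return self._finish(md5, MALICIOUS, "cloud_record")
        # S364/S365: compress and submit to the cloud antivirus engine.
        self.cloud_uploads += 1
        if self.cloud_engine(zlib.compress(data)) == MALICIOUS:
            return self._finish(md5, MALICIOUS, "cloud_engine")
        # S366/S367: cloud sandbox execution decides everything that remains.
        self.cloud_uploads += 1
        return self._finish(md5, self.cloud_sandbox(data), "cloud_sandbox")


def marker_engine(marker: bytes) -> Engine:
    """Constructed stand-in engine: flags any blob containing its marker."""
    return lambda blob: MALICIOUS if marker in blob else SAFE


def build_demo_detector() -> FileSecurityDetector:
    """Constructed setup; the cloud engine decompresses what the gateway sent."""
    cloud = marker_engine(b"CLOUD-EVIL")
    det = FileSecurityDetector(
        local_engine=marker_engine(b"LOCAL-EVIL"),
        cloud_engine=lambda packed: cloud(zlib.decompress(packed)),
        cloud_sandbox=marker_engine(b"SANDBOX-EVIL"),
        whitelist={FileSecurityDetector.digest(b"known good installer")},
    )
    # Constructed: a hash the cloud record store already marks as malicious.
    det.cloud_records[FileSecurityDetector.digest(b"seen elsewhere")] = MALICIOUS
    return det


if __name__ == "__main__":
    det = build_demo_detector()
    for sample in (b"known good installer", b"doc LOCAL-EVIL", b"doc CLOUD-EVIL",
                   b"seen elsewhere", b"doc SANDBOX-EVIL", b"plain doc", b"plain doc"):
        v = det.detect(sample)
        print(f"{sample!r:24} -> {v.status:9} via {v.stage:13} uploads={det.cloud_uploads}")
```

Running the script shows each sample stopping at the cheapest tier that can decide it, and the second `plain doc` being answered from the local record with no further upload.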
Example 2
Referring to Fig. 4, an embodiment of the present application provides an apparatus for detecting security of a file, including:
a receiving module 1, used for receiving mirrored traffic from a server deployed at an enterprise communication gateway;
a generating module 2, used for generating the file to be detected from the mirrored traffic;
a detection module 3, used for obtaining a first scan result of the file to be detected from the local side, a second scan result from the cloud antivirus engine and a third scan result from the cloud sandbox, and obtaining the security status of the file to be detected from the first, second and third scan results.
In this implementation, because the server is deployed at the enterprise communication gateway, the mirrored traffic of enterprise communication can be acquired without affecting the efficiency of internal communication or of the internal devices. The file to be detected is generated from the mirrored traffic, so files transmitted during enterprise communication can be detected. The security status of the file to be detected is then obtained from the first scan result (local), the second scan result (cloud antivirus engine) and the third scan result (cloud sandbox).
In one possible embodiment, the apparatus further includes:
an acquisition module, used for acquiring the MD5 value of the file to be detected;
a judging module, used for judging, from the MD5 value, whether the file to be detected is in the whitelist, and if so, judging it to be a safe file.
In this implementation, whether the file to be detected is safe can be judged quickly from its MD5 value and the whitelist, which improves the detection efficiency.
In a possible implementation, the detection module 3 is further configured to acquire a first scan record of the file to be detected from the local side; judge whether the first scan record is a malicious result; if so, issue alarm information; if not, scan the file to be detected with a local antivirus engine to obtain a first scan result; judge whether the first scan result is a malicious result; if so, issue alarm information; and if not, acquire the second and third scan results and obtain the security status of the file to be detected from them.
In a possible implementation, the detection module 3 is further configured to acquire a second scan record of the file to be detected from the cloud antivirus engine; judge whether the second scan record is a malicious result; if so, issue alarm information; if not, compress the file to be detected, transmit it to the cloud antivirus engine for detection, and acquire a second scan result; judge whether the second scan result is a malicious result; if so, issue alarm information; and if not, acquire a third scan result and obtain the security status of the file to be detected from it.
In a possible implementation, the detection module 3 is further configured to transmit the file to be detected to the cloud sandbox for execution, acquire a third scan result, and obtain the security status of the file to be detected from it.
In a possible implementation, the apparatus further includes a saving module, used for storing the security status of the file to be detected.
Example 3
Fig. 5 shows a structural block diagram of an electronic device according to an embodiment of the present application. The electronic device may include a processor 51, a communication interface 52, a memory 53 and at least one communication bus 54, where the communication bus 54 is used to realise direct connection communication between these components. In this embodiment, the communication interface 52 of the electronic device is used for signalling or data communication with other node devices. The processor 51 may be an integrated circuit chip with signal processing capability.
The Processor 51 may be a general-purpose Processor including a Central Processing Unit (CPU), a Network Processor (NP), and the like; but may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), an off-the-shelf programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components. The various methods, steps, and logic blocks disclosed in the embodiments of the present application may be implemented or performed. A general purpose processor may be a microprocessor or the processor 51 may be any conventional processor or the like.
The Memory 53 may be, but is not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Read-Only Memory (EPROM), an electrically Erasable Read-Only Memory (EEPROM), and the like. The memory 53 stores computer readable instructions, which when executed by the processor 51, enable the electronic device to perform the steps involved in the above-described method embodiments.
Optionally, the electronic device may further include a memory controller, an input output unit.
The memory 53, the memory controller, the processor 51, the peripheral interface, and the input/output unit are electrically connected to each other directly or indirectly to implement data transmission or interaction. For example, these components may be electrically connected to each other via one or more communication buses 54. The processor 51 is adapted to execute executable modules stored in the memory 53, such as software functional modules or computer programs comprised by the electronic device.
The input/output unit is used to provide a means for a user to create a task and to start it in an optional time period or at a preset execution time, so as to realise interaction between the user and the server. The input/output unit may be, but is not limited to, a mouse, a keyboard and the like.
It will be appreciated that the configuration shown in fig. 5 is merely illustrative and that the electronic device may include more or fewer components than shown in fig. 5 or may have a different configuration than shown in fig. 5. The components shown in fig. 5 may be implemented in hardware, software, or a combination thereof.
An embodiment of the present application further provides a storage medium storing instructions; when the instructions are run on a computer, the method of the method embodiments is implemented. To avoid repetition, details are not repeated here.
The present application also provides a computer program product which, when run on a computer, causes the computer to perform the method of the method embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A method for detecting the security of a file is characterized by comprising the following steps:
receiving mirror image flow of a server deployed at an enterprise communication gateway;
generating a file to be detected according to the mirror image flow;
obtaining a first local searching and killing result of the file to be detected, a second searching and killing result of a cloud antivirus engine and a third searching and killing result of a cloud sandbox, and obtaining the security of the file to be detected according to the first searching and killing result, the second searching and killing result and the third searching and killing result.
2. The method for detecting the security of the file according to claim 1, wherein after the step of generating the file to be detected according to the mirror flow, the method further comprises:
acquiring an MD5 value of the file to be detected;
judging whether the file to be detected is in a white list or not according to the MD5 value of the file to be detected;
and if so, judging the file to be detected as a safe file.
3. The method for detecting the security of the file according to claim 2, wherein the step of obtaining a first local searching and killing result, a second searching and killing result and a third searching and killing result of the file to be detected, the third searching and killing result being scanned by multiple cloud engines, and obtaining the security of the file to be detected according to the first searching and killing result, the second searching and killing result and the third searching and killing result comprises:
acquiring a first searching and killing record of the file to be detected in the local area;
judging whether the first searching and killing record is a malicious result;
if yes, sending out alarm information;
if not, scanning the file to be detected by using a local antivirus engine to obtain the first searching and killing result;
judging whether the first searching and killing result is a malicious result or not;
if yes, sending out alarm information;
and if not, acquiring the second searching and killing result and the third searching and killing result, and acquiring the safety of the file to be detected according to the second searching and killing result and the third searching and killing result.
4. The method for detecting the security of the file according to claim 3, wherein the step of obtaining the second and third searching and killing results and obtaining the security of the file to be detected according to the second and third searching and killing results comprises:
acquiring a second searching and killing record of the file to be detected in a cloud antivirus engine;
judging whether the second searching and killing record is a malicious result;
if yes, sending out alarm information;
if not, compressing the file to be detected, transmitting the file to be detected to the cloud antivirus engine for detection, and acquiring the second searching and killing result;
judging whether the second searching and killing result is a malicious result or not;
if yes, sending out alarm information;
and if not, acquiring the third searching and killing result, and acquiring the safety of the file to be detected according to the third searching and killing result.
5. The method for detecting the security of the file according to claim 4, wherein the step of obtaining the third searching and killing result and obtaining the security of the file to be detected according to the third searching and killing result comprises:
and transmitting the file to be detected to a cloud sandbox for operation, acquiring the third searching and killing result, and acquiring the security of the file to be detected according to the third searching and killing result.
6. The method for detecting the security of the file according to claim 1, wherein after the steps of obtaining a first local searching and killing result of the file to be detected, a second searching and killing result of the file to be detected, and a third searching and killing result of the file to be detected in a cloud sandbox, and obtaining the security of the file to be detected according to the first searching and killing result, the second searching and killing result, and the third searching and killing result, the method further comprises:
and storing the security of the file to be detected locally.
7. A device for detecting the security of a document, comprising:
the receiving module is used for receiving the mirror image flow of the server deployed at the enterprise communication gateway;
the generating module is used for generating the file to be detected according to the mirror image flow;
the detection module is used for acquiring a first local searching and killing result of the file to be detected, a second searching and killing result of the cloud antivirus engine and a third searching and killing result of the cloud sandbox, and acquiring the security of the file to be detected according to the first searching and killing result, the second searching and killing result and the third searching and killing result.
8. The apparatus for detecting the security of a document according to claim 7, wherein the apparatus further comprises:
the acquisition module is used for acquiring the MD5 value of the file to be detected;
the judging module is used for judging whether the file to be detected is in a white list or not according to the MD5 value of the file to be detected; and if so, judging the file to be detected as a safe file.
9. An electronic device, comprising: memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing a method of security detection of a document according to any one of claims 1 to 6 when executing the computer program.
10. A computer-readable storage medium having stored thereon instructions which, when run on a computer, cause the computer to perform a method of security detection of a document according to any one of claims 1 to 6.
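The tiered flow of claims 1 to 6, written out as an added example that is not the applicant's code and is not taken from the patent: an MD5 whitelist short-circuit, a local record check and local engine scan, a cloud record check and a compressed hand-off to a multi-engine cloud scan, and finally a sandbox verdict, with every verdict stored locally. The local engine, the cloud engines, the sandbox, the whitelist and the sample files are all constructed for the demo; the `Pipeline`, `Verdict` and `run_demo` names are the example's own. The example goes slightly beyond the claims in counting engine invocations, so that a re-submitted file can be shown to be answered from the stored record rather than re-sent to the cloud.

```python
"""Tiered file-verdict pipeline modelled on claims 1-6 (added illustration).

Engines, sandbox, whitelist and sample inputs below are constructed for
the demo; they stand in for real products and are not the applicant's code.
"""
import hashlib
import zlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

MALICIOUS, SAFE = "malicious", "safe"
Engine = Callable[[bytes], str]

# Constructed signatures: one list per simulated cloud engine.
LOCAL_SIGNATURES = [b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"]
CLOUD_SIGNATURES = [[b"cmd.exe /c"], [b"-EncodedCommand"]]


def local_engine(data: bytes) -> str:
    """Stand-in for the local antivirus engine (claim 3): plain byte signatures."""
    return MALICIOUS if any(s in data for s in LOCAL_SIGNATURES) else SAFE


def cloud_engine(compressed: bytes) -> str:
    """Cloud side: receives the compressed file (claim 4) and fans it out to several engines."""
    data = zlib.decompress(compressed)
    return MALICIOUS if any(any(s in data for s in sigs) for sigs in CLOUD_SIGNATURES) else SAFE


def sandbox(data: bytes) -> str:
    """Toy behaviour monitor (claim 5): interprets a constructed line-based script and
    flags the read-user-files-then-send pattern, which no single signature catches."""
    read_user, sent_out = False, False
    for line in data.decode("utf-8", "replace").splitlines():
        op, _, arg = line.partition(" ")
        if op == "read" and arg.startswith("/home/"):
            read_user = True
        elif op == "send" and read_user:
            sent_out = True
    return MALICIOUS if sent_out else SAFE


@dataclass
class Verdict:
    md5: str
    sha256: str    # recorded next to MD5 so stored records are not keyed on MD5 alone
    security: str  # "safe" or "malicious"
    stage: str     # tier that decided: whitelist, local-record, local-engine, cloud-record, cloud-engine, sandbox


class Pipeline:
    def __init__(self, whitelist_md5, local: Engine, cloud: Engine, box: Engine):
        self.whitelist = set(whitelist_md5)
        self.local, self.cloud, self.box = local, cloud, box
        self.local_records: Dict[str, str] = {}  # claim 3: first searching and killing record
        self.cloud_records: Dict[str, str] = {}  # claim 4: second searching and killing record
        self.stored: Dict[str, Verdict] = {}     # claim 6: security stored locally
        self.alerts: List[str] = []
        self.calls = {"local": 0, "cloud": 0, "sandbox": 0}

    def _finish(self, md5: str, sha256: str, security: str, stage: str) -> Verdict:
        verdict = Verdict(md5, sha256, security, stage)
        if security == MALICIOUS:
            self.alerts.append(f"{stage}: {md5}")  # "sending out alarm information"
        self.stored[md5] = verdict
        return verdict

    def detect(self, data: bytes) -> Verdict:
        md5 = hashlib.md5(data).hexdigest()
        sha256 = hashlib.sha256(data).hexdigest()
        if md5 in self.whitelist:                                     # claim 2
            return self._finish(md5, sha256, SAFE, "whitelist")
        if self.local_records.get(md5) == MALICIOUS:                  # claim 3: cached record
            return self._finish(md5, sha256, MALICIOUS, "local-record")
        self.calls["local"] += 1
        first = self.local_records[md5] = self.local(data)            # claim 3: first result
        if first == MALICIOUS:
            return self._finish(md5, sha256, MALICIOUS, "local-engine")
        if self.cloud_records.get(md5) == MALICIOUS:                  # claim 4: cached record
            return self._finish(md5, sha256, MALICIOUS, "cloud-record")
        self.calls["cloud"] += 1
        second = self.cloud_records[md5] = self.cloud(zlib.compress(data))  # claim 4: second result
        if second == MALICIOUS:
            return self._finish(md5, sha256, MALICIOUS, "cloud-engine")
        self.calls["sandbox"] += 1
        third = self.box(data)                                        # claim 5: third result
        return self._finish(md5, sha256, third, "sandbox")


# Constructed sample files (no real malware; 203.0.113.5 is a documentation address).
KNOWN_GOOD = b"Quarterly report, nothing to see here.\n"
LOCAL_HIT = b"test marker EICAR-STANDARD-ANTIVIRUS-TEST-FILE end\n"
CLOUD_HIT = b"start cmd.exe /c whoami\n"
EXFIL_SCRIPT = b"read /home/alice/keys.txt\nsend 203.0.113.5\n"
CLEAN_SCRIPT = b"read /etc/hostname\nsend 203.0.113.5\n"


def run_demo() -> Tuple[Pipeline, Dict[str, str]]:
    """Runs every sample through the tiers and returns the pipeline plus the deciding stage per sample."""
    p = Pipeline([hashlib.md5(KNOWN_GOOD).hexdigest()], local_engine, cloud_engine, sandbox)
    samples = [("good", KNOWN_GOOD), ("local", LOCAL_HIT), ("cloud", CLOUD_HIT),
               ("exfil", EXFIL_SCRIPT), ("clean", CLEAN_SCRIPT)]
    stages = {name: p.detect(blob).stage for name, blob in samples}
    stages["cloud_again"] = p.detect(CLOUD_HIT).stage  # answered from the cloud record, not re-sent
    return p, stages


if __name__ == "__main__":
    pipeline, decided = run_demo()
    for name, stage in decided.items():
        print(f"{name:12s} -> {stage}")
    print("alerts:", pipeline.alerts, "engine calls:", pipeline.calls)
```

Two design points worth noting. The record checks only short-circuit on a previously malicious verdict, exactly as claims 3 and 4 word it, so a file once judged safe is still rescanned locally on the next submission; this keeps a stale "safe" record from masking an engine update. The whitelist is keyed on MD5 because that is what claim 2 specifies; since MD5 collisions are practical, the stored `Verdict` also carries SHA-256 so that any longer-lived allow or deny list can be keyed on the stronger hash.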

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111644983.9A CN114003914A (en) 2021-12-30 2021-12-30 File security detection method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111644983.9A CN114003914A (en) 2021-12-30 2021-12-30 File security detection method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114003914A true CN114003914A (en) 2022-02-01

Family

ID=79932353

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111644983.9A Pending CN114003914A (en) 2021-12-30 2021-12-30 File security detection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114003914A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106909847A (en) * 2017-02-17 2017-06-30 国家计算机网络与信息安全管理中心 A kind of method of Malicious Code Detection, apparatus and system
CN110516437A (en) * 2019-08-27 2019-11-29 中国信息安全测评中心 Security sweep method and device based on virtualized environment
CN111859381A (en) * 2019-04-29 2020-10-30 深信服科技股份有限公司 File detection method, device, equipment and medium
CN112052454A (en) * 2020-10-12 2020-12-08 腾讯科技(深圳)有限公司 Method, device and equipment for searching and killing applied viruses and computer storage medium
CN113810342A (en) * 2020-06-15 2021-12-17 深信服科技股份有限公司 Intrusion detection method, device, equipment and medium

Similar Documents

Publication Publication Date Title
US11570211B1 (en) Detection of phishing attacks using similarity analysis
CN110177108B (en) Abnormal behavior detection method, device and verification system
CN108471429B (en) Network attack warning method and system
CN113661693A (en) Detecting sensitive data exposure via logs
CN103679031B (en) A kind of immune method and apparatus of file virus
CN109376078B (en) Mobile application testing method, terminal equipment and medium
US9830452B2 (en) Scanning device, cloud management device, method and system for checking and killing malicious programs
CN110602135B (en) Network attack processing method and device and electronic equipment
KR101132197B1 (en) Apparatus and Method for Automatically Discriminating Malicious Code
CN107395650B (en) Method and device for identifying Trojan back connection based on sandbox detection file
CN113992431B (en) Linkage blocking method and device, electronic equipment and storage medium
CN112131571B (en) Threat tracing method and related equipment
EP4172823A1 (en) Deep learning-based analysis of signals for threat detection
CN116366377B (en) Malicious file detection method, device, equipment and storage medium
CN105791250B (en) Application program detection method and device
CN113886829A (en) Method and device for detecting defect host, electronic equipment and storage medium
CN115146263B (en) User account collapse detection method and device, electronic equipment and storage medium
CN109711166B (en) Vulnerability detection method and device
CN108268775B (en) Web vulnerability detection method and device, electronic equipment and storage medium
CN114003914A (en) File security detection method and device, electronic equipment and storage medium
CN116155519A (en) Threat alert information processing method, threat alert information processing device, computer equipment and storage medium
CN113656809A (en) Mirror image security detection method, device, equipment and medium
CN114004604B (en) Method and device for detecting URL data in mail and electronic equipment
CN104618427A (en) Method and device for monitoring file via network
CN115664863B (en) Network attack event processing method, device, storage medium and equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220201