CN114662090A - File processing method, device, storage medium and system - Google Patents


Info

Publication number
CN114662090A
Authority
CN
China
Prior art keywords
target
file
management
target file
control
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210177652.7A
Other languages
Chinese (zh)
Inventor
马林
雷涛
白彦庚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba China Co Ltd
Original Assignee
Alibaba China Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba China Co Ltd
Priority to CN202210177652.7A
Publication of CN114662090A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/565 Static detection by checking file integrity

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a file processing method, device, storage medium and system. The method comprises: determining the security attribute of a target file to obtain a determination result; when the determination result shows that the security attribute does not meet a preset condition, isolating the target file into a sandbox environment; and, in the sandbox environment, obtaining a target control policy matched with the target file and performing permission control on the target file based on the target control policy. The invention solves the technical problems of insufficient system support, poor processing effect and low flexibility in related-art methods that process risky files using a process-injection sandbox or a system sandbox.

Description

File processing method, device, storage medium and system

Technical field

The present invention relates to the field of computer technology, and in particular to a file processing method, device, storage medium and system.

Background

Software that a user runs within a computer operating system may include unknown software, for example rogue software, ransomware, backdoor network viruses and Trojan horse programs. Once such unknown software runs on the computer, uncontrollable situations may arise and may even lead to serious adverse consequences. Unknown software must therefore undergo a security determination before it is run. Unknown software whose security cannot be determined is usually handled by running it in isolation in a sandbox container.

In the related art, there are mainly two sandbox schemes for handling unknown software.

The first is a sandbox scheme based on process injection. The target process is injected in the sandbox, and hook functions (HOOK) are used within the target process to handle specific system application programming interfaces, thereby implementing permission control and access redirection for the target process. This scheme has lightweight environment dependencies and simple redirection operations. Its drawbacks, however, are that the injection operation reduces system stability, and that it carries risk and has a poor processing effect (the target process may discover the sandbox environment through HOOK detection and bypass it).

The second is a sandbox scheme based on Windows Hyper-V. Since Windows 10 Build 18305 and later Professional-edition operating systems added support for sandboxes, users can run unknown programs in the system sandbox. This scheme is highly stable. Its drawbacks, however, are that it does not cover all system versions, so support is insufficient, and that sandbox policies cannot be customized, so flexibility is low.

No effective solution to the above problems has yet been proposed.

Summary of the invention

Embodiments of the present invention provide a file processing method, device, storage medium and system, to at least solve the technical problems of insufficient system support, poor processing effect and low flexibility in related-art methods that process risky files using a process-injection sandbox or a system sandbox.

According to one aspect of the embodiments of the present invention, a file processing method is provided, including: determining the security attribute of a target file to obtain a determination result; when the determination result shows that the security attribute does not meet a preset condition, isolating the target file into a sandbox environment; and, in the sandbox environment, obtaining a target control policy matched with the target file and performing permission control on the target file based on the target control policy.

According to another aspect of the embodiments of the present invention, a file processing method is further provided, including: receiving a target file from a client; determining the security attribute of the target file to obtain a determination result, when the determination result shows that the security attribute does not meet a preset condition, isolating the target file into a sandbox environment, and, in the sandbox environment, obtaining a target control policy matched with the target file and performing permission control on the target file based on the target control policy; and returning a notification message to the client, where the notification message is used to notify that the target file has been isolated into the sandbox environment and is subject to permission control according to the target control policy.

According to another aspect of the embodiments of the present invention, a file processing apparatus is further provided, including: a determination module, configured to determine the security attribute of a target file to obtain a determination result; an isolation module, configured to isolate the target file into a sandbox environment when the determination result shows that the security attribute does not meet a preset condition; and a processing module, configured to obtain, in the sandbox environment, a target control policy matched with the target file and to perform permission control on the target file based on the target control policy.

According to another aspect of the embodiments of the present invention, a storage medium is further provided. The storage medium includes a stored program, where, when the program runs, the device on which the storage medium is located is controlled to execute any one of the above file processing methods.

According to another aspect of the embodiments of the present invention, a file processing system is further provided, including: a processor; and a memory, connected to the processor and configured to provide the processor with instructions for the following processing steps: determining the security attribute of a target file to obtain a determination result; when the determination result shows that the security attribute does not meet a preset condition, isolating the target file into a sandbox environment; and, in the sandbox environment, obtaining a target control policy matched with the target file and performing permission control on the target file based on the target control policy.

In the embodiments of the present invention, the security attribute of the target file is first determined to obtain a determination result, and the determination result is then used to establish whether the security attribute meets the preset condition. When the determination result shows that the security attribute does not meet the preset condition, the target file is isolated into a sandbox environment; in the sandbox environment, the target control policy matched with the target file is obtained and permission control is performed on the target file based on that policy. This achieves the purpose of isolating files and controlling their permissions through a sandbox scheme, and thereby the technical effect of reducing the risk of using the target file and improving system security with a flexible and stable scheme. It in turn solves the technical problems of insufficient system support, poor processing effect and low flexibility in related-art methods that process risky files using a process-injection sandbox or a system sandbox.

Description of drawings

The accompanying drawings described here are provided for a further understanding of the present invention and form part of this application. The exemplary embodiments of the present invention and their descriptions are used to explain the present invention and do not constitute an improper limitation of it. In the drawings:

FIG. 1 shows a block diagram of the hardware structure of a computer terminal (or mobile device) for implementing a file processing method;

FIG. 2 is a flowchart of a file processing method according to an embodiment of the present invention;

FIG. 3 is a schematic diagram of an optional process for processing unknown files according to an embodiment of the present invention;

FIG. 4 is a flowchart of another file processing method according to an embodiment of the present invention;

FIG. 5 is a schematic diagram of file processing performed on a cloud server according to an embodiment of the present invention;

FIG. 6 is a schematic structural diagram of a file processing apparatus according to an embodiment of the present invention;

FIG. 7 is a schematic structural diagram of another file processing apparatus according to an embodiment of the present invention;

FIG. 8 is a schematic structural diagram of another file processing apparatus according to an embodiment of the present invention;

FIG. 9 is a structural block diagram of another computer terminal according to an embodiment of the present invention.

Detailed description

To help those skilled in the art better understand the solutions of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings of those embodiments. The described embodiments are evidently only some of the embodiments of the present invention, not all of them. All other embodiments obtained by persons of ordinary skill in the art on the basis of the embodiments of the present invention, without creative effort, shall fall within the protection scope of the present invention.

It should be noted that the terms "first", "second" and the like in the description and claims of the present invention and in the above drawings are used to distinguish similar objects, and are not necessarily used to describe a specific order or sequence. It should be understood that data so used may be interchanged where appropriate, so that the embodiments of the present invention described here can be implemented in orders other than those illustrated or described here. Furthermore, the terms "comprising" and "having", and any variations of them, are intended to cover non-exclusive inclusion: for example, a process, method, system, product or device comprising a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.

First, some of the nouns and terms that appear in the description of the embodiments of the present invention are explained as follows:

Malicious program: an unknown program that has no legitimate signature, or that exhibits unknown behavior, or that exhibits known malicious behavior (for example, file theft, screen capture or theft of user information).

Sandbox: a virtual container in a computer that provides an isolated environment for running programs. Sandbox technology is a security mechanism in the field of computer security.

Embodiment 1

According to an embodiment of the present invention, an embodiment of a file processing method is further provided. It should be noted that the steps shown in the flowcharts of the accompanying drawings may be executed in a computer system, such as one running a set of computer-executable instructions, and that, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in an order different from the one given here.

The method embodiment provided in Embodiment 1 of the present invention may be executed in a mobile terminal, a computer terminal or a similar computing device. FIG. 1 shows a block diagram of the hardware structure of a computer terminal (or mobile device) for implementing the file processing method. As shown in FIG. 1, the computer terminal 10 (or mobile device 10) may include one or more processors 102 (shown in the figure as 102a, 102b, ..., 102n; a processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA), a memory 104 for storing data, and a transmission device 106 for communication functions. It may also include a display, a keyboard, a cursor control device (such as a mouse), an input/output interface (I/O interface), a universal serial bus (USB) port (which may be included as one of the ports of the BUS bus), a network interface, a power supply and/or a camera. Those of ordinary skill in the art will understand that the structure shown in FIG. 1 is only illustrative and does not limit the structure of the above electronic device. For example, the computer terminal 10 may include more or fewer components than shown in FIG. 1, or have a configuration different from that shown in FIG. 1.

It should be noted that the one or more processors 102 and/or other data processing circuits described above may generally be referred to here as "data processing circuits". A data processing circuit may be embodied, in whole or in part, as software, hardware, firmware or any combination of these. In addition, the data processing circuit may be a single stand-alone processing module, or be incorporated, in whole or in part, into any of the other elements of the computer terminal 10 (or mobile device). As referred to in the embodiments of the present invention, the data processing circuit acts as a kind of processor control (for example, selection of a variable resistance terminal path connected to an interface).

The memory 104 may be used to store software programs and modules of application software, such as the program instructions/data storage device corresponding to the file processing method in the embodiments of the present invention. The processor 102 runs the software programs and modules stored in the memory 104 to execute various functional applications and data processing, that is, to implement the file processing method described above. The memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, and such remote memory may be connected to the computer terminal 10 through a network. Examples of such networks include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network and combinations of these.

The transmission device 106 is used to receive or send data via a network. A specific example of such a network is a wireless network provided by the communication provider of the computer terminal 10. In one example, the transmission device 106 includes a network adapter (Network Interface Controller, NIC), which can be connected to other network devices through a base station in order to communicate with the Internet. In one example, the transmission device 106 may be a radio frequency (Radio Frequency, RF) module, which is used to communicate with the Internet wirelessly.

The display may be, for example, a touch-screen liquid crystal display (LCD), which enables a user to interact with the user interface of the computer terminal 10 (or mobile device).

It should be noted here that, in some optional embodiments, the computer device (or mobile device) shown in FIG. 1 may include hardware elements (including circuits), software elements (including computer code stored on a computer-readable medium), or a combination of both hardware and software elements. It should be pointed out that FIG. 1 is only one example of a particular embodiment, and is intended to show the types of components that may be present in the computer device (or mobile device) described above.

In the operating environment described above, the present invention provides the file processing method shown in FIG. 2. FIG. 2 is a flowchart of a file processing method according to an embodiment of the present invention. As shown in FIG. 2, the file processing method includes:

Step S202: determine the security attribute of the target file to obtain a determination result;

Step S204: when the determination result shows that the security attribute does not meet the preset condition, isolate the target file into a sandbox environment;

Step S206: in the sandbox environment, obtain the target control policy matched with the target file, and perform permission control on the target file based on the target control policy.

Optionally, in the above embodiment, the target file may be an unknown file, program, tool or the like that the user has downloaded from the network, or an attack tool that the user receives when targeted by attack techniques such as "phishing emails" or "watering hole attacks".

Optionally, in the above embodiment, the target file may be safe, malicious or risky. The security attribute of the target file can be used to characterize whether the target file is safe. The security attribute may be determined from the name, type, size, content and so on of the target file.

Optionally, in the above embodiment, the determination result of the security attribute may be the result of determining the security attribute of the target file according to preset security determination rules. For example, in a practical application scenario the result may include: safe, low risk, medium risk, high risk, cannot be determined, and so on.

Optionally, in the above embodiment, the preset condition may be used to decide whether to isolate the target file into the sandbox environment. For example, in a practical application scenario the preset condition may be "files determined to be safe do not need to be isolated", or "files determined to be safe or low risk do not need to be isolated", or "files determined to be safe do not need to be isolated, and files determined to be risky (including low risk, medium risk and high risk) are deleted directly", and so on.

Optionally, in the above embodiment, the target control policy may be used to control the permissions of the target file in the sandbox environment. The target control policy is matched with the target file; it may be a control policy that the user has preset for the target file, or a control policy that the system generates automatically for the target file according to preset control policy rules. In the sandbox environment, the target control policy matched with the target file can be obtained, and the permissions of the target file can be controlled based on that policy.

It should be noted that the sandbox environment may be a restricted, secure environment that the sandbox provides in the computer for running programs. For example, the sandbox can provide disk and memory space that is reclaimed after use for the program to run in, and the code access, network access and other permissions granted to the program are restricted in the sandbox environment. None of the changes made by a program running in the sandbox cause any damage to the operating system.

In the embodiments of the present invention, the security attribute of the target file is first determined to obtain a determination result, and the determination result is then used to establish whether the security attribute meets the preset condition. When the determination result shows that the security attribute does not meet the preset condition, the target file is isolated into a sandbox environment; in the sandbox environment, the target control policy matched with the target file is obtained and permission control is performed on the target file based on that policy. This achieves the purpose of isolating files and controlling their permissions through a sandbox scheme, and thereby the technical effect of reducing the risk of using the target file and improving system security with a flexible and stable scheme. It in turn solves the technical problems of insufficient system support, poor processing effect and low flexibility in related-art methods that process risky files using a process-injection sandbox or a system sandbox.

Optionally, the file processing method provided by the present invention can be applied, without limitation, to any application scenario involving computer security in fields such as health, language, society, science and art that use office networks, internal networks or production networks.

In particular, application scenarios involving computer security usually set up a secure environment, for example an internal network, an isolated network or isolated devices. Unknown programs or unknown files may nevertheless be encountered in a secure environment, and the processing methods provided by the prior art lag behind in this respect (for example, the security attribute of the unknown program or unknown file cannot be determined in time). That is, unknown programs or unknown files can still carry out malicious activity within the secure environment that the user has set up. One of the beneficial effects of the method provided by the embodiments of the present invention may be to solve this problem.

In an optional embodiment, determining the security attribute in step S202 to obtain the determination result includes the following method steps:

Step S221: based on the security attribute, determine whether the target file belongs to a preset whitelist or a preset blacklist;

Step S222: when the target file belongs to the preset whitelist or the preset blacklist, determine that the determination result is that the security attribute meets the preset condition;

Step S223: when the target file belongs to neither the preset whitelist nor the preset blacklist, determine that the determination result is that the security attribute does not meet the preset condition.

可选地,在上述实施例中,预设白名单可以是预设的视为安全文件的文件列表;预设黑名单可以是预设的视为风险文件的文件列表。该预设白名单和该预设黑名单均可以是基于文件的多种属性指定的文件列表。Optionally, in the above embodiment, the preset whitelist may be a preset list of files considered as safe files; the preset blacklist may be a preset list of files considered as risky files. Both the preset whitelist and the preset blacklist may be file lists specified based on various attributes of the files.

例如:在某实际应用场景中,确定文件属于预设白名单的条件可以包括以下至少之一:文件名为一个或多个指定文件名;文件类型为一个或多个指定文件类型;文件大小属于一个或多个指定阈值;文件内容中不包含多个指定内容中的任意一个。For example: in a practical application scenario, the conditions for determining that a file belongs to the preset whitelist may include at least one of the following: the file name is one or more specified file names; the file type is one or more specified file types; the file size belongs to One or more specified thresholds; the file contents do not contain any of the specified contents.

例如:在某实际应用场景中,确定文件属于预设黑名单的条件可以包括以下至少之一:文件名为一个或多个指定文件名;文件类型为一个或多个指定文件类型;文件大小属于一个或多个指定阈值;文件内容中包含多个指定内容中的任意一个。For example: in a practical application scenario, the conditions for determining that a file belongs to the preset blacklist may include at least one of the following: the file name is one or more specified file names; the file type is one or more specified file types; the file size belongs to One or more specified thresholds; any of several specified contents are included in the file content.

Optionally, in the above embodiment, the preset condition may be "based on the security attribute of the target file, it can be determined that the target file belongs to the preset whitelist or the preset blacklist". Therefore, when the target file is determined to belong to the preset whitelist or the preset blacklist, the corresponding determination result is that the security attribute of the target file satisfies the preset condition; when the target file is determined to belong to neither the preset whitelist nor the preset blacklist, the corresponding determination result is that the security attribute of the target file does not satisfy the preset condition.

It should be noted that a determination result that the security attribute of the target file satisfies the preset condition means that the security of the target file is known (which may include: safe, risky). A determination result that the security attribute of the target file does not satisfy the preset condition means that the security of the target file is unknown, and a target file of unknown security must be isolated and run in a sandbox environment to avoid risk.

FIG. 3 is a schematic diagram of an optional process for handling unknown files according to an embodiment of the present invention. As shown in FIG. 3, the file determination system may include a whitelist determination system and a blacklist determination system. The file determination system performs a black/white determination on a file to be executed, that is, it determines whether the file to be executed belongs to a whitelist or a blacklist; the whitelist and the blacklist may be preset by the user.

Still as shown in FIG. 3, when the file determination system cannot make a black/white determination on the file to be executed (for example, the file belongs to neither the whitelist nor the blacklist, or it is difficult to determine whether it belongs to the whitelist or the blacklist), the file determination system passes the file to the sandbox system. The sandbox system then performs permission control on the file to be executed in the sandbox environment.
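The three-way determination of steps S221 to S223, as an added Python sketch that is not code from the patent. The rule fields, the "every set field must match" semantics and the choice to treat a file that hits both lists as undetermined are assumptions; the list entries and sample files are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Verdict(Enum):
    SAFE = "whitelisted"      # security known: safe
    RISKY = "blacklisted"     # security known: risky
    UNKNOWN = "unknown"       # preset condition not satisfied


@dataclass(frozen=True)
class FileAttrs:
    name: str
    ftype: str
    size: int
    content: bytes


@dataclass(frozen=True)
class ListRule:
    """One list entry. Every field that is set must match (assumed semantics)."""
    names: Tuple[str, ...] = ()
    types: Tuple[str, ...] = ()
    size_range: Optional[Tuple[int, int]] = None   # inclusive (min, max)
    markers: Tuple[bytes, ...] = ()                # the "specified contents"
    markers_must_be_absent: bool = False           # True for whitelist rules

    def matches(self, f: FileAttrs) -> bool:
        # A rule with no criteria must never match, or it would list everything.
        if not (self.names or self.types or self.size_range or self.markers):
            return False
        if self.names and f.name.lower() not in self.names:
            return False
        if self.types and f.ftype.lower() not in self.types:
            return False
        if self.size_range and not (self.size_range[0] <= f.size <= self.size_range[1]):
            return False
        if self.markers:
            found = any(m in f.content for m in self.markers)
            if found == self.markers_must_be_absent:
                return False
        return True


def classify(f: FileAttrs, whitelist, blacklist) -> Verdict:
    white = any(r.matches(f) for r in whitelist)
    black = any(r.matches(f) for r in blacklist)
    if white and black:
        # Conflicting lists: the determination is "difficult", so do not trust either.
        return Verdict.UNKNOWN
    if black:
        return Verdict.RISKY
    if white:
        return Verdict.SAFE
    return Verdict.UNKNOWN


def needs_sandbox(f: FileAttrs, whitelist, blacklist) -> bool:
    """True when the security attribute does not satisfy the preset condition."""
    return classify(f, whitelist, blacklist) is Verdict.UNKNOWN


# Constructed lists and marker, for illustration only.
MARK = b"CONSTRUCTED-RISK-MARKER"
WHITELIST = (
    ListRule(types=("txt",), size_range=(0, 1_000_000),
             markers=(MARK,), markers_must_be_absent=True),
    ListRule(names=("setup.exe",)),
)
BLACKLIST = (
    ListRule(markers=(MARK,)),
    ListRule(names=("badtool.exe",)),
)

if __name__ == "__main__":
    samples = [
        FileAttrs("readme.txt", "txt", 120, b"hello"),
        FileAttrs("x.bin", "bin", 50, b"xx" + MARK),
        FileAttrs("a.exe", "exe", 4096, b"MZ\x90\x00"),
        FileAttrs("setup.exe", "exe", 4096, b"MZ" + MARK),
    ]
    for s in samples:
        print(s.name, classify(s, WHITELIST, BLACKLIST).value)
```

The last sample is whitelisted by name and blacklisted by content; routing it to the sandbox instead of letting one list win keeps a name-only whitelist entry from overriding a content hit.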

In an optional embodiment, the file processing method further includes the following steps:

Step S208: pull multiple candidate control policies from the cloud server;

Step S210: parse the multiple candidate control policies to obtain a parsing result;

Step S212: store the parsing result in a storage area associated with the sandbox environment.

Optionally, in the above embodiment, the multiple candidate control policies may be multiple control policies, stored on the cloud server, for controlling file permissions. They may be generated in advance by the system and stored on the cloud server, or specified in advance by a technician and uploaded to the cloud server.

Optionally, in the above embodiment, the multiple candidate control policies are pulled from the cloud server to the local device. The local device may parse the multiple candidate control policies to obtain the parsing result. The parsing result is stored in the storage area associated with the sandbox environment so that it can be retrieved from within the sandbox environment.

Still as shown in FIG. 3, the sandbox system may perform a cloud policy pull. The cloud policy pull may include policy pulling and policy integration. Policy pulling may be obtaining from the cloud server the latest version of each of multiple permission control policies. Policy integration may be integrating the multiple permission control policies pulled from the cloud server according to a preset integration rule. The preset integration rule may be used to arrange the multiple policies in a specified order or a specified format.

Still as shown in FIG. 3, the sandbox system may perform policy parsing. Policy parsing may include parsing each of the multiple permission control policies. Parsing one permission control policy may be parsing it into its corresponding multiple control commands.

Still as shown in FIG. 3, the sandbox system may perform policy storage. Policy storage may be storing, in a storage area in the sandbox system, the multiple control commands corresponding to each of the multiple permission control policies (equivalent to the parsing result above). Policy storage may also be storing, in a storage area in the sandbox system, the multiple permission control policies together with the multiple control commands corresponding to each of them (equivalent to the parsing result above).

In addition, still as shown in FIG. 3, the sandbox system may also perform policy legality verification. Specifically, after the policies are stored, the legality of the multiple permission control policies stored in the storage area in the sandbox system is verified according to a preset legality verification rule. The preset legality verification rule may be specified in advance by a technician according to the actual application scenario.

In particular, during policy legality verification, the legal permission control policies stored in the storage area may be retained, and the illegal permission control policies stored in the storage area may be deleted.

In an optional embodiment, in step S206, obtaining the target control policy matched to the target file includes the following steps:

Step S261: obtain the index information of the target file;

Step S262: based on the index information of the target file, obtain the target control policy matching the index information from the parsing result stored in the storage area.

Optionally, in the above embodiment, the index information of the target file may be information used to match a control policy to the target file. Obtaining the index information of the target file may be selecting at least one field from multiple fields corresponding to the target file. For example, the index information of the target file may be its file name, file type, and so on. As another example, when the target file is an unknown program, the index information may be the process name corresponding to the unknown program.

Optionally, in the above embodiment, based on the index information of the target file, the target control policy matching the index information may be obtained from the parsing result stored in the storage area. The storage area is associated with the sandbox environment, and the parsing result corresponds to the parsing of the multiple candidate control policies described above. The target control policy may be the control policy to be applied to the target file in the sandbox environment.

Still as shown in FIG. 3, the sandbox system may perform policy matching. When the target file is an unknown program, the process name corresponding to the unknown program (equivalent to the index information above) may be obtained and used as an index to match the permission control policy to be used for the unknown program (equivalent to the target control policy above).

Specifically, the matching process may include: accessing the storage area in the sandbox system and obtaining the multiple permission control policies stored there together with the multiple control commands corresponding to each of them (equivalent to the parsing result above); and determining, according to the process name corresponding to the unknown program, the permission control policy corresponding to the unknown program.

In an optional embodiment, the file processing method further includes the following step:

Step S214: when it is determined that no target control policy matching the index information is found in the parsing result, determine a default control policy as the target control policy.

Optionally, in the above embodiment, the default control policy may be a control policy specified in advance by a technician according to the actual application scenario.

Optionally, in the above embodiment, when no target control policy matching the index information of the target file can be found in the parsing result, policy matching for the target file has failed; in that case the default control policy may be determined as the target control policy of the target file. The target control policy may be the control policy to be applied to the target file in the sandbox environment.

Optionally, when the index information of the target file is empty, policy matching cannot be performed for the target file; in that case the default control policy may also be determined as the target control policy of the target file.

In addition, the cloud server may issue a specific control policy for a specific file or program in the sandbox environment. For example, for the unknown program a.exe in the sandbox environment, the control policy issued by the cloud server is "cannot read desktop files, and cannot write files to the desktop". The policy system parses and stores this control policy on the local device.

In an optional embodiment, in step S206, performing permission control on the target file based on the target control policy includes at least one of the following steps:

Step S263: perform file permission control on the target file based on the target control policy;

Step S264: perform process permission control on the target file based on the target control policy;

Step S265: perform registry permission control on the target file based on the target control policy;

Step S266: perform network access permission control on the target file based on the target control policy.

Optionally, in the above embodiment, the target control policy may be the control policy to be applied to the target file in the sandbox environment. In the sandbox environment, the permission control performed on the target file based on the target control policy may include at least one of the following: file permission control, process permission control, registry permission control, and network access permission control.

Specifically, file permission control may be controlling the operations the target file is permitted to perform on some or all files in the local file system (including reading or changing file content). Process permission control may be controlling the process corresponding to the target file and its permission to occupy system resources. Registry permission control may be controlling the target file's permission to access and modify the registry. Network access permission control may be controlling the target file's permission (which may include allowed access, partially restricted access, fully restricted access, and so on) to access networks (which may include an office network, an internal network, a production network, and so on).

Still as shown in FIG. 3, the sandbox system may also include a process creation agent module. After the policy system has determined the permission control policy to be used for the target file, the process creation agent module may create a process for the target file and run the target file.

Still as shown in FIG. 3, the sandbox system may also perform permission control. The permission control may include file permission control, process permission control, registry permission control, and network permission control.

Taking the unknown program a.exe as an example again, the sandbox system creates a corresponding process for a.exe, and the permission control module then controls the permissions of a.exe according to its control policy. The control policy is "cannot read desktop files, and cannot write files to the desktop", so when the sandbox system finds that the process corresponding to a.exe reads or writes desktop files, the permission control module applies the corresponding permission control to restrict that behavior.
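The policy path described above (pull and integrate, parse into control commands, store, delete illegal policies, match by process name with default fallback, then enforce) as an added Python sketch that is not code from the patent. The JSON policy layout, the deny-only command model, the path patterns and the contents of the default policy are assumptions; the policy documents are constructed.

```python
import json
from fnmatch import fnmatchcase

# Assumed vocabulary: the four control domains named in steps S263 to S266.
DOMAINS = {"file": {"read", "write"}, "process": {"create"},
           "registry": {"read", "write"}, "network": {"connect"}}

# Constructed stand-in for what a cloud server might return.
CLOUD_POLICIES = json.dumps([
    {"index": "a.exe", "version": 1, "rules": [
        {"domain": "file", "target": "c:/users/*/desktop/*", "deny": ["read"]}]},
    {"index": "a.exe", "version": 2, "rules": [
        {"domain": "file", "target": "c:/users/*/desktop/*", "deny": ["read", "write"]}]},
    {"index": "b.exe", "version": 1, "rules": [
        {"domain": "kernel", "target": "*", "deny": ["patch"]}]},  # illegal domain
])

# Assumed default policy, chosen by the operator: deny writes and network access.
DEFAULT_POLICY = [("file", "write", "*"), ("registry", "write", "*"),
                  ("network", "connect", "*")]


def parse_policy(doc):
    """Parse one policy into control commands: (domain, operation, target pattern)."""
    return [(rule.get("domain"), op, str(rule.get("target", "")).lower())
            for rule in doc.get("rules", []) for op in rule.get("deny", [])]


def is_legal(commands):
    """Legality rule (assumed): non-empty, known domain and operation, non-empty target."""
    return bool(commands) and all(
        d in DOMAINS and op in DOMAINS[d] and pat for d, op, pat in commands)


def build_store(raw):
    """Integrate (latest version per index), parse, store, then delete illegal policies."""
    latest = {}
    for doc in json.loads(raw):
        key = str(doc.get("index", "")).lower()
        if key and (key not in latest
                    or doc.get("version", 0) > latest[key].get("version", 0)):
            latest[key] = doc
    store = {key: parse_policy(doc) for key, doc in latest.items()}
    for key in [k for k, cmds in store.items() if not is_legal(cmds)]:
        del store[key]
    return store


def match_policy(store, process_name):
    """Steps S261, S262 and S214: look up by index, fall back to the default policy."""
    key = (process_name or "").strip().lower()
    if key and key in store:
        return store[key]
    return DEFAULT_POLICY


def is_allowed(commands, domain, op, target):
    """Permission check for one access attempt by the sandboxed process."""
    target = target.replace("\\", "/").lower()
    return not any(d == domain and o == op and fnmatchcase(target, pat)
                   for d, o, pat in commands)


if __name__ == "__main__":
    store = build_store(CLOUD_POLICIES)
    policy = match_policy(store, "a.exe")
    for op, path in [("read", r"C:\Users\alice\Desktop\notes.txt"),
                     ("write", r"C:\Users\alice\Desktop\out.txt"),
                     ("read", r"C:\Users\alice\Documents\notes.txt")]:
        print(op, path, "allowed" if is_allowed(policy, "file", op, path) else "denied")
```

Any name without a stored legal policy, including one whose policy was deleted as illegal, falls through to the default, so the default is worth making the strictest policy in the set.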

It is easy to see that, with the method provided by the embodiments of the present invention, when the security determination result for an unknown file or unknown program is unknown, the sandbox system can be used to keep that unknown file or unknown program in an isolated state in order to protect the system. The isolated state includes file isolation, process isolation, session isolation, restricted network access, and so on.

It is easy to see that, with the method provided by the embodiments of the present invention, the control policies used by the sandbox system are pulled from the cloud server, so control policies can be customized for complex usage environments and uploaded to the cloud server for the sandbox system to use. This achieves permission control for specific programs, and the granularity of that permission control is fine (for example, it can target file paths, specific IP addresses, and so on). Therefore, one of the beneficial effects of the embodiments of the present invention is that sandbox control policies can be customized with a high degree of flexibility.

It is easy to see that, compared with the methods provided by the related art, the method provided by the embodiments of the present invention involves no injection. Therefore, one of the beneficial effects of the embodiments of the present invention is that programs run more stably inside the sandbox, and it is difficult for a program to detect the sandbox environment.

One embodiment of the present invention further provides a file processing method that runs on a cloud server. FIG. 4 is a flowchart of another file processing method according to an embodiment of the present invention. As shown in FIG. 4, the file processing method includes:

Step S402: receive a target file from a client;

Step S404: determine the security attribute of the target file to obtain a determination result; when the determination result shows that the security attribute does not satisfy the preset condition, isolate the target file in a sandbox environment and, in the sandbox environment, obtain the target control policy matched to the target file and perform permission control on the target file based on the target control policy;

Step S406: return a notification message to the client, where the notification message is used to notify that the target file has been isolated in the sandbox environment and is subject to permission control according to the target control policy.

Optionally, FIG. 5 is a schematic diagram of file processing performed on a cloud server according to an embodiment of the present invention. As shown in FIG. 5, the client uploads the target file to the cloud server; the cloud server determines the security attribute of the target file to obtain a determination result and, when the determination result shows that the security attribute does not satisfy the preset condition, isolates the target file in a sandbox environment, obtains in the sandbox environment the target control policy matched to the target file, and performs permission control on the target file based on the target control policy. The cloud server then sends a notification message back to the client, where the notification message is used to notify that the target file has been isolated in the sandbox environment and is subject to permission control according to the target control policy. The final notification message is presented to the user through the client's graphical user interface.

It should be noted that the file processing method provided by the embodiments of the present invention may be applied to, but is not limited to, any practical application scenario involving computer security that uses office networks, internal networks or production networks in fields such as health, language, society, science and art. Through interaction between a SaaS server and a client, whether to perform sandbox isolation is determined from the result of determining the security attribute of the target file uploaded by the client; when sandbox isolation is performed, the corresponding target control policy is used to perform permission control on the target file, and a notification message is generated and returned to the client for presentation to the user.

It should be noted that, for simplicity of description, each of the foregoing method embodiments is expressed as a series of combined actions, but those skilled in the art should understand that the present invention is not limited by the described order of actions, because according to the present invention some steps may be performed in another order or simultaneously. Those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.

From the description of the above implementations, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium (such as ROM/RAM, a magnetic disk, or an optical disc) and includes several instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a network device, or the like) to execute the methods described in the embodiments of the present invention.

Embodiment 2

According to an embodiment of the present invention, an apparatus for implementing the above file processing method is also provided. FIG. 6 is a schematic structural diagram of a file processing apparatus according to an embodiment of the present invention. As shown in FIG. 6, the apparatus includes a determination module 601, an isolation module 602, and a processing module 603, where:

The determination module 601 is configured to determine the security attribute of the target file and obtain a determination result; the isolation module 602 is configured to isolate the target file in a sandbox environment when the determination result shows that the security attribute does not satisfy the preset condition; the processing module 603 is configured to obtain, in the sandbox environment, the target control policy matched to the target file and to perform permission control on the target file based on the target control policy.

Optionally, the determination module 601 is further configured to: determine, based on the security attribute, whether the target file belongs to a preset whitelist or a preset blacklist; when the target file belongs to the preset whitelist or the preset blacklist, determine that the determination result is that the security attribute satisfies the preset condition; when the target file belongs to neither the preset whitelist nor the preset blacklist, determine that the determination result is that the security attribute does not satisfy the preset condition.

Optionally, FIG. 7 is a schematic structural diagram of another file processing apparatus according to an embodiment of the present invention. As shown in FIG. 7, in addition to all the modules shown in FIG. 6, the apparatus further includes a parsing module 604, configured to pull multiple candidate control policies from the cloud server, parse the multiple candidate control policies to obtain a parsing result, and store the parsing result in a storage area associated with the sandbox environment.

Optionally, the processing module 603 is further configured to: obtain the index information of the target file; and, based on the index information of the target file, obtain the target control policy matching the index information from the parsing result stored in the storage area.

Optionally, FIG. 8 is a schematic structural diagram of another file processing apparatus according to an embodiment of the present invention. As shown in FIG. 8, in addition to all the modules shown in FIG. 7, the apparatus further includes a determining module 605, configured to determine the default control policy as the target control policy when it is determined that no target control policy matching the index information is found in the parsing result.

Optionally, the processing module 603 is further configured to: perform file permission control on the target file based on the target control policy; perform process permission control on the target file based on the target control policy; perform registry permission control on the target file based on the target control policy; and perform network access permission control on the target file based on the target control policy.

It should be noted here that the determination module 601, the isolation module 602 and the processing module 603 correspond to steps S202 to S206 in Embodiment 1. The examples and application scenarios implemented by the three modules are the same as those of the corresponding steps, but are not limited to what is disclosed in Embodiment 1. It should be noted that the above modules, as part of the apparatus, may run in the computer terminal 10 provided in Embodiment 1.

In the embodiments of the present invention, the security attribute of the target file is first determined to obtain a determination result, and whether the security attribute satisfies the preset condition is then decided from the determination result. When the determination result shows that the security attribute does not satisfy the preset condition, the target file is isolated in a sandbox environment, and in the sandbox environment the target control policy matched to the target file is obtained and permission control is performed on the target file based on the target control policy. This achieves the purpose of isolating files and controlling their permissions through a sandbox scheme, and thereby the technical effect of reducing the risk of using the target file and improving system security with a flexible and stable scheme, which in turn solves the technical problem that the related-art methods of handling risky files with a process-injection sandbox or a system sandbox suffer from insufficient system support, poor handling results and low flexibility.

It should be noted that, for preferred implementations of this embodiment, reference may be made to the relevant description in Embodiment 1, which is not repeated here.

实施例3Example 3

根据本发明实施例,还提供了一种电子装置的实施例,该电子装置可以是计算装置群中的任意一个计算装置。该电子装置包括:处理器和存储器,其中:According to an embodiment of the present invention, an embodiment of an electronic device is also provided, and the electronic device may be any computing device in a computing device group. The electronic device includes: a processor and a memory, wherein:

存储器,与上述处理器连接,用于为上述处理器提供处理以下处理步骤的指令:对目标文件的安全属性进行判定,得到判定结果;当通过判定结果确定安全属性未满足预设条件时,将目标文件隔离至沙盒环境中;在沙盒环境中,获取目标文件匹配的目标管控策略,并基于目标管控策略对目标文件进行权限管控。The memory is connected to the above-mentioned processor, and is used for providing the above-mentioned processor with instructions for processing the following processing steps: judging the security attribute of the target file, and obtaining a judgment result; when it is determined by the judgment result that the security attribute does not meet the preset condition, The target file is isolated in the sandbox environment; in the sandbox environment, the target control policy matching the target file is obtained, and the target file is controlled based on the target control policy.

在本发明实施例中,首先对目标文件的安全属性进行判定,得到判定结果,然后根据判定结果确定安全属性是否满足预设条件,当通过判定结果确定安全属性未满足预设条件时,将目标文件隔离至沙盒环境中,进而在沙盒环境中,获取目标文件匹配的目标管控策略,并基于目标管控策略对目标文件进行权限管控,达到了通过沙盒方案对文件进行隔离和权限管控的目的,从而实现了以灵活、稳定的方案降低目标文件的使用风险、提高系统安全性的技术效果,进而解决了相关技术中使用进程注入沙盒或系统沙盒的处理风险文件的方法其系统支持不足、处理效果差、灵活性低的技术问题。In the embodiment of the present invention, firstly, the security attribute of the target file is judged to obtain the judgment result, and then it is determined whether the security attribute meets the preset condition according to the judgment result, and when it is determined by the judgment result that the security attribute does not meet the preset condition, the target The file is isolated to the sandbox environment, and then in the sandbox environment, the target control policy matching the target file is obtained, and the target file is controlled based on the target control policy. The purpose is to achieve the technical effect of reducing the use risk of target files and improving system security with a flexible and stable solution, and then solve the method of processing risk files using process injection sandbox or system sandbox in related technologies. System support Inadequate, poor handling, and low flexibility of technical issues.

It should be noted that, for the preferred implementations of this embodiment, reference may be made to the relevant description in Embodiment 1, which is not repeated here.

Example 4

Embodiments of the present invention may provide a computer terminal, which may be any computer terminal device in a group of computer terminals. Optionally, in this embodiment, the computer terminal may also be replaced by a terminal device such as a mobile terminal.

Optionally, in this embodiment, the computer terminal may be located in at least one of a plurality of network devices of a computer network.

In this embodiment, the computer terminal may execute program code for the following steps of the file processing method: judging the security attribute of a target file to obtain a judgment result; when it is determined from the judgment result that the security attribute does not meet a preset condition, isolating the target file into a sandbox environment; and, in the sandbox environment, obtaining the target control policy that matches the target file and performing permission control on the target file based on the target control policy.

Optionally, FIG. 9 is a structural block diagram of another computer terminal according to an embodiment of the present invention. As shown in FIG. 9, the computer terminal may include one or more processors 122 (only one is shown in the figure), a memory 124, and a peripheral interface 126.

The memory may be used to store software programs and modules, such as the program instructions/modules corresponding to the file processing method and apparatus in the embodiments of the present invention. By running the software programs and modules stored in the memory, the processor executes various functional applications and data processing, that is, implements the file processing method described above. The memory may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory may further include memory located remotely from the processor, and such remote memory may be connected to the computer terminal through a network. Examples of such networks include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.

The processor may, through a transmission device, call the information and application programs stored in the memory to perform the following steps: judging the security attribute of a target file to obtain a judgment result; when it is determined from the judgment result that the security attribute does not meet a preset condition, isolating the target file into a sandbox environment; and, in the sandbox environment, obtaining the target control policy that matches the target file and performing permission control on the target file based on the target control policy.

Optionally, the processor may further execute program code for the following steps: determining, based on the security attribute, whether the target file belongs to a preset whitelist or a preset blacklist; when the target file belongs to the preset whitelist or the preset blacklist, determining that the judgment result is that the security attribute meets the preset condition; and when the target file belongs to neither the preset whitelist nor the preset blacklist, determining that the judgment result is that the security attribute does not meet the preset condition.

Optionally, the processor may further execute program code for the following steps: pulling a plurality of candidate control policies from a cloud server; parsing the plurality of candidate control policies to obtain a parsing result; and storing the parsing result in a storage area associated with the sandbox environment.

Optionally, the processor may further execute program code for the following steps: obtaining index information of the target file; and, based on the index information of the target file, obtaining the target control policy that matches the index information from the parsing result stored in the storage area.

Optionally, the processor may further execute program code for the following step: when it is determined that no target control policy matching the index information is found in the parsing result, determining a default control policy as the target control policy.

Optionally, the processor may further execute program code for the following steps: performing file permission control on the target file based on the target control policy; performing process permission control on the target file based on the target control policy; performing registry permission control on the target file based on the target control policy; and performing network access permission control on the target file based on the target control policy.

The processor may, through a transmission device, call the information and application programs stored in the memory to perform the following steps: receiving a target file from a client; judging the security attribute of the target file to obtain a judgment result, and, when it is determined from the judgment result that the security attribute does not meet a preset condition, isolating the target file into a sandbox environment, obtaining in the sandbox environment the target control policy that matches the target file, and performing permission control on the target file based on the target control policy; and returning a notification message to the client, wherein the notification message is used to notify that the target file has been isolated into the sandbox environment and is subject to permission control according to the target control policy.
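The steps listed above (list-based judgment, parsing of pulled candidate policies, lookup by index information, fallback to the default policy, and the four kinds of permission control) can be sketched as follows. This is an added illustration, not code from the patent or the applicant. It assumes that the index information is the SHA-256 of the file content, that candidate policies arrive as JSON, and that the default policy grants nothing; the field names, POSIX-style paths and sample data are constructed.

```python
import hashlib
import json
import posixpath
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    file_write_roots: tuple = ()   # file permission control
    process_spawn: bool = False    # process permission control
    registry_write: bool = False   # registry permission control
    network_hosts: tuple = ()      # network access permission control

# Assumption: the default policy grants nothing (the page does not define its content).
DEFAULT_POLICY = Policy(name="default")

def index_of(data: bytes) -> str:
    """Assumption: the file's index information is the SHA-256 of its content."""
    return hashlib.sha256(data).hexdigest()

def triage(data: bytes, whitelist: set, blacklist: set) -> str:
    """Files on either list meet the preset condition; all others are sandboxed."""
    idx = index_of(data)
    if idx in blacklist:
        return "blacklist"
    if idx in whitelist:
        return "whitelist"
    return "sandbox"

def _strings(value) -> tuple:
    if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
        raise TypeError("expected a list of strings")
    return tuple(value)

def _flag(value) -> bool:
    if not isinstance(value, bool):
        raise TypeError("expected a boolean")
    return value

def parse_policies(raw: str) -> dict:
    """Parse pulled candidate policies into an index -> Policy store.
    Malformed entries are dropped, so their files fall back to DEFAULT_POLICY."""
    try:
        entries = json.loads(raw)
    except ValueError:
        return {}
    store = {}
    for entry in entries if isinstance(entries, list) else []:
        try:
            store[str(entry["index"])] = Policy(
                name=str(entry["name"]),
                file_write_roots=_strings(entry.get("file_write_roots", [])),
                process_spawn=_flag(entry.get("process_spawn", False)),
                registry_write=_flag(entry.get("registry_write", False)),
                network_hosts=_strings(entry.get("network_hosts", [])),
            )
        except (KeyError, TypeError, AttributeError):
            continue
    return store

def select_policy(idx: str, store: dict) -> Policy:
    return store.get(idx, DEFAULT_POLICY)  # no match: default control policy

def is_allowed(policy: Policy, action: str, target: str = "") -> bool:
    if action == "file_write":
        path = posixpath.normpath(target)  # collapse "../" before comparing
        roots = map(posixpath.normpath, policy.file_write_roots)
        return any(path == r or path.startswith(r.rstrip("/") + "/") for r in roots)
    if action == "process_spawn":
        return policy.process_spawn
    if action == "registry_write":
        return policy.registry_write
    if action == "network":
        return target in policy.network_hosts
    return False  # unknown action kinds are denied

def process_file(data: bytes, whitelist: set, blacklist: set, store: dict) -> dict:
    verdict = triage(data, whitelist, blacklist)
    if verdict != "sandbox":
        return {"verdict": verdict, "sandboxed": False, "policy": None}
    policy = select_policy(index_of(data), store)
    return {"verdict": verdict, "sandboxed": True, "policy": policy.name}

# Constructed sample inputs (not from the page).
KNOWN_TOOL = b"constructed sample: known tool"
KNOWN_BAD = b"constructed sample: known bad"
UNKNOWN_DOC = b"constructed sample: unknown document"
UNKNOWN_BIN = b"constructed sample: unknown binary"
WHITELIST = {index_of(KNOWN_TOOL)}
BLACKLIST = {index_of(KNOWN_BAD)}
CLOUD_POLICIES = json.dumps([
    {"index": index_of(UNKNOWN_DOC), "name": "doc-viewer",
     "file_write_roots": ["/sandbox/out"]},
    # Malformed on purpose: process_spawn is a string, not a boolean.
    {"index": index_of(UNKNOWN_BIN), "name": "broken", "process_spawn": "yes"},
])
```

Dropping a malformed entry rather than coercing it means a parsing error can only make a file's treatment stricter, never looser.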

In the embodiment of the present invention, the security attribute of the target file is first judged to obtain a judgment result, and whether the security attribute meets the preset condition is then determined from the judgment result. When it is determined from the judgment result that the security attribute does not meet the preset condition, the target file is isolated into a sandbox environment; in the sandbox environment, the target control policy that matches the target file is obtained, and permission control is performed on the target file based on the target control policy. This achieves the purpose of isolating files and controlling their permissions through a sandbox scheme, and thereby the technical effect of reducing the risk of using the target file and improving system security with a flexible and stable scheme. It thus solves the technical problem that related-art methods of handling risky files with a process-injection sandbox or a system sandbox suffer from insufficient system support, poor handling results, and low flexibility.

Those of ordinary skill in the art will understand that the structure shown in FIG. 9 is only illustrative, and the computer terminal may also be a terminal device such as a smartphone (for example, an Android phone or an iOS phone), a tablet computer, a handheld computer, a mobile Internet device (Mobile Internet Devices, MID), or a PAD. FIG. 9 does not limit the structure of the above electronic device. For example, the computer terminal may include more or fewer components than shown in FIG. 9 (such as a network interface or a display device), or have a configuration different from that shown in FIG. 9.

Those of ordinary skill in the art will understand that all or part of the steps of the methods in the above embodiments may be completed by a program instructing hardware related to the terminal device. The program may be stored in a computer-readable storage medium, and the storage medium may include a flash drive, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic disk, an optical disc, or the like.

According to an embodiment of the present invention, an embodiment of a storage medium is further provided. Optionally, in this embodiment, the storage medium may be used to store the program code executed by the file processing method provided in Embodiment 1.

Optionally, in this embodiment, the storage medium may be located in any computer terminal in a group of computer terminals in a computer network, or in any mobile terminal in a group of mobile terminals.

Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: judging the security attribute of a target file to obtain a judgment result; when it is determined from the judgment result that the security attribute does not meet a preset condition, isolating the target file into a sandbox environment; and, in the sandbox environment, obtaining the target control policy that matches the target file and performing permission control on the target file based on the target control policy.

Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: determining, based on the security attribute, whether the target file belongs to a preset whitelist or a preset blacklist; when the target file belongs to the preset whitelist or the preset blacklist, determining that the judgment result is that the security attribute meets the preset condition; and when the target file belongs to neither the preset whitelist nor the preset blacklist, determining that the judgment result is that the security attribute does not meet the preset condition.

Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: pulling a plurality of candidate control policies from a cloud server; parsing the plurality of candidate control policies to obtain a parsing result; and storing the parsing result in a storage area associated with the sandbox environment.

Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: obtaining index information of the target file; and, based on the index information of the target file, obtaining the target control policy that matches the index information from the parsing result stored in the storage area.

Optionally, in this embodiment, the storage medium is configured to store program code for performing the following step: when it is determined that no target control policy matching the index information is found in the parsing result, determining a default control policy as the target control policy.

Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: performing file permission control on the target file based on the target control policy; performing process permission control on the target file based on the target control policy; performing registry permission control on the target file based on the target control policy; and performing network access permission control on the target file based on the target control policy.

Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: receiving a target file from a client; judging the security attribute of the target file to obtain a judgment result, and, when it is determined from the judgment result that the security attribute does not meet a preset condition, isolating the target file into a sandbox environment, obtaining in the sandbox environment the target control policy that matches the target file, and performing permission control on the target file based on the target control policy; and returning a notification message to the client, wherein the notification message is used to notify that the target file has been isolated into the sandbox environment and is subject to permission control according to the target control policy.

The serial numbers of the above embodiments of the present invention are for description only and do not represent the relative merits of the embodiments.

In the above embodiments of the present invention, the description of each embodiment has its own emphasis. For parts not described in detail in one embodiment, reference may be made to the related descriptions of the other embodiments.

In the several embodiments provided by the present invention, it should be understood that the disclosed technical content may be implemented in other ways. The apparatus embodiments described above are only illustrative. For example, the division into units is only a division by logical function, and other divisions are possible in an actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling, or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, units, or modules, and may be electrical or take other forms.

The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.

If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a read-only memory (ROM, Read-Only Memory), a random access memory (RAM, Random Access Memory), a removable hard disk, a magnetic disk, or an optical disc.

The above are only preferred embodiments of the present invention. It should be noted that those of ordinary skill in the art may make several improvements and refinements without departing from the principles of the present invention, and these improvements and refinements shall also be regarded as falling within the protection scope of the present invention.

Claims (10)

1. A file processing method, characterized by comprising:
judging the security attribute of a target file to obtain a judgment result;
when it is determined from the judgment result that the security attribute does not meet a preset condition, isolating the target file into a sandbox environment;
in the sandbox environment, obtaining the target control policy that matches the target file, and performing permission control on the target file based on the target control policy.

2. The file processing method according to claim 1, characterized in that judging the security attribute to obtain the judgment result comprises:
determining, based on the security attribute, whether the target file belongs to a preset whitelist or a preset blacklist;
when the target file belongs to the preset whitelist or the preset blacklist, determining that the judgment result is that the security attribute meets the preset condition;
when the target file belongs to neither the preset whitelist nor the preset blacklist, determining that the judgment result is that the security attribute does not meet the preset condition.

3. The file processing method according to claim 1, characterized in that the file processing method further comprises:
pulling a plurality of candidate control policies from a cloud server;
parsing the plurality of candidate control policies to obtain a parsing result;
storing the parsing result in a storage area associated with the sandbox environment.

4. The file processing method according to claim 3, characterized in that obtaining the target control policy that matches the target file comprises:
obtaining index information of the target file;
based on the index information of the target file, obtaining the target control policy that matches the index information from the parsing result stored in the storage area.

5. The file processing method according to claim 4, characterized in that the file processing method further comprises:
when it is determined that no target control policy matching the index information is found in the parsing result, determining a default control policy as the target control policy.

6. The file processing method according to claim 1, characterized in that performing permission control on the target file based on the target control policy comprises at least one of the following:
performing file permission control on the target file based on the target control policy;
performing process permission control on the target file based on the target control policy;
performing registry permission control on the target file based on the target control policy;
performing network access permission control on the target file based on the target control policy.

7. A file processing method, characterized by comprising:
receiving a target file from a client;
judging the security attribute of the target file to obtain a judgment result, and, when it is determined from the judgment result that the security attribute does not meet a preset condition, isolating the target file into a sandbox environment, obtaining in the sandbox environment the target control policy that matches the target file, and performing permission control on the target file based on the target control policy;
returning a notification message to the client, wherein the notification message is used to notify that the target file has been isolated into the sandbox environment and is subject to permission control according to the target control policy.

8. A file processing apparatus, characterized by comprising:
a judgment module, configured to judge the security attribute of a target file to obtain a judgment result;
an isolation module, configured to isolate the target file into a sandbox environment when it is determined from the judgment result that the security attribute does not meet a preset condition;
a processing module, configured to obtain, in the sandbox environment, the target control policy that matches the target file, and to perform permission control on the target file based on the target control policy.

9. A storage medium, characterized in that the storage medium comprises a stored program, wherein, when the program runs, the device on which the storage medium is located is controlled to execute the file processing method according to any one of claims 1 to 7.

10. A file processing system, characterized by comprising:
a processor; and
a memory, connected to the processor and configured to provide the processor with instructions for performing the following processing steps:
step 1, judging the security attribute of a target file to obtain a judgment result;
step 2, when it is determined from the judgment result that the security attribute does not meet a preset condition, isolating the target file into a sandbox environment;
step 3, in the sandbox environment, obtaining the target control policy that matches the target file, and performing permission control on the target file based on the target control policy.

CN202210177652.7A 2022-02-24 2022-02-24 File processing method, device, storage medium and system Pending CN114662090A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210177652.7A CN114662090A (en) 2022-02-24 2022-02-24 File processing method, device, storage medium and system

Publications (1)

Publication Number Publication Date
CN114662090A true CN114662090A (en) 2022-06-24

Family

ID=82027737

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210177652.7A Pending CN114662090A (en) 2022-02-24 2022-02-24 File processing method, device, storage medium and system

Country Status (1)

Country Link
CN (1) CN114662090A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103514401A (en) * 2011-04-21 2014-01-15 北京奇虎科技有限公司 Method and device for defense by utilization of sandbox technology and security browser
CN108171050A (en) * 2017-12-29 2018-06-15 浙江大学 The fine granularity sandbox strategy method for digging of linux container
CN110197064A (en) * 2019-02-18 2019-09-03 腾讯科技(深圳)有限公司 Process handling method and device, storage medium and electronic device
CN112580017A (en) * 2020-12-25 2021-03-30 深信服科技股份有限公司 Authentication method and device, electronic equipment and storage medium
WO2021109669A1 (en) * 2019-12-05 2021-06-10 华为技术有限公司 Method and device for detecting malicious domain name access, and computer readable storage medium

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115510429A (en) * 2022-11-21 2022-12-23 统信软件技术有限公司 Sandbox application access right control method, computing device and readable storage medium
CN115510429B (en) * 2022-11-21 2023-04-14 统信软件技术有限公司 Sandbox application access right control method, computing device and readable storage medium
CN117201067A (en) * 2023-07-26 2023-12-08 中电云计算技术有限公司 Security protection system, method, device, equipment and storage medium of cloud server

Similar Documents

Publication Publication Date Title
US11741222B2 (en) Sandbox environment for document preview and analysis
Tian et al. Defending against malicious USB firmware with GoodUSB
TWI420338B (en) Secure browser-based applications
US8881284B1 (en) Method and system for secure network access using a virtual machine
US11316683B2 (en) Systems and methods for providing IoT security service using hardware security module
US20130254889A1 (en) Server-Side Restricted Software Compliance
JP6576551B2 (en) Techniques for creating virtual private containers
WO2015096695A1 (en) Installation control method, system and device for application program
US20140380481A1 (en) Portable security device and methods for detection and treatment of malware
GB2548211A (en) Evaluating installers and installer payloads
US11233805B2 (en) Centralized security assessments of scripts in network environments
GB2551813A (en) Mobile device policy enforcement
EP3345112B1 (en) Thresholds on scripts executable by unified extensible firmware interface systems
JP6018316B2 (en) Terminal authentication registration system, terminal authentication registration method and program
JP2018531459A6 (en) Techniques for creating virtual private containers
CN114662090A (en) File processing method, device, storage medium and system
CN107820702A (en) A kind of management-control method, device and electronic equipment
US11232198B2 (en) Dynamic visualization of scripts based on centralized security assessments
CN114189553B (en) Flow playback method, system and computing device
CN103023943A (en) Method, device and terminal equipment for task processing
CN114465766B (en) SSH-based remote access method, device, electronic equipment and storage medium
US20230214533A1 (en) Computer-implemented systems and methods for application identification and authentication
CN115208671B (en) Firewall configuration method, device, electronic equipment and storage medium
CN112398791B (en) Method and device for protecting website from tampering, system, storage medium and electronic device
CN114861160A (en) Method and device, device, and storage medium for enhancing authority of non-administrator account

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination