CN117668834A

CN117668834A - Virus detection method and device, electronic equipment and storage medium

Info

Publication number: CN117668834A
Application number: CN202211018624.7A
Authority: CN
Inventors: 刘遵一
Original assignee: Chengdu Huawei Technology Co Ltd
Current assignee: Chengdu Huawei Technology Co Ltd
Priority date: 2022-08-24
Filing date: 2022-08-24
Publication date: 2024-03-08
Also published as: WO2024040977A1

Abstract

The application relates to a virus detection method, a virus detection device, electronic equipment and a storage medium. Wherein the method may comprise: acquiring historical information of virus detection corresponding to a target file in a storage system; determining whether to perform virus detection on the target file according to the history information of virus detection corresponding to the target file; under the condition that the virus detection is carried out on the target file, sending a request for carrying out the virus detection on the target file to a target anti-virus system; therefore, whether the target file is subjected to virus detection or not is determined according to the history information of virus detection corresponding to the target file, and repeated virus detection on file contents subjected to virus detection can be avoided on the premise of ensuring data safety, so that network bandwidth overhead is saved, virus detection time is saved, and virus detection efficiency and read-write performance of a storage system are improved.

Description

Virus detection method and device, electronic equipment and storage medium

Technical Field

The present disclosure relates to the field of computer security, and in particular, to a method and apparatus for detecting viruses, an electronic device, and a storage medium.

Background

The Anti-Virus (AV) technology is a technology for protecting user data security, and has the functions of monitoring and preventing viruses in real time, scanning viruses or removing viruses, and the like, and maintains the security of user computer resources. Network attached storage (Network Attached Storage, NAS) antivirus, which is a value added feature in NAS storage systems, generally cooperates with antivirus software to protect data security of files in the NAS storage systems, thereby effectively preventing files of the NAS storage systems from being tampered with by viruses, and protecting reliable operation of the entire NAS storage systems.

However, the existing manner of protecting NAS against viruses consumes a lot of network bandwidth and consumes a lot of time, which is inefficient.

Disclosure of Invention

In view of this, a virus detection method, apparatus, electronic device, and storage medium are provided.

In a first aspect, embodiments of the present application provide a method for detecting a virus, the method comprising: acquiring historical information of virus detection corresponding to a target file in a storage system; wherein the history information of virus detection includes: whether at least one of virus detection, the number of times of virus detection, the time of virus detection, configuration information of an antivirus system that performs virus detection has been experienced; determining whether to perform virus detection on the target file according to the history information of virus detection corresponding to the target file; and under the condition that the virus detection is carried out on the target file, sending a request for carrying out the virus detection on the target file to a target antivirus system.

Based on the technical scheme, the historical information of virus detection corresponding to the target file can represent the related information of virus detection experienced by the content of the target file; whether the target file is subjected to virus detection or not is determined according to the historical information of virus detection corresponding to the target file, and repeated virus detection on the file content subjected to virus detection can be avoided on the premise of ensuring data safety, so that network bandwidth overhead is saved, virus detection time is saved, and virus detection efficiency is improved; in addition, when triggering the online virus detection task, a user can timely open the target file, so that the read-write performance of the storage system is improved.

In a first possible implementation manner of the first aspect, the history information of virus detection corresponding to the target file includes history information of virus detection in metadata of the target file, and/or history information of virus detection corresponding to a file fingerprint of the target file in an index library; the index library comprises at least one file fingerprint and virus detection history information corresponding to the at least one file fingerprint, the at least one file fingerprint is associated with one or more files in the storage system, and the virus detection history information corresponding to the at least one file fingerprint comprises latest history information in virus detection history information corresponding to each file associated with the at least one file fingerprint.

In a second possible implementation manner of the first aspect according to the first aspect or the first possible implementation manner of the first aspect, the history information of virus detection corresponding to the target file includes: historical information of virus detection in the target file metadata; the obtaining the history information of virus detection corresponding to the target file includes: and reading the history information of virus detection corresponding to the target file in the metadata of the target file.

Based on the technical scheme, after a file is subjected to virus detection and no virus is confirmed, if the content of the file is not changed, the content of the file is still safe, and the virus detection can not be repeated on the file; therefore, the historical information of virus detection in the metadata of the target file is read, the historical information of virus detection corresponding to the target file is rapidly obtained, whether the target file is subjected to virus detection or not is further determined according to the historical information of virus detection in the metadata of the target file, and the repeated virus detection on the file content subjected to virus detection can be avoided on the premise that the data safety is ensured, so that the network bandwidth cost is saved, the virus detection time is saved, and the virus detection efficiency is improved; in addition, when triggering the online virus detection task, a user can timely open the target file, so that the read-write performance of the storage system is improved.

In a third possible implementation manner of the first aspect according to the first aspect or the first possible implementation manner of the first aspect, the history information of virus detection corresponding to the target file includes: historical information of virus detection corresponding to the file fingerprint of the target file in an index library; the obtaining the history information of virus detection corresponding to the target file includes: determining a target file fingerprint of the target file; and selecting historical information of virus detection corresponding to the target file fingerprint from the index library according to the target file fingerprint.

Based on the above technical solution, the fingerprint of the target file is associated with one or more files in the storage system, that is, the content of the one or more files is identical, if any one of the one or more files is confirmed to be safe through virus detection, the content of the other files can be considered to be safe, and the virus detection can be not repeated for the other files; therefore, the historical information of virus detection corresponding to the target file fingerprint is queried in the index library, whether the target file is subjected to virus detection is determined according to the historical information of virus detection corresponding to the target file fingerprint, and the repeated virus detection on the file content subjected to the virus detection can be avoided on the premise of ensuring the data safety, so that the network bandwidth cost is saved, the virus detection time is saved, and the virus detection efficiency is improved; in addition, when triggering the online virus detection task, a user can timely open the target file, so that the read-write performance of the storage system is improved.

In a fourth possible implementation manner of the first aspect according to the second possible implementation manner of the first aspect, the history information of virus detection corresponding to the target file includes: the historical information of virus detection in the metadata of the target file and the historical information of virus detection corresponding to the file fingerprint of the target file in the index library; the determining whether to perform virus detection on the target file according to the history information of virus detection corresponding to the target file includes: determining a target file fingerprint of the target file under the condition that the history information of virus detection in the target file metadata does not meet a first preset condition; according to the target file fingerprint, selecting historical information of virus detection corresponding to the target file fingerprint from the index library; and determining to perform virus detection on the target file under the condition that the history information of virus detection corresponding to the target file fingerprint does not meet a second preset condition.

Based on the technical scheme, whether the target file is subjected to virus detection or not is determined according to the history information of virus detection in the metadata of the target file and the history information of virus detection corresponding to the fingerprint of the target file in the index library, and the repeated virus detection on the file content subjected to the virus detection can be avoided on the premise of ensuring the data safety, so that the network bandwidth overhead is saved, the virus detection time is saved, and the virus detection efficiency is improved; in addition, when triggering the online virus detection task, a user can timely open the target file, so that the read-write performance of the storage system is improved.

In a fifth possible implementation manner of the first aspect according to the first aspect or the various possible implementation manners of the first aspect, the method further includes: obtaining a result of virus detection on the target file fed back by the target anti-virus system; and updating the history information of virus detection corresponding to the target file according to the result of virus detection.

Based on the technical scheme, the historical information of virus detection corresponding to the target file is updated according to the virus detection result, so that the historical information of virus detection corresponding to the target file can be ensured to be the latest historical information of virus detection, and whether the target file is subjected to virus detection or not can be determined based on the latest historical information of virus detection when a virus detection task is triggered next time.

In a sixth possible implementation manner of the first aspect according to the fourth possible implementation manner of the first aspect, the method further includes: and under the condition that the history information of virus detection corresponding to the target file fingerprint meets a second preset condition, determining that virus detection is not carried out on the target file, and updating the history information of virus detection in the metadata of the target file.

Based on the technical scheme, the historical information of virus detection corresponding to the target file fingerprint meets the second preset condition, which indicates that the file content corresponding to the target file fingerprint is subjected to virus detection and has no virus, namely, the content of the target file is subjected to virus detection and has no virus, the historical information of virus detection in the target file metadata can be updated, so that the historical information of virus detection in the target file metadata is ensured to be the latest historical information of virus detection, and whether the target file needs to be subjected to virus detection or whether the target file fingerprint needs to be acquired is quickly determined through the historical information of virus detection in the target file metadata when a virus detection task is triggered next time.

In a second aspect, embodiments of the present application provide a virus detection device, the device comprising: the acquisition module is used for acquiring the historical information of virus detection corresponding to the target file in the storage system; wherein the history information of virus detection includes: whether at least one of virus detection, the number of times of virus detection, the time of virus detection, configuration information of an antivirus system that performs virus detection has been experienced; the determining module is used for determining whether to perform virus detection on the target file according to the history information of virus detection corresponding to the target file; and the request module is used for sending a request for detecting viruses of the target file to the target antivirus system under the condition that the viruses of the target file are detected.

In a first possible implementation manner of the second aspect according to the second aspect, the history information of virus detection corresponding to the target file includes history information of virus detection in metadata of the target file, and/or the history information of virus detection corresponding to a file fingerprint of the target file in an index library; the index library comprises at least one file fingerprint and virus detection history information corresponding to the at least one file fingerprint, the at least one file fingerprint is associated with one or more files in the storage system, and the virus detection history information corresponding to the at least one file fingerprint comprises latest history information in virus detection history information corresponding to each file associated with the at least one file fingerprint.

In a second possible implementation manner of the second aspect or the first possible implementation manner of the second aspect, the history information of virus detection corresponding to the target file includes: historical information of virus detection in the target file metadata; the acquisition module is further configured to read, in the metadata of the target file, historical information of virus detection corresponding to the target file.

Based on the technical scheme, after a file is subjected to virus detection and no virus is confirmed, if the content of the file is not changed, the content of the file is still safe, and the virus detection can not be repeated on the file; therefore, the historical information of virus detection in the metadata of the target file is read, the historical information of virus detection corresponding to the target file is rapidly obtained, whether the target file is subjected to virus detection is determined according to the historical information of virus detection in the metadata of the target file, and the repeated virus detection on the file content subjected to virus detection can be avoided on the premise of ensuring the data safety, so that the network bandwidth cost is saved, the virus detection time is saved, and the virus detection efficiency is improved; in addition, when triggering the online virus detection task, a user can timely open the target file, so that the read-write performance of the storage system is improved.

In a third possible implementation manner of the second aspect according to the second aspect or the first possible implementation manner of the second aspect, the history information of virus detection corresponding to the target file includes: historical information of virus detection corresponding to the file fingerprint of the target file in an index library; the acquisition module is further configured to: determining a target file fingerprint of the target file; and selecting historical information of virus detection corresponding to the target file fingerprint from the index library according to the target file fingerprint.

In a fourth possible implementation manner of the second aspect according to the second possible implementation manner of the second aspect, the history information of virus detection corresponding to the target file includes: the historical information of virus detection in the metadata of the target file and the historical information of virus detection corresponding to the file fingerprint of the target file in the index library; the determining module is further configured to: determining a target file fingerprint of the target file under the condition that the history information of virus detection in the target file metadata does not meet a first preset condition; according to the target file fingerprint, selecting historical information of virus detection corresponding to the target file fingerprint from the index library; and determining to perform virus detection on the target file under the condition that the history information of virus detection corresponding to the target file fingerprint does not meet a second preset condition.

In a fifth possible implementation manner of the second aspect according to the second aspect or the various possible implementation manners of the second aspect, the apparatus further includes: the result feedback module is used for acquiring a result of virus detection on the target file, which is fed back by the target anti-virus system; and the updating module is used for updating the history information of virus detection corresponding to the target file according to the result of virus detection.

In a fourth possible implementation manner of the second aspect, in a sixth possible implementation manner of the second aspect, the apparatus further includes: and the metadata updating module is used for determining that the target file is not subjected to virus detection under the condition that the history information of virus detection corresponding to the target file fingerprint meets a second preset condition, and updating the history information of virus detection in the target file metadata.

In a third aspect, embodiments of the present application provide an electronic device, including: a processor; a memory for storing processor-executable instructions; wherein the processor is configured to implement the virus detection method of the first aspect or one or more of the first aspects when executing the instructions.

In a fourth aspect, embodiments of the present application provide a computer readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the virus detection method of the first aspect or one or more of the first aspects.

In a fifth aspect, embodiments of the present application provide a computer program product which, when run on a computer, causes the computer to perform the virus detection method of the first aspect or one or more of the first aspects described above.

Technical effects of the third to fifth aspects described above can be seen in the first or second aspects described above.

Other features and aspects of the present application will become apparent from the following detailed description of exemplary embodiments, which proceeds with reference to the accompanying drawings.

Drawings

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate exemplary embodiments, features and aspects of the present application and together with the description, serve to explain the principles of the present application.

Fig. 1 shows a schematic diagram of a suitable scenario of a virus detection method according to an embodiment of the present application.

Fig. 2 shows a flow chart of a virus detection method according to an embodiment of the present application.

FIG. 3 shows a schematic diagram of an index library according to an embodiment of the present application.

Fig. 4 is a schematic diagram of history information of virus detection corresponding to the file fingerprint 1 according to an embodiment of the present application.

Fig. 5 shows a flowchart of a virus detection method according to an embodiment of the present application.

FIG. 6 shows a flow chart of a method of virus detection according to an embodiment of the present application.

Fig. 7 shows a flowchart of a virus detection method according to an embodiment of the present application.

Fig. 8 is a schematic structural diagram of a virus detection device according to an embodiment of the present application.

Fig. 9 shows a schematic structural diagram of an electronic device according to an embodiment of the present application.

Detailed Description

Various exemplary embodiments, features and aspects of the present application will be described in detail below with reference to the accompanying drawings. In the drawings, like reference numbers indicate identical or functionally similar elements. Although various aspects of the embodiments are illustrated in the accompanying drawings, the drawings are not necessarily drawn to scale unless specifically indicated.

Reference in the specification to "one embodiment" or "some embodiments" or the like means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the application. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," and the like in the specification are not necessarily all referring to the same embodiment, but mean "one or more but not all embodiments" unless expressly specified otherwise. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless expressly specified otherwise. The word "exemplary" is used herein to mean "serving as an example, embodiment, or illustration. Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments. In addition, numerous specific details are set forth in the following detailed description in order to provide a better understanding of the present application. It will be understood by those skilled in the art that the present application may be practiced without some of these specific details.

In the present application, "at least one" means one or more, and "a plurality" means two or more. "and/or", describes an association relationship of an association object, and indicates that there may be three relationships, for example, a and/or B, and may indicate: including the case where a alone exists, both a and B together, and B alone, where a, B may be singular or plural. The character "/" generally indicates that the context-dependent object is an "or" relationship. "at least one of" or the like means any combination of these items, including any combination of single item(s) or plural items(s). For example, at least one (one) of a, b, or c may represent: a, b, c, a-b, a-c, b-c, or a-b-c, wherein a, b, c may be single or plural.

Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.

An application scenario adapted to the embodiment of the present application is first illustrated below.

Fig. 1 shows a schematic diagram of a suitable scenario of a virus detection method according to an embodiment of the present application. As shown in fig. 1, the scenario may include a storage system 10, an anti-virus system 20; wherein the storage system 10 may be connected to the anti-virus system 20 via a wired or wireless network.

Wherein, the storage system 10 may include an antivirus unit, which is configured to send a virus detection request to the antivirus system 20, and trigger virus detection; the virus detection request may include a storage path of the target file or content of the target file. Illustratively, the storage system 10 may be a NAS storage system; the NAS storage System may include 1-n File Systems (FS) therein for storing and organizing data to determine corresponding files according to File path information. In some examples, an administrator may configure anti-virus functions in storage system 10 through a graphical management interface or Command Line Interface (CLI) in advance; the anti-virus unit may send a virus detection request to the anti-virus system 20 when virus detection of a file in the storage system 10 is required.

The antivirus system 20 is used for performing virus detection and virus killing processing on files. The anti-virus system 20 may be external to the storage system 10 or may be deployed within the storage system 10, as is not limited in this regard. In some examples, the anti-virus system 20 may be configured with an anti-virus Server (AV Server), also referred to as an anti-virus Engine (AV Engine), through which virus detection may be performed by installed anti-virus software; if the path of the target file is transmitted by the storage system 10, the content of the target file is acquired from the storage system 10 according to the path of the target file by the anti-virus server through a file access protocol, for example, a network file system (Network File System, NFS) protocol, an SMB protocol, a general Internet file system (Common Internet File System, CIFS) protocol, an Internet content adaptation protocol (Internet Content Adaptation Protocol, ICAP), or the like, thereby performing virus detection; if the storage system 10 sends the content of the target file, the antivirus server directly performs virus detection on the content of the target file, so as to determine whether the target file has viruses. In other examples, the anti-virus system 20 may also be configured with an anti-virus Agent (Av Agent) to provide a proxy service for the anti-virus server to obtain information sent by the storage system 10.

Illustratively, a client 30 may also be included in the scenario, which may be, for example, a server information block (Server Message Block, SMB) client (client); a user may send an operation access request to the storage system 10 through the client 30, so as to perform operations such as opening, writing, saving, relationship, or reading on files in the storage system 10.

In the related art, when a user performs operation Access to a target file in the storage system 10, triggering to perform an online virus detection task On the target file, which is also called On-Access Scanning (On-Access Scanning); or an administrator may configure the global or local anti-virus scanning of files in storage system 10 on a periodic basis (e.g., during idle periods such as the early morning hours) to trigger storage system 10 to actively perform background virus detection tasks on target files. When triggering an online virus detection task for a target file or triggering the storage system 10 to actively perform a background virus detection task for the target file, the storage system 10 needs to send a request for performing virus detection on the target file to the antivirus system 20, after receiving the virus detection request, the antivirus system 20 obtains the content of the target file (directly receives the content of the target file sent by the storage system 10, or obtains the content of the target file according to the path of the target file sent by the storage system 10), and performs virus detection on the obtained content of the target file. Since a large number of files are usually stored in the storage system, when the virus detection task is triggered, the contents of the target files in the storage system 10 need to be transmitted to the antivirus system 20, so that a large amount of network Input Output (IO) transmission bandwidth and time are consumed, and the efficiency is low. In addition, when the online virus detection task is triggered, the user cannot open and access the target file before the virus detection of the target file is completed by the antivirus system 20, so that the read-write performance of the storage system 10 is greatly affected.

Considering that there are a large number of duplicate files, such as files with disaster recovery characteristics such as data copying, snapshot, cloning, copying, etc., among the massive files stored in the storage system 10, the contents of these duplicate files are identical, if one of the duplicate files is confirmed to be safe by virus detection, the contents of other files in the duplicate files can be considered to be safe, and virus detection may not be repeated for other files in the duplicate files; in addition, after a file is confirmed to be virus-free through virus detection, if the content of the file is not changed, the content of the file is still safe, and the virus detection can not be repeated on the file; based on the above, the embodiment of the application provides a virus detection method (see below for detailed description), which can skip file contents which are subjected to virus detection on the premise of ensuring data security, and avoid sending repeated file contents to an anti-virus system for virus detection, thereby saving network bandwidth overhead, saving virus detection time and improving virus detection efficiency; in addition, when triggering the online virus detection task, the user can timely open the target file, so that the read-write performance of the storage system 10 is improved.

It should be noted that, the above application scenario described in the embodiments of the present application is for more clearly describing the technical solution of the embodiments of the present application, and does not constitute a limitation on the technical solution provided in the embodiments of the present application, and those skilled in the art can know that, for other similar or new scenarios, the technical solution provided in the embodiments of the present application is equally applicable to similar technical problems. For example, the virus detection methods described herein are equally applicable to other storage systems, such as object-based storage systems, distributed file systems (Distributed File System, HDFS), large data storage systems, and the like.

The following describes in detail the virus detection method provided in the embodiment of the present application, taking the scenario shown in fig. 1 as an example.

Fig. 2 shows a flow chart of a virus detection method according to an embodiment of the present application. The method may be performed by the anti-virus unit of fig. 1 described above, for example. As shown in fig. 2, the method may include the steps of:

s201, acquiring historical information of virus detection corresponding to a target file in a storage system.

For example, when a virus detection task is triggered, historical information of virus detection corresponding to a target file in a storage system can be obtained; for example, when a user performs operation access to a target file in a storage system, triggering an online virus detection task to the target file, and acquiring history information of virus detection corresponding to the target file by an antivirus unit; for another example, when the storage system is triggered to actively perform a background virus detection task on the target file, the antivirus unit may obtain history information of virus detection corresponding to the target file. As one example, the storage system may be storage system 10 shown in FIG. 1 described above.

The history information of virus detection corresponding to the target file can represent relevant information of virus detection experienced by the content of the target file; the history information of virus detection may include: whether at least one of virus detection, the number of virus detections, the virus detection time, and configuration information of an antivirus system that performs the virus detection has been experienced.

Wherein whether the content of one file has been subjected to virus detection indicates whether the content of one file has been subjected to virus detection; for example, having undergone virus detection means that the content of one file has undergone virus detection before the current time and it is determined that there is no virus, and having not undergone virus detection means that the content of one file has not undergone virus detection before the current time. The virus detection number indicates the number of times the content of one file is subjected to virus detection. The virus detection time indicates a time when the content of one file is subjected to virus detection, and may be, for example, the latest virus detection time, that is, a time when the content of the file is subjected to virus detection last time. The configuration information of the antivirus system that performs virus detection indicates configuration information of the antivirus system that performs virus detection when the content of one file is subjected to virus detection, for example, configuration information of the antivirus system that performs the latest virus detection may be the configuration information of the antivirus system; for example, the antivirus system performing virus detection may include antivirus software, and the configuration information of the antivirus system may be a version number of the antivirus software.

For example, when the content of one file changes, such as writing new content or deleting part of content in one file, or when the content of one file is determined to have virus through virus detection, the history information of virus detection corresponding to the file may be updated to a default value; as one example, the default values may include one or more of not experienced virus detection, a number of virus detections of 0, a virus detection time of null, or configuration information of an anti-virus system performing virus detection being in air.

In one possible implementation, the history information of virus detection corresponding to the target file includes history information of virus detection in metadata of the target file. That is, at least one item of configuration information of an antivirus system that performs virus detection when the content of the target file is subjected to virus detection, the number of times the content of the target file is subjected to virus detection, the time the content of the target file is subjected to virus detection, and the content of the target file is subjected to virus detection may be recorded in the target file metadata. For example, the antivirus unit may read history information of virus detection corresponding to the target file in metadata of the target file.

As one example, taking as an example whether the history information of virus detection in the metadata of the target file includes the content of the target file has undergone virus detection. For example, when the contents of the target file have been subject to virus detection and no virus is confirmed, a "scanned" tag may be recorded in the target file metadata, thereby characterizing that the contents of the target file have been subject to virus detection; if the contents of the target file change, there is a risk of intrusion by viruses, the "scanned" flag is cleared in the target file metadata, thereby characterizing that the modified contents of the target file have not undergone virus detection.

As another example, the history information of virus detection in the target file metadata includes a time at which the content of the target file underwent virus detection. For example, when the content of the target file is subjected to virus detection and no virus is confirmed, the time of the virus detection may be recorded in the metadata of the target file; if the content of the target file is again subjected to virus detection and it is confirmed that there is no virus, the time of virus detection described in the metadata of the target file may be updated according to the time of the last virus detection.

As another example, taking as an example that history information of virus detection in the target file metadata includes configuration information of an antivirus system that performs virus detection when the content of the target file is subjected to virus detection. For example, when the content of the target file is subjected to virus detection and no virus is confirmed, the version number of the antivirus software for executing the virus detection can be recorded in the metadata of the target file; if the content of the target file is subjected to virus detection again and no virus is confirmed, the version number of the antivirus software recorded in the metadata of the target file can be updated according to the version number of the antivirus software executing the virus detection.

As another example, taking as an example that the history information of virus detection in the metadata of the target file includes the number of times the content of the target file is subjected to virus detection. For example, each time the content of the target file is subjected to virus detection and no virus is confirmed, the number of times of virus detection recorded in the history information of virus detection corresponding to the target file may be increased by 1.

As another example, taking as an example whether the history information of virus detection in the target file metadata includes the content of the target file has undergone virus detection and the time at which the content of the target file has undergone virus detection. When the target file is subjected to virus detection and no virus is confirmed, the scanned mark and the time of the virus detection can be recorded in the metadata of the target file.

As another example, the history information of virus detection in the target file metadata may include whether the content of the target file has undergone virus detection, the time at which the content of the target file has undergone virus detection, and configuration information of an antivirus system that performs virus detection when the content of the target file has undergone virus detection; when the target file is subjected to virus detection and no virus is confirmed, the scanned mark, the time of the virus detection and the configuration information of an antivirus system for executing the virus detection can be recorded in the metadata of the target file.

In one possible implementation, the history information of virus detection corresponding to the target file may include the history information of virus detection corresponding to the file fingerprint of the target file in the index library; for example, the antivirus unit may query the index library for history information of virus detection corresponding to a target file fingerprint of the target file.

The index library comprises at least one file fingerprint and virus detection historical information corresponding to the at least one file fingerprint, the at least one file fingerprint is associated with one or more files in the storage system, and the virus detection historical information corresponding to the at least one file fingerprint comprises the latest historical information in the virus detection historical information corresponding to each file associated with the at least one file fingerprint.

As one example, for a target file, when the target file is closed after the target file is created in the storage system and the content is written, a file fingerprint of the target file may be calculated according to the content of the target file; the file fingerprint can be obtained through the existing mode of calculating the file fingerprint. For example, a file fingerprint of the target file may be recorded in metadata of the target file. Thus, traversing each file in the storage system, and obtaining the file fingerprint of each file; further summarizing the file fingerprints of all the files to obtain a plurality of different file fingerprints; wherein, the file fingerprints of the files with the same content are the same, and the file fingerprints of the files with different content are different. Further, for any file fingerprint, summarizing the history information of virus detection corresponding to each file associated with the file fingerprint, so that the latest history information in the history information of virus detection corresponding to each associated file is used as the history information of virus detection corresponding to the file fingerprint; finally, an index record (namely, the history information of virus detection corresponding to the file fingerprint) taking the file fingerprint as a key is inserted into the index library, so that the index library is established; the index library may be recorded with at least one of virus detection, the number of times of virus detection, the time of virus detection, and configuration information of an antivirus system that performs virus detection.

For example, fig. 3 shows a schematic diagram of an index library according to an embodiment of the present application, as shown in fig. 3, the index library may include a plurality of file fingerprints, namely file fingerprint 1, file fingerprint 2, file fingerprint 3 and file fingerprint …, respectively; the history information of virus detection corresponding to each file fingerprint may include whether the file content corresponding to the file fingerprint has undergone virus detection, the time when the file content corresponding to the file fingerprint has undergone virus detection, and the version number of antivirus software executing virus detection when the file content corresponding to the file fingerprint has undergone virus detection. For example, the history information of the virus detection corresponding to the file fingerprint 1 in fig. 3 includes: the virus detection is carried out, the virus detection time is T1, and the version number of antivirus software for executing the virus detection is P1; for another example, the history information of virus detection corresponding to the file fingerprint 3 includes: virus detection is not performed, virus detection time is empty, and virus killing software version number for executing virus detection is empty.

For example, if the content of a certain file in the storage system changes, for example, after operations such as adding, deleting, and rewriting the content of the certain file, the file fingerprint of the certain file is recalculated, and if the content of the certain file is detected by viruses and it is determined that viruses exist, the content of the certain file is also changed after virus killing processing, the file fingerprint of the certain file is recalculated; or if a new file exists in the storage system, the file fingerprint of the new file can be calculated. Further, the historical information of virus detection corresponding to the latest file fingerprint in the index library can be updated; if the latest file fingerprint is not queried in the index library, an index record taking the latest file fingerprint as a key can be inserted in the index library.

For any file fingerprint, determining whether the content of each file corresponding to the file fingerprint is subjected to virus detection according to the information about whether the content of each file associated with the file fingerprint is subjected to virus detection, if the content of any file in each associated file is subjected to virus detection, that is, the latest information about whether the content of any file is subjected to virus detection, the history information of the virus detection corresponding to the file fingerprint includes the information about the content of each file subjected to virus detection; for example, a "scanned" mark may be added to the index record corresponding to the file fingerprint in the index library; if the content of each associated file is not subjected to virus detection, the history information of virus detection corresponding to the file fingerprint comprises information which is not subjected to virus detection. For any file fingerprint, the latest virus detection time can be selected from the virus detection times corresponding to the files associated with the file fingerprint as the virus detection time corresponding to the file fingerprint. For any file fingerprint, the latest configuration information of the antivirus system can be selected from the configuration information of the antivirus system for performing virus detection corresponding to each file associated with the file fingerprint, and the latest configuration information of the antivirus system is used as the configuration information of the antivirus system for performing virus detection corresponding to the file fingerprint; for example, the latest antivirus version number of the antivirus version numbers of the execution viruses corresponding to the files associated with the file fingerprint may be used as the antivirus version number of the execution viruses corresponding to the file fingerprint.

For example, fig. 4 shows a schematic diagram of history information of virus detection corresponding to a file fingerprint 1 according to an embodiment of the present application, as shown in fig. 4, a file B and a file C in a storage system are new files obtained by performing operations such as data copying, snapshot, cloning or copying on a file a, the content of the file B and the content of the file C are the same, and the file fingerprints of the file a, the file B and the file C are the same, namely, the file fingerprint 1 is associated with the file a, the file B and the file C in the storage system. The history information of virus detection corresponding to the file A comprises that the content of the file A is subjected to virus detection, the virus detection time is 2022, 1 month, 1 day and 15 hours, and the antivirus software version number is p1; the history information of virus detection corresponding to the file B is that the content of the file B is subjected to virus detection, the virus detection time is 2022, 1 month and 1 day 13, and the virus killing software version number is p2; the historical information of virus detection corresponding to the file C is that the content of the file C is not subjected to virus detection, the virus detection time is empty, and the antivirus software version number is empty. Since the contents of the file a and the file B undergo virus detection, that is, whether the latest information that has undergone virus detection is that which has undergone virus detection, it can be determined that the virus detection history information corresponding to the file fingerprint 1 includes the information that has undergone virus detection; the virus detection time corresponding to the file A is later than the virus detection time corresponding to the file B, namely the latest virus detection time is the virus detection time corresponding to the file A, and the virus detection time corresponding to the file fingerprint 1 can be determined to be 2022, 1 month, 1 day and 15 hours; the antivirus software version number p1 corresponding to the file a is updated relative to the antivirus software version number p2 corresponding to the file B, that is, the latest antivirus software version number for executing virus detection is p1, and then the antivirus software version number corresponding to the file fingerprint 1 can be determined to be p1.

In one possible implementation, the history information of virus detection corresponding to the target file includes history information of virus detection in metadata of the target file and history information of virus detection corresponding to a file fingerprint of the target file in an index library.

The type of the virus detection history information in the metadata of the target file may be the same as or different from the type of the virus detection history information corresponding to the file fingerprint of the target file in the index library, which is not limited. For example, the history information of virus detection in the metadata of the target file may include whether virus detection has been experienced, and the history information of virus detection corresponding to the file fingerprint of the target file may include virus detection time; for another example, the history information of the virus detection in the metadata of the target file may include whether the virus detection has been performed, and the history information of the virus detection corresponding to the file fingerprint of the target file may include whether the virus detection has been performed.

S202, determining whether to perform virus detection on the target file according to the history information of virus detection corresponding to the target file.

For example, it may be determined that virus detection is not performed on the target file if history information of virus detection corresponding to the target file satisfies a preset condition; and under the condition that the historical information of virus detection corresponding to the target file does not meet the preset condition, determining to detect the virus of the target file.

As an example, taking the example that the history information of the virus detection corresponding to the target file includes whether the virus detection has been performed, the corresponding preset condition may include that the content of the target file has been subjected to the virus detection. For example, if a "scanned" mark exists in the history information of the virus detection corresponding to the target file, which indicates that the content of the target file is subjected to the virus detection, it is determined that the virus detection is not performed on the target file; and if the history information of virus detection corresponding to the target file does not have the scanned mark, determining to detect the virus of the target file.

As another example, taking an example that the virus detection history information corresponding to the target file includes a virus detection time, the corresponding preset condition may include that an interval between the virus detection time and the current time in the virus detection history information corresponding to the target file does not exceed a preset time interval. If the interval between the virus detection time and the current moment in the virus detection historical information corresponding to the target file does not exceed the preset time interval, determining that the virus detection is not carried out on the target file; if the interval between the virus detection time and the current moment in the virus detection historical information corresponding to the target file exceeds the preset time interval, determining that the target file is subjected to virus detection if the content of the target file has the risk of virus infection; the value of the preset time interval may be set as required, which is not limited.

As another example, taking an example that the history information of virus detection corresponding to the target file includes the number of times of virus detection, the corresponding preset condition may include that the number of times of virus detection in the history information of virus detection corresponding to the target file does not exceed the preset number of times of detection. If the virus detection times in the history information of the virus detection corresponding to the target file reach the preset detection times, determining that the virus detection is not carried out on the target file; if the virus detection times in the history information of the virus detection corresponding to the target file do not reach the preset detection times, determining to detect the virus of the target file; the number of the preset detection times may be set as needed, which is not limited.

As another example, taking an example that the history information of the virus detection corresponding to the target file includes configuration information of an antivirus system that performs virus detection, the corresponding preset condition may include that the configuration information of the antivirus system that performs virus detection is identical to the configuration information of the target antivirus system (i.e., the antivirus system that currently performs virus detection). For example, if the version number of the antivirus software in the history information of virus detection corresponding to the target file is the same as the version number of the antivirus software currently executing virus detection, the target file can be skipped, and virus detection is not performed on the target file; if the version number of the antivirus software in the history information of virus detection corresponding to the target file is different from the version number of the antivirus software currently executing virus detection (for example, the version number of the antivirus software is changed due to the fact that the antivirus software is updated), the virus detection is determined to be performed on the target file.

As another example, taking the example that the history information of the virus detection corresponding to the target file includes whether the virus detection and the virus detection time have been elapsed, the corresponding preset condition may be that the content of the target file has been subjected to the virus detection, and the interval between the virus detection time and the current time in the history information of the virus detection corresponding to the target file does not exceed the preset time interval. For example, if a scanned mark exists in the history information of virus detection corresponding to the target file and the interval between the virus detection time and the current time in the history information of virus detection corresponding to the target file does not exceed a preset time interval, determining that virus detection is not performed on the target file; otherwise, determining to detect the virus of the target file.

As another example, taking as an example whether the history information of the virus detection corresponding to the target file includes the virus detection, the virus detection time, and the configuration information of the antivirus system that performs the virus detection; the corresponding preset condition may be that the content of the target file is subjected to virus detection, the interval between the virus detection time and the current moment in the history information of the virus detection corresponding to the target file does not exceed the preset time interval, and the configuration information of the antivirus system executing the virus detection is the same as the configuration information of the target antivirus system. For example, if a scanned mark exists in the history information of virus detection corresponding to the target file, the interval between the virus detection time and the current moment in the history information of virus detection corresponding to the target file does not exceed a preset time interval, and the version number of the virus killing software in the history information of virus detection corresponding to the target file is the same as the version number of the virus killing software currently executing virus detection, determining that virus detection is not performed on the target file; otherwise, determining to detect the virus of the target file.

S203, when the virus detection is determined to be performed on the target file, a request for performing the virus detection on the target file is sent to the target anti-virus system.

For example, the storage system may be connected wirelessly or by wire to one or more anti-virus systems, and may send a request for virus detection of the target file to the target anti-virus system if it is determined to be virus-detected. As one example, the target anti-virus system may be the anti-virus system 20 of fig. 1 described above.

The request for virus detection may also include, for example, a path of the target file or content of the target file, such that the target anti-virus system performs virus detection on the target file. For example, in the case of determining that virus detection is performed on the target file, the antivirus unit may send the path of the target file to the target antivirus system, and the target antivirus system acquires the content of the target file from the storage system through the file access protocol based on the path of the target file, and then performs virus detection, so as to determine whether there is a virus in the content of the target file; for another example, the antivirus unit may send the content of the target file to the target antivirus system device, where the target antivirus system directly performs virus detection on the received content of the target file, so as to determine whether there is a virus in the content of the target file.

For example, in the event that it is determined that virus detection is not performed on the target file, virus detection of the target file may be skipped. For example, when triggering an online virus detection task, if it is determined that virus detection is not performed on the target file, the user may be directly allowed to perform an operation on the target file.

In a possible implementation manner, after the step S203 is performed, a result of virus detection on the target file fed back by the target antivirus system may also be obtained; and updating the history information of virus detection corresponding to the target file according to the result of virus detection. So that the next time the virus detection task is triggered, it is determined whether to perform virus detection on the target file based on the latest history information of virus detection.

As an example, if there is no "scanned" mark in the history information of virus detection corresponding to the target file; if the target antivirus system detects the target file, the target antivirus system confirms that the target file has no virus, and the target file can be fed back to the antivirus unit that the target file has no virus; the antivirus unit may add a "scanned" flag to the history information of virus detection corresponding to the target file. If the history information of virus detection corresponding to the target file has a scanned mark; if the target antivirus system detects viruses of the target file, the target antivirus system confirms that the target file has viruses, then the target file can be sterilized (for example, some or all of the contents in the target file are deleted, isolated and the like), and the target file has viruses is fed back to the antivirus unit, and the antivirus unit can delete the scanned mark in the history information of virus detection corresponding to the sterilized target file due to the change of the contents of the target file.

As another example, if the target antivirus system confirms that the target file has no virus after performing virus detection on the target file, the antivirus unit may feed back the target file has no virus and the current virus detection time to the antivirus unit, and the antivirus unit may update the virus detection time in the history information of virus detection corresponding to the target file to the current virus detection time. If the target antivirus system confirms that the target file has viruses after virus detection is carried out on the target file, the target antivirus system can disinfect the target file, the target file has viruses is fed back to the antivirus unit, and the antivirus unit can update the virus detection time in the history information of virus detection corresponding to the target file to be a default value.

As another example, if the target antivirus system confirms that the target file is free of viruses after virus detection is performed on the target file, the antivirus system may feed back to the antivirus unit that the target file is free of viruses and the version number of the antivirus software that performs the virus detection; the antivirus unit may update the version number of the antivirus software executing the virus detection in the history information of the virus detection corresponding to the target file to the version number of the antivirus software executing the virus detection. If the target antivirus system confirms that the target file has viruses after the target antivirus system detects viruses of the target file, the target file can be sterilized, viruses of the target file are fed back to the antivirus unit, and the antivirus unit can update the version number of antivirus software for executing virus detection in historical information of virus detection corresponding to the target file to be a default value.

In the embodiment of the present application, the history information of virus detection corresponding to the target file may represent relevant information of virus detection experienced by the content of the target file; whether the target file is subjected to virus detection or not is determined according to the historical information of virus detection corresponding to the target file, and repeated virus detection on the file content subjected to virus detection can be avoided on the premise of ensuring data safety, so that network bandwidth overhead is saved, virus detection time is saved, and virus detection efficiency is improved; in addition, when triggering the online virus detection task, a user can timely open the target file, so that the read-write performance of the storage system is improved.

The virus detection method in the embodiment of the present application is described below by taking an example in which the history information of virus detection corresponding to the target file includes the history information of virus detection in metadata of the target file.

Fig. 5 shows a flowchart of a virus detection method according to an embodiment of the present application. Illustratively, the method may be performed by the anti-virus unit of FIG. 1 described above. As shown in fig. 5, the virus detection method includes:

s501, in the metadata of the target file, reading the history information of virus detection corresponding to the target file.

The specific description of the metadata of the target file may refer to the description related to step 201 in fig. 2.

S502, determining whether to perform virus detection on the target file according to the history information of virus detection corresponding to the target file.

For example, it may be determined that virus detection is not performed on the target file in a case where history information of virus detection in the metadata of the target file satisfies a preset condition; and under the condition that the historical information of virus detection corresponding to the target file does not meet the preset condition, determining to detect the virus of the target file.

The specific implementation process of this step may refer to the related description in step S202 in fig. 2, and will not be described herein.

S503, when determining that the virus detection is performed on the target file, sending a request for performing the virus detection on the target file to the target antivirus system.

The specific implementation process of this step may refer to the description related to step S203 in fig. 2, which is not described herein.

In a possible implementation manner, after the step S503 is performed, a result of virus detection on the target file fed back by the target antivirus system may also be obtained; and updating the history information of virus detection in the metadata of the target file according to the result of virus detection. For example, after the target antivirus system performs virus detection on the target file, one or more of whether the target file has virus, the time of the virus detection or configuration information of the target antivirus system may be fed back to the antivirus unit, and the antivirus unit updates history information of virus detection in metadata of the target file according to the fed back information.

Thus, through the steps S501-S503, the history information of virus detection in the metadata of the target file is read, and the history information of virus detection corresponding to the target file is rapidly obtained; considering that after a file is subjected to virus detection and no virus is confirmed, if the content of the file is not changed, the content of the file is still safe, and the virus detection can not be repeated on the file; therefore, whether the target file is subjected to virus detection is determined according to the history information of virus detection in the metadata of the target file, and the repeated virus detection on the file content subjected to the virus detection can be avoided on the premise of ensuring the data safety, so that the network bandwidth overhead is saved, the virus detection time is saved, and the virus detection efficiency is improved; in addition, when triggering the online virus detection task, a user can timely open the target file, so that the read-write performance of the storage system is improved.

As one example, the history information of virus detection in the metadata of the target file includes whether the content of the target file has undergone virus detection. Whether the content of the target file has been subjected to virus detection may be read in the target file metadata, for example, whether there is a "scanned" flag in the target file metadata may be read, thereby determining whether the content of the target file has been subjected to virus detection. If the scanned mark does not exist in the metadata of the target file, and the content of the target file is not subjected to virus detection, determining to carry out virus detection on the target file, and sending a request for carrying out virus detection on the target file to a target anti-virus system. If the scanned mark exists in the metadata of the target file, the content of the target file is subjected to virus detection, and no virus exists, and it is determined that the target file is not subjected to virus detection.

As another example, taking as an example the virus detection time that the history information of virus detection in the target file metadata includes the content of the target file. The virus detection time of the content of the target file can be read from the metadata of the target file, if the interval between the virus detection time of the content of the target file and the current moment exceeds the preset time interval, the virus detection of the target file is determined, and a request for the virus detection of the target file is sent to the target anti-virus system. If the interval between the virus detection time of the content of the target file and the current moment does not exceed the preset time interval, it can be determined that the virus detection is not performed on the target file.

As another example, taking as an example that history information of virus detection in the target file metadata includes configuration information of an antivirus system that performs virus detection when the content of the target file is subjected to virus detection. The configuration information of the antivirus system for performing virus detection can be read from the metadata of the target file, if the configuration information of the antivirus system for performing virus detection is different from the configuration information of the target antivirus system, the virus detection is determined on the target file, and a request for performing virus detection on the target file is sent to the target antivirus system. If the configuration information of the antivirus system performing virus detection is the same as the configuration information of the target antivirus system, it may be determined that virus detection is not performed on the target file.

As another example, taking as an example, history information of virus detection in the target file metadata includes whether the content of the target file has undergone virus detection, the content of the target file has undergone virus detection time, and configuration information of an antivirus system that performs virus detection when the content of the target file has undergone virus detection. The configuration information of whether the target file has undergone virus detection, virus detection time and an antivirus system performing virus detection can be read from the target file metadata; for example, whether the metadata of the target file has a scanned mark, the latest time of the latest virus detection of the content of the target file, and the configuration information of an antivirus system for executing the latest virus detection can be read, and if the metadata of the target file has the scanned mark, the latest time of the latest virus detection of the content of the target file does not exceed a preset time interval from the current time interval, and the configuration information of the antivirus system for executing the latest virus detection is the same as the configuration information of the target antivirus system, it is determined that the virus detection is not performed on the target file; otherwise, determining to detect the virus of the target file, and sending a request for detecting the virus of the target file to the target anti-virus system.

The virus detection method in the embodiment of the present application is described below by taking an example that the history information of virus detection corresponding to the target file includes the history information of virus detection corresponding to the file fingerprint of the target file in the index library.

FIG. 6 shows a flow chart of a method of virus detection according to an embodiment of the present application. Illustratively, the method may be performed by the anti-virus unit of FIG. 1 described above. As shown in fig. 6, the virus detection method includes:

s601, determining a target file fingerprint of a target file;

as one example, a target file fingerprint of a target file may be read in target file metadata;

as another example, a target file fingerprint of the target file may be calculated from content in the target file. The method for calculating the fingerprint of the target file may adopt the prior art, and is not described herein; for example, a hash code may be employed to generate the target file fingerprint.

S602, according to the target file fingerprint, selecting the historical information of virus detection corresponding to the target file fingerprint from an index library.

The specific description of the index library may refer to the description related to step 201 in fig. 2.

For example, the target file fingerprint may be used as a key to query in the index library, so as to obtain the history information of virus detection corresponding to the target file fingerprint.

For example, if the index library is queried with the target file fingerprint as a key, and no history information of virus detection corresponding to the target file fingerprint is queried, an index record with the target file fingerprint as the key may be inserted into the index library, where the history information of virus detection corresponding to the target file fingerprint is set as a default value.

S603, determining whether to perform virus detection on the target file according to the history information of virus detection corresponding to the target file fingerprint.

For example, it may be determined that virus detection is not performed on the target file if the history information of virus detection corresponding to the fingerprint of the target file satisfies a preset condition; and under the condition that the historical information of virus detection corresponding to the fingerprint of the target file does not meet the preset condition, determining to detect the virus of the target file.

The specific implementation process of this step may refer to the description related to step S202 in fig. 2, which is not described herein.

S604, when determining that the virus detection is performed on the target file, sending a request for performing the virus detection on the target file to a target antivirus system.

In a possible implementation manner, after the step S604 is performed, a result of virus detection on the target file fed back by the target antivirus system may also be obtained; and updating the historical information of virus detection corresponding to the file fingerprint of the target file in the index library according to the result of virus detection. For example, after the target anti-virus system performs virus detection on the target file, one or more of whether the target file has virus, the time of the virus detection or configuration information of the target anti-virus system may be fed back to the anti-virus unit, and the anti-virus unit updates the history information of virus detection corresponding to the fingerprint of the target file in the index library according to the fed back information.

Thus, through the steps S601-S604, the history information of virus detection corresponding to the fingerprint of the target file is queried in the index library; considering that the target file fingerprint is associated with one or more files in the storage system, namely the content of the one or more files is identical, if any one of the one or more files is confirmed to be safe through virus detection, the content of other files can be considered to be safe, and virus detection can not be repeated on the other files; therefore, whether the target file is subjected to virus detection is determined according to the historical information of the virus detection corresponding to the fingerprint of the target file, and the repeated virus detection on the file content subjected to the virus detection can be avoided on the premise of ensuring the data safety, so that the network bandwidth overhead is saved, the virus detection time is saved, and the virus detection efficiency is improved; in addition, when triggering the online virus detection task, a user can timely open the target file, so that the read-write performance of the storage system is improved.

As one example, taking as an example whether the history information of the virus detection corresponding to the target file fingerprint in the index library includes that the virus detection has been undergone; for example, the fingerprint of the target file can be used as a key to query in an index library, and whether a scanned mark exists in the history information of virus detection corresponding to the fingerprint of the target file is obtained, so as to judge whether the content of the target file is subjected to virus detection. If the history information of the virus detection corresponding to the fingerprint of the target file in the index library has no scanned mark, the content of the target file is represented to not undergo the virus detection, the virus detection on the target file is determined, and a request for the virus detection on the target file is sent to the target anti-virus system. If the history information of the virus detection corresponding to the fingerprint of the target file in the index library contains a scanned mark, which represents that the content of the target file is subjected to the virus detection and no virus exists, the target file is determined not to be subjected to the virus detection.

As an example, taking the case that the history information of virus detection corresponding to the fingerprint of the target file in the index library includes the time of virus detection as an example; for example, the target file fingerprint can be used as a key to query in an index library, so as to obtain the time of virus detection corresponding to the target file fingerprint; if the interval between the virus detection time corresponding to the fingerprint of the target file and the current moment exceeds the preset time interval, determining to detect the virus of the target file, and sending a request for detecting the virus of the target file to the target anti-virus system. If the interval between the virus detection time corresponding to the fingerprint of the target file and the current moment does not exceed the preset time interval, determining that the virus detection is not carried out on the target file.

As another example, taking as an example that the history information of virus detection corresponding to the target file fingerprint in the index library includes configuration information of an antivirus system that performs virus detection; for example, the configuration information of the antivirus system for performing virus detection corresponding to the target file fingerprint may be obtained by querying in an index library with the target file fingerprint as a key, if the configuration information of the antivirus system for performing virus detection corresponding to the target file fingerprint is different from the configuration information of the target antivirus system, the virus detection is determined for the target file, and a request for performing virus detection for the target file is sent to the target antivirus system. If the configuration information of the antivirus system for performing virus detection corresponding to the fingerprint of the target file is the same as the configuration information of the target antivirus system, it may be determined that virus detection is not performed on the target file.

As another example, taking as an example whether the history information of virus detection corresponding to the target file fingerprint in the index library includes the virus detection, the virus detection time, and the configuration information of an antivirus system that performs the virus detection; for example, the method includes the steps that a target file fingerprint is used as a key to query in an index library, and whether scanned marks exist in historical information of virus detection corresponding to the target file fingerprint, virus detection time corresponding to the target file fingerprint and configuration information of an antivirus system for executing virus detection corresponding to the target file fingerprint are obtained; if the history information of virus detection corresponding to the target file fingerprint has a scanned mark, the interval between the virus detection time corresponding to the target file fingerprint and the current moment does not exceed the preset time interval, and the configuration information of an antivirus system for executing virus detection corresponding to the target file fingerprint is the same as the configuration information of the target antivirus system, determining that virus detection is not carried out on the target file; otherwise, determining to detect the virus of the target file, and sending a request for detecting the virus of the target file to the target anti-virus system.

The virus detection method in the embodiment of the present application is described below by taking, as an example, that the history information of virus detection corresponding to the target file includes the history information of virus detection in the metadata of the target file and the history information of virus detection corresponding to the file fingerprint of the target file in the index library.

Fig. 7 shows a flowchart of a virus detection method according to an embodiment of the present application. The method may be performed by the anti-virus unit of fig. 1 described above, for example. As shown in fig. 7, the virus detection method includes:

s701, in the metadata of the target file, reading the history information of virus detection corresponding to the target file.

This step is the same as step S501 in fig. 5, and will not be described again here.

S702, determining a target file fingerprint of the target file under the condition that the history information of virus detection in the target file metadata does not meet a first preset condition.

The manner of determining the fingerprint of the target file may refer to the description related to step S601 in fig. 6.

In one possible implementation manner, the target file fingerprint of the target file may also be determined if the history information of virus detection in the target file metadata meets a first preset condition. For example, the target file may not undergo virus detection for a long time, and in order to further ensure data security, the target file fingerprint of the target file may still be determined under the condition that the metadata is recorded with a "scanned" mark, so as to further determine whether to perform virus detection on the target file.

The first preset condition may refer to the related expression of the "preset condition" in step S202 of fig. 2, and will not be described herein.

As an example, the first preset condition may be that a "scanned" mark exists in the metadata of the target file, if the "scanned" mark exists in the metadata of the target file, it represents that the target file has been subjected to virus detection and no virus is confirmed, and virus detection may not be performed on the target file; if there is no "scanned" tag in the target file metadata, then the target file fingerprint is read in the target file metadata.

As another example, the first preset condition may be that the number of virus detections recorded in the metadata of the target file reaches a preset number of detections, and if the number of virus detections recorded in the metadata of the target file reaches the preset number of detections, virus detection may not be performed on the target file; if the virus detection times recorded in the target file metadata do not reach the preset detection times, the target file fingerprint can be read in the target file metadata.

As another example, the first preset condition may be that the interval between the virus detection time recorded in the metadata of the target file and the current time does not exceed a preset time interval, and if the interval between the virus detection time recorded in the metadata of the target file and the current time does not exceed the preset time interval, the virus detection may not be performed on the target file; and if the interval between the virus detection time and the current moment recorded in the target file metadata exceeds the preset time interval, reading the target file fingerprint in the target file metadata.

As another example, the first preset condition may be that the configuration information of the antivirus system performing virus detection recorded in the metadata of the target file is the same as the configuration information of the target antivirus system, and if the configuration information of the antivirus system performing virus detection recorded in the metadata of the target file is the same as the configuration information of the target antivirus system, virus detection may not be performed on the target file; and if the configuration information of the antivirus system for performing virus detection recorded in the metadata of the target file is different from the configuration information of the target antivirus system, reading the fingerprint of the target file in the metadata of the target file.

As another example, the first preset condition may be that a "scanned" flag is present in the target file metadata, an interval between a virus detection time recorded in the target file metadata and a current time is not more than a preset time interval, and configuration information of an antivirus system performing virus detection recorded in the target file metadata is the same as configuration information of the target antivirus system, and if a "scanned" flag is present in the target file metadata, an interval between a recorded virus detection time and the current time is not more than a preset time interval, and configuration information of an antivirus system performing virus detection is the same as configuration information of the target antivirus system, virus detection may not be performed on the target file; otherwise, the target file fingerprint is read in the target file metadata.

S703, according to the target file fingerprint, selecting the historical information of virus detection corresponding to the target file fingerprint from the index library.

This step is the same as step S602 in fig. 6, and will not be described here again.

S704, determining to detect the virus of the target file when the history information of the virus detection corresponding to the fingerprint of the target file does not meet the second preset condition.

The second preset condition may refer to the related expression of the "preset condition" in step S202 in fig. 2, and will not be described herein.

In one possible implementation manner, when the history information of virus detection corresponding to the fingerprint of the target file meets the second preset condition, it is determined that virus detection is not performed on the target file, and the history information of virus detection in the metadata of the target file is updated.

For example, the history information of virus detection in the metadata of the target file may be updated according to the history information of virus detection corresponding to the fingerprint of the target file. For example, if the metadata of the target file has no "scanned" mark, and the history information of virus detection corresponding to the fingerprint of the target file has "scanned" mark, the metadata of the target file may be added with the "scanned" mark. For another example, the virus detection time recorded in the metadata of the target file may be updated to the virus detection time corresponding to the fingerprint of the target file. The historical information of virus detection corresponding to the target file fingerprint meets a second preset condition, which indicates that the file content corresponding to the target file fingerprint is subjected to virus detection and has no virus, namely, the content of the target file is subjected to virus detection and has no virus, the historical information of virus detection in the metadata of the target file can be updated, so that the historical information of virus detection in the metadata of the target file is ensured to be the latest historical information of virus detection, and whether the target file needs to be subjected to virus detection or whether the target file fingerprint needs to be acquired is quickly determined through the historical information of virus detection in the metadata of the target file when a virus detection task is triggered next time.

S705, when determining that the virus detection is performed on the target file, sending a request for performing the virus detection on the target file to the target antivirus system.

In one possible implementation manner, after the step S705 is performed, a result of virus detection on the target file fed back by the target antivirus system may also be obtained; and updating the history information of virus detection in the metadata of the target file and the history information of virus detection corresponding to the file fingerprint of the target file in the index library according to the result of virus detection.

In this way, through the steps S701-S705, whether to perform virus detection on the target file is determined according to the history information of virus detection in the metadata of the target file and the history information of virus detection corresponding to the fingerprint of the target file in the index library, so that the repeated virus detection on the file content which has undergone virus detection can be avoided on the premise of ensuring the data security, thereby saving network bandwidth overhead, saving virus detection time and improving virus detection efficiency; in addition, when triggering the online virus detection task, a user can timely open the target file, so that the read-write performance of the storage system is improved.

As one example, the history information of the virus detection includes whether the virus detection has been experienced. For example, whether the target file metadata has a scanned mark or not can be read, if the target file metadata does not have the scanned mark, the target file fingerprint of the target file is determined, and the information of whether virus detection is performed or not corresponding to the target file fingerprint is selected from an index library; if the history information of the virus detection corresponding to the fingerprint of the target file in the index library does not have the scanned mark, determining to detect the virus of the target file, and sending a request for detecting the virus of the target file to the target anti-virus system. If the history information of the virus detection corresponding to the fingerprint of the target file in the index library has a scanned mark, which represents that the content of the target file is subjected to the virus detection and no virus exists, determining that the virus detection is not performed on the target file; further, a "scanned" flag may be added to the target file metadata.

As another example, the history information of virus detection includes virus detection time as an example. The virus detection time of the content of the target file can be read from the metadata of the target file, if the interval between the virus detection time recorded in the metadata and the current time exceeds the preset time interval, the fingerprint of the target file is determined, the virus detection time corresponding to the fingerprint of the target file is selected from the index library, if the interval between the virus detection time corresponding to the fingerprint of the target file and the current time exceeds the preset time interval, the virus detection of the target file is determined, and a request for virus detection of the target file is sent to the target anti-virus system. If the interval between the virus detection time corresponding to the fingerprint of the target file and the current moment does not exceed the preset time interval, determining that the virus detection is not performed on the target file; further, the virus detection time recorded in the metadata of the target file may be updated according to the virus detection time corresponding to the fingerprint of the target file.

As another example, the history information of virus detection includes configuration information of an antivirus system that performs virus detection. The configuration information of the antivirus system for executing virus detection can be read from the metadata of the target file, if the configuration information of the antivirus system for executing virus detection recorded in the metadata of the target file is different from the configuration information of the target antivirus system, the fingerprint of the target file is determined, the configuration information of the antivirus system for executing virus detection corresponding to the fingerprint of the target file is selected from the index library, and if the configuration information of the antivirus system for executing virus detection corresponding to the fingerprint of the target file is different from the configuration information of the antivirus system of the target file, the virus detection on the target file is determined, and a request for executing virus detection on the target file is sent to the antivirus system of the target file. If the configuration information of the anti-virus system for executing virus detection corresponding to the fingerprint of the target file is the same as the configuration information of the target anti-virus system, it can be determined that the virus detection is not performed on the target file; further, the configuration information of the antivirus system for performing virus detection recorded in the metadata of the target file may be updated according to the configuration information of the antivirus system for performing virus detection corresponding to the fingerprint of the target file.

As another example, taking as an example, history information of virus detection includes whether virus detection has been performed, virus detection time, and configuration information of an antivirus system that performs virus detection. The configuration information of whether virus detection, virus detection time and an antivirus system for performing virus detection are experienced or not can be read in the target file metadata; if the scanned mark exists in the metadata of the target file, the interval between the time of virus detection and the current moment does not exceed the preset time interval or any item of configuration information of an antivirus system for executing virus detection is not satisfied with the configuration information of the target antivirus system, determining the fingerprint of the target file, selecting information whether virus detection is carried out or not, virus detection time and configuration information of the antivirus system for executing virus detection corresponding to the fingerprint of the target file from an index library, and if the scanned mark exists in the information of the antivirus system for executing virus detection corresponding to the fingerprint of the target file, the interval between the time of corresponding virus detection and the current moment does not exceed the preset time interval or any item of configuration information of the corresponding antivirus system for executing virus detection is not satisfied with the configuration information of the target antivirus system, determining that virus detection is carried out on the target file, and sending a request for carrying out virus detection on the target file to the target antivirus system. If the scanned mark exists in the virus detection information corresponding to the fingerprint of the target file, the interval between the corresponding virus detection time and the current moment does not exceed the preset time interval, and the configuration information of the corresponding virus prevention system for executing the virus detection is the same as the configuration information of the target virus prevention system, the condition that the virus detection is not carried out on the target file can be determined; further, a "scanned" flag may be added to metadata of the target file, and the virus detection time and the configuration information of the antivirus system performing the virus detection in the metadata of the target file may be updated according to the virus detection time corresponding to the fingerprint of the target file and the configuration information of the corresponding antivirus system performing the virus detection.

Based on the same inventive concept of the above method embodiments, embodiments of the present application further provide a virus detection device, which may be used to execute the technical solutions described in the above method embodiments. For example, the steps of the methods shown in fig. 2, 5, 6, or 7 described above may be performed.

Fig. 8 is a schematic structural diagram of a virus detection device according to an embodiment of the present application. As shown in fig. 8, the apparatus includes: an obtaining module 801, configured to obtain historical information of virus detection corresponding to a target file in a storage system; wherein the history information of virus detection includes: whether at least one of virus detection, the number of times of virus detection, the time of virus detection, configuration information of an antivirus system that performs virus detection has been experienced; a determining module 802, configured to determine whether to perform virus detection on the target file according to the history information of virus detection corresponding to the target file; and the request module 803 is configured to send a request for performing virus detection on the target file to a target antivirus system when determining that virus detection is performed on the target file.

According to the embodiment of the application, the historical information of virus detection corresponding to the target file can represent the relevant information of virus detection experienced by the content of the target file; whether the target file is subjected to virus detection or not is determined according to the historical information of virus detection corresponding to the target file, and repeated virus detection on the file content subjected to virus detection can be avoided on the premise of ensuring data safety, so that network bandwidth overhead is saved, virus detection time is saved, and virus detection efficiency is improved; in addition, when triggering the online virus detection task, a user can timely open the target file, so that the read-write performance of the storage system is improved.

In a possible implementation manner, the history information of virus detection corresponding to the target file includes the history information of virus detection in the metadata of the target file, and/or the history information of virus detection corresponding to the file fingerprint of the target file in an index library; the index library comprises at least one file fingerprint and virus detection history information corresponding to the at least one file fingerprint, the at least one file fingerprint is associated with one or more files in the storage system, and the virus detection history information corresponding to the at least one file fingerprint comprises latest history information in virus detection history information corresponding to each file associated with the at least one file fingerprint.

In one possible implementation manner, the history information of virus detection corresponding to the target file includes: historical information of virus detection in the target file metadata; the obtaining module 801 is further configured to read, in the metadata of the target file, historical information of virus detection corresponding to the target file.

In one possible implementation manner, the history information of virus detection corresponding to the target file includes: historical information of virus detection corresponding to the file fingerprint of the target file in an index library; the obtaining module 801 is further configured to: determining a target file fingerprint of the target file; and selecting historical information of virus detection corresponding to the target file fingerprint from the index library according to the target file fingerprint.

In one possible implementation manner, the history information of virus detection corresponding to the target file includes: the historical information of virus detection in the metadata of the target file and the historical information of virus detection corresponding to the file fingerprint of the target file in the index library; the determining module 802 is further configured to: determining a target file fingerprint of the target file under the condition that the history information of virus detection in the target file metadata does not meet a first preset condition; according to the target file fingerprint, selecting historical information of virus detection corresponding to the target file fingerprint from the index library; and determining to perform virus detection on the target file under the condition that the history information of virus detection corresponding to the target file fingerprint does not meet a second preset condition.

In one possible implementation, the apparatus further includes: the result feedback module is used for acquiring a result of virus detection on the target file, which is fed back by the target anti-virus system; and the updating module is used for updating the history information of virus detection corresponding to the target file according to the result of virus detection.

In one possible implementation, the apparatus further includes: and the metadata updating module is used for determining that the target file is not subjected to virus detection under the condition that the history information of virus detection corresponding to the target file fingerprint meets a second preset condition, and updating the history information of virus detection in the target file metadata.

The technical effects and specific descriptions of the virus detection device shown in fig. 8 and the various possible implementations thereof can be referred to the relevant descriptions of the virus search method, and are not repeated here.

It should be understood that the above division of the modules in the virus detection device is only a division of logic functions, and may be fully or partially integrated into one physical entity or may be physically separated. Furthermore, modules in the apparatus may be implemented in the form of processor-invoked software; the device comprises, for example, a processor, which is connected to a memory, in which instructions are stored, the processor calling the instructions stored in the memory to implement any of the above methods or to implement the functions of the modules of the device, wherein the processor is, for example, a general-purpose processor, such as a central processing unit (Central Processing Unit, CPU) or microprocessor, and the memory is internal or external to the device. Alternatively, the modules in the apparatus may be implemented in the form of hardware circuitry, some or all of which may be implemented by the design of hardware circuitry, which may be understood as one or more processors; for example, in one implementation, the hardware circuit is an application-specific integrated circuit (ASIC), and the functions of some or all of the above modules are implemented by the design of the logic relationships of elements within the circuit; for another example, in another implementation, the hardware circuit may be implemented by a programmable logic device (programmable logic device, PLD), for example, a field programmable gate array (Field Programmable Gate Array, FPGA), which may include a large number of logic gates, and the connection relationship between the logic gates is configured by a configuration file, so as to implement the functions of some or all of the above modules. All modules of the above device may be realized in the form of processor calling software, or in the form of hardware circuits, or in part in the form of processor calling software, and in the rest in the form of hardware circuits.

In an embodiment of the present application, the processor is a circuit with signal processing capability, and in one implementation, the processor may be a circuit with instruction reading and running capability, such as a CPU, microprocessor, graphics processor (graphics processing unit, GPU), digital signal processor (digital signal processor, DSP), neural-network processor (neural-network processing unit, NPU), tensor processor (tensor processing unit, TPU), etc.; in another implementation, the processor may perform a function through a logical relationship of hardware circuitry that is fixed or reconfigurable, e.g., a hardware circuit implemented by the processor as an ASIC or PLD, such as an FPGA. In the reconfigurable hardware circuit, the processor loads the configuration document, and the process of implementing the configuration of the hardware circuit can be understood as a process of loading instructions by the processor to implement the functions of some or all of the above modules.

It will be seen that each module in the above apparatus may be one or more processors (or processing circuits) configured to implement the methods of the above embodiments, for example: CPU, GPU, NPU, TPU, microprocessor, DSP, ASIC, FPGA, or a combination of at least two of these processor forms. In addition, all or part of the modules in the above apparatus may be integrated together or may be implemented independently, which is not limited.

As an example, the virus detection device may be provided separately, may be integrated into another device, or may be implemented by software or a combination of software and hardware. For example, the virus detection device may be an anti-virus unit of FIG. 1, which may be integrated into the storage system 10 of FIG. 1 described above.

As another example, the virus detection apparatus may also be a device or system having data processing capabilities, or a component or chip provided in such a device or system. For example, the virus detection device may be an integrated storage management platform (Integrated Storage Management, DEVICE MANAGER), a cloud server, a desktop, a laptop, a web server, a service cluster, a palm-top (personal digital assistant, PDA), a mobile phone, a tablet, a wireless terminal device, an embedded device, a medical device, or other devices with data processing functions, or components or chips within these devices.

The embodiment of the application also provides electronic equipment, which comprises: a processor; a memory for storing processor-executable instructions; wherein the processor is configured to implement the method of the above embodiments when executing the instructions. Illustratively, the steps of the methods illustrated in fig. 2, 5, 6, or 7 described above may be performed.

Fig. 9 shows a schematic structural diagram of an electronic device according to an embodiment of the present application, as shown in fig. 9, the electronic device may include: at least one processor 901, communication lines 902, memory 903, and at least one communication interface 904.

Processor 901 may be a general purpose central processing unit, microprocessor, application specific integrated circuit, or one or more integrated circuits for controlling the execution of the programs of the present application; the processor 901 may also include a heterogeneous computing architecture of a plurality of general purpose processors, for example, a combination of at least two of a CPU, GPU, microprocessor, DSP, ASIC, FPGA; as one example, the processor 901 may be a cpu+gpu or cpu+asic or cpu+fpga.

Communication line 902 may include a pathway to transfer information between the aforementioned components.

The communication interface 904, uses any transceiver-like device for communicating with other devices or communication networks, such as ethernet, RAN, wireless local area network (wireless local area networks, WLAN), etc.

The memory 903 may be, but is not limited to, a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a random access memory (random access memory, RAM) or other type of dynamic storage device that can store information and instructions, or an electrically erasable programmable read-only memory (electrically erasable programmable read-only memory, EEPROM), a compact disc (compact disc read-only memory) or other optical disc storage, optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, blu-ray disc, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory may be self-contained and coupled to the processor via communication line 902. The memory may also be integrated with the processor. The memory provided by embodiments of the present application may generally have non-volatility. The memory 903 is used for storing computer-executable instructions for executing the embodiments of the present application, and is controlled by the processor 901 to execute the instructions. The processor 901 is configured to execute computer-executable instructions stored in the memory 903, thereby implementing the methods provided in the above-described embodiments of the present application; illustratively, the steps of the methods illustrated in fig. 2, 5, 6, or 7 described above may be performed.

Alternatively, the computer-executable instructions in the embodiments of the present application may be referred to as application program codes, which are not specifically limited in the embodiments of the present application.

Illustratively, the processor 901 may include one or more CPUs, e.g., CPU0 in fig. 9; processor 901 may also include any of a CPU, and GPU, ASIC, FPGA, e.g., CPU0+ GPU0 or CPU0+ asic0 or CPU0+ FPGA0 in fig. 9.

By way of example, the electronic device may include multiple processors, such as processor 901 and processor 907 in fig. 9. Each of these processors may be a single-core (single-CPU) processor, a multi-core (multi-CPU) processor, or a heterogeneous computing architecture including a plurality of general-purpose processors. A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).

In a specific implementation, the electronic device may also include an output device 905 and an input device 906, as one embodiment. The output device 905 communicates with the processor 901 and may display information in a variety of ways. For example, the output device 905 may be a liquid crystal display (liquid crystal display, LCD), a light emitting diode (light emitting diode, LED) display device, a Cathode Ray Tube (CRT) display device, or a projector (projector) or the like, and may be, for example, a vehicle-mounted HUD, AR-HUD, display or the like display device. The input device 906, in communication with the processor 901, may receive user input in a variety of ways. For example, the input device 906 may be a mouse, a keyboard, a touch screen device, a sensing device, or the like.

Embodiments of the present application provide a computer readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the method of the above embodiments. Illustratively, the steps of the methods shown in fig. 2, 5, 6, or 7 described above may be implemented.

Embodiments of the present application provide a computer program product, for example, may include computer readable code, or a non-volatile computer readable storage medium bearing computer readable code; the computer program product, when run on a computer, causes the computer to perform the method in the above-described embodiments. Illustratively, the steps of the methods shown in fig. 2, 5, 6, or 7 described above may be implemented.

The computer readable storage medium may be a tangible device that can hold and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium would include the following: portable computer disks, hard disks, random Access Memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), static Random Access Memory (SRAM), portable compact disk read-only memory (CD-ROM), digital Versatile Disks (DVD), memory sticks, floppy disks, mechanical coding devices, punch cards or in-groove structures such as punch cards or grooves having instructions stored thereon, and any suitable combination of the foregoing. Computer-readable storage media, as used herein, are not to be construed as transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through waveguides or other transmission media (e.g., optical pulses through fiber optic cables), or electrical signals transmitted through wires.

The computer readable program instructions described herein may be downloaded from a computer readable storage medium to a respective computing/processing device or to an external computer or external storage device over a network, such as the internet, a local area network, a wide area network, and/or a wireless network. The network may include copper transmission cables, fiber optic transmissions, wireless transmissions, routers, firewalls, switches, gateway computers and/or edge servers. The network interface card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium in the respective computing/processing device.

Computer program instructions for performing the operations of the present application may be assembly instructions, instruction Set Architecture (ISA) instructions, machine-related instructions, microcode, firmware instructions, state setting data, or source or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, c++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The computer readable program instructions may be executed entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, aspects of the present application are implemented by personalizing electronic circuitry, such as programmable logic circuitry, field Programmable Gate Arrays (FPGAs), or Programmable Logic Arrays (PLAs), with state information for computer readable program instructions, which may execute the computer readable program instructions.

Various aspects of the present application are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.

These computer readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer, programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable medium having the instructions stored therein includes an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.

The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer, other programmable apparatus or other devices implement the functions/acts specified in the flowchart and/or block diagram block or blocks.

The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

The embodiments of the present application have been described above, the foregoing description is exemplary, not exhaustive, and not limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the various embodiments described. The terminology used herein was chosen in order to best explain the principles of the embodiments, the practical application, or the technical improvements in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims

1. A method of virus detection, the method comprising:

acquiring historical information of virus detection corresponding to a target file in a storage system; wherein the history information of virus detection includes: whether at least one of virus detection, the number of times of virus detection, the time of virus detection, configuration information of an antivirus system that performs virus detection has been experienced;

determining whether to perform virus detection on the target file according to the history information of virus detection corresponding to the target file;

and under the condition that the virus detection is carried out on the target file, sending a request for carrying out the virus detection on the target file to a target antivirus system.

2. The method according to claim 1, wherein the history information of virus detection corresponding to the target file includes history information of virus detection in metadata of the target file, and/or the history information of virus detection corresponding to a file fingerprint of the target file in an index library; the index library comprises at least one file fingerprint and virus detection history information corresponding to the at least one file fingerprint, the at least one file fingerprint is associated with one or more files in the storage system, and the virus detection history information corresponding to the at least one file fingerprint comprises latest history information in virus detection history information corresponding to each file associated with the at least one file fingerprint.

3. The method according to claim 1 or 2, wherein the history information of virus detection corresponding to the target file includes: historical information of virus detection in the target file metadata;

the obtaining the history information of virus detection corresponding to the target file includes: and reading the history information of virus detection corresponding to the target file in the metadata of the target file.

4. The method according to claim 1 or 2, wherein the history information of virus detection corresponding to the target file includes: historical information of virus detection corresponding to the file fingerprint of the target file in an index library;

the obtaining the history information of virus detection corresponding to the target file includes:

determining a target file fingerprint of the target file;

and selecting historical information of virus detection corresponding to the target file fingerprint from the index library according to the target file fingerprint.

5. A method according to claim 3, wherein the history information of virus detection corresponding to the target file includes: the historical information of virus detection in the metadata of the target file and the historical information of virus detection corresponding to the file fingerprint of the target file in the index library;

the determining whether to perform virus detection on the target file according to the history information of virus detection corresponding to the target file includes:

determining a target file fingerprint of the target file under the condition that the history information of virus detection in the target file metadata does not meet a first preset condition;

According to the target file fingerprint, selecting historical information of virus detection corresponding to the target file fingerprint from the index library;

and determining to perform virus detection on the target file under the condition that the history information of virus detection corresponding to the target file fingerprint does not meet a second preset condition.

6. The method according to any one of claims 1-5, further comprising:

obtaining a result of virus detection on the target file fed back by the target anti-virus system;

and updating the history information of virus detection corresponding to the target file according to the result of virus detection.

7. The method as recited in claim 5, wherein the method further comprises:

and under the condition that the history information of virus detection corresponding to the target file fingerprint meets a second preset condition, determining that virus detection is not carried out on the target file, and updating the history information of virus detection in the metadata of the target file.

8. A virus detection device, the device comprising: the acquisition module is used for acquiring the historical information of virus detection corresponding to the target file in the storage system; wherein the history information of virus detection includes: whether at least one of virus detection, the number of times of virus detection, the time of virus detection, configuration information of an antivirus system that performs virus detection has been experienced; the determining module is used for determining whether to perform virus detection on the target file according to the history information of virus detection corresponding to the target file; and the request module is used for sending a request for detecting viruses of the target file to the target antivirus system under the condition that the viruses of the target file are detected.

9. The apparatus of claim 8, wherein the history information of virus detection corresponding to the target file includes history information of virus detection in metadata of the target file and/or history information of virus detection corresponding to a file fingerprint of the target file in an index library; the index library comprises at least one file fingerprint and virus detection history information corresponding to the at least one file fingerprint, the at least one file fingerprint is associated with one or more files in the storage system, and the virus detection history information corresponding to the at least one file fingerprint comprises latest history information in virus detection history information corresponding to each file associated with the at least one file fingerprint.

10. The apparatus according to claim 8 or 9, wherein the history information of virus detection corresponding to the target file includes: historical information of virus detection in the target file metadata; the acquisition module is further configured to read, in the metadata of the target file, historical information of virus detection corresponding to the target file.

11. The apparatus according to claim 8 or 9, wherein the history information of virus detection corresponding to the target file includes: historical information of virus detection corresponding to the file fingerprint of the target file in an index library; the acquisition module is further configured to: determining a target file fingerprint of the target file; and selecting historical information of virus detection corresponding to the target file fingerprint from the index library according to the target file fingerprint.

12. The apparatus of claim 10, wherein the history information of virus detection corresponding to the target file includes: the historical information of virus detection in the metadata of the target file and the historical information of virus detection corresponding to the file fingerprint of the target file in the index library; the determining module is further configured to: determining a target file fingerprint of the target file under the condition that the history information of virus detection in the target file metadata does not meet a first preset condition; according to the target file fingerprint, selecting historical information of virus detection corresponding to the target file fingerprint from the index library; and determining to perform virus detection on the target file under the condition that the history information of virus detection corresponding to the target file fingerprint does not meet a second preset condition.

13. The apparatus according to any one of claims 8-12, wherein the apparatus further comprises: the result feedback module is used for acquiring a result of virus detection on the target file, which is fed back by the target anti-virus system; and the updating module is used for updating the history information of virus detection corresponding to the target file according to the result of virus detection.

14. The apparatus as recited in claim 12, wherein the apparatus further comprises: and the metadata updating module is used for determining that the target file is not subjected to virus detection under the condition that the history information of virus detection corresponding to the target file fingerprint does not meet a second preset condition, and updating the history information of virus detection in the target file metadata.

15. An electronic device, comprising:

a processor;

a memory for storing processor-executable instructions;

wherein the processor is configured to implement the method of any of claims 1-7 when executing the instructions.

16. A non-transitory computer readable storage medium having stored thereon computer program instructions, which when executed by a processor, implement the method of any of claims 1-7.