TW201443683A - Apparatus and method for searching and deleting macro virus - Google Patents


Publication number
TW201443683A
Authority
TW
Taiwan
Prior art keywords
macro
document
virus
macro virus
determining
Application number
TW102146233A
Other languages
Chinese (zh)
Inventor
Jing-Bing Cui
Original Assignee
Tencent Tech Shenzhen Co Ltd
Application filed by Tencent Tech Shenzhen Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files

Abstract

An apparatus and method for searching and deleting a macro virus are provided. The method includes obtaining a data stream of a file to be inspected; determining whether a macro identifier exists in the data stream, which decides whether a further search for a macro virus is performed; when the macro identifier exists in the data stream, determining whether the file contains a macro virus; and transforming the file containing the macro virus into a clean (virus-free) file. The method searches for and deletes only macro viruses written in the macro code of a computer document, which improves the efficiency of the search. It also deletes the macro virus written in the computer document, so that the original document is preserved and no information is lost.

Description

Method and device for detecting and removing macro viruses

The invention relates to the technical field of data security, and in particular to a method and a device for detecting and removing macro viruses.

With the spread of computers and the growth of the mobile Internet, the networked information age has arrived. A virus, as one form of information, can replicate, infect and destroy, and so threatens users' information security. Computer documents, that is, files produced by editing software such as WORD and EXCEL, are widely used, and macro viruses, a newer kind of virus aimed specifically at compromising the security of computer documents, have gradually come into view. A macro virus is written in a macro language and acts mainly within the macro code of a computer document, threatening the document's security.

In the prior art, a macro virus is found by a full-text search of the computer document: first, the signature code of the macro virus is obtained; second, that signature code is matched against all of the document's code until a code fragment identical to the signature code is found, at which point the document is considered infected with a macro virus. Once the document has been determined to be infected, the infected document is simply deleted.

The prior-art full-text search ignores the fact that a macro virus acts only within the macro code of a computer document. Being untargeted, it blindly widens the search scope and greatly reduces the efficiency of the macro virus search. Deleting the infected document, moreover, easily causes loss of information.

The invention provides a method and a device for detecting and removing macro viruses that scan only the macro code portion of a computer document, greatly improving the efficiency of the macro virus search. The macro virus information in the infected document is deleted, so the document's original information is preserved intact and no information is lost.

The invention provides a method for detecting and removing macro viruses, comprising: obtaining a data stream of a document to be inspected; where a macro identifier exists in the data stream, determining whether the document to be inspected is a macro virus document; and, if so, converting the macro virus document into a clean document.

Further, before determining whether the document to be inspected is a macro virus document, the method also includes: presetting a macro virus signature set, the set including at least one macro virus signature.

Further, determining whether the document to be inspected is a macro virus document includes: determining whether the document to be inspected includes any macro virus signature in the macro virus signature set.

Further, determining whether the document to be inspected includes any macro virus signature in the macro virus signature set includes: where the document includes a macro substream, determining whether the macro substream includes any macro virus signature in the set; where the document does not include a macro substream, or the macro substream includes no macro virus signature in the set, determining whether the document includes a script stream and, if so, determining whether the script stream includes any macro virus signature in the set; or, where the document includes a script stream, determining whether the script stream includes any macro virus signature in the set; where the document does not include a script stream, or the script stream includes no macro virus signature in the set, determining whether the document includes a macro substream and, if so, determining whether the macro substream includes any macro virus signature in the set.

Further, the method also includes: where no macro identifier exists in the data stream, determining the document to be inspected to be a clean document.

Further, converting the macro virus document into a clean document includes: deleting the macro information in the macro virus document, the macro information including a macro substream and/or a script stream, and deleting the macro identifier in the macro virus document; and determining the macro virus document to be a clean document.

The invention also provides a device for detecting and removing macro viruses, the device comprising: a first obtaining module, configured to obtain a data stream of a document to be inspected; a first determining module, configured to determine, where a macro identifier exists in the data stream, whether the document to be inspected is a macro virus document; and a conversion module, configured to convert the macro virus document into a clean document when the result of the first determining module is yes.

Further, the device also includes: a presetting module, configured to preset a macro virus signature set, the set including at least one macro virus signature.

Further, the first determining module is specifically configured to: where a macro identifier exists in the data stream, determine whether the document to be inspected includes any macro virus signature in the macro virus signature set.

Further, the first determining module includes: a first determining submodule, configured to determine, where the document to be inspected includes a macro substream, whether the macro substream includes any macro virus signature in the set; a second determining submodule, configured to determine, where the document does not include a macro substream or the macro substream includes no macro virus signature in the set, whether the document includes a script stream; and a third determining submodule, configured to determine, when the result of the second determining submodule is yes, whether the script stream includes any macro virus signature in the set; or, a fourth determining submodule, configured to determine, where the document includes a script stream, whether the script stream includes any macro virus signature in the set; a fifth determining submodule, configured to determine, where the document does not include a script stream or the script stream includes no macro virus signature in the set, whether the document includes a macro substream; and a sixth determining submodule, configured to determine, when the result of the fifth determining submodule is yes, whether the macro substream includes any macro virus signature in the set.

Further, the device also includes: a determining module, configured to determine the document to be inspected to be a clean document where no macro identifier exists in the data stream.

Further, the conversion module includes: a first deletion submodule, configured to delete the macro information in the macro virus document, the macro information including a macro substream and/or a script stream; a second deletion submodule, configured to delete the macro identifier in the macro virus document; and a determination submodule, configured to determine the macro virus document to be a clean document.

The invention first obtains the data stream of the document to be inspected; next, it decides whether to search further for a macro virus by checking whether a macro identifier exists in the obtained data stream; where a macro identifier exists in the data stream, it determines whether the document to be inspected is a macro virus document; finally, it converts the macro virus document into a clean document. The invention scans only the macro code portion of a computer document, greatly improving the efficiency of the macro virus search. It also deletes the macro virus information from the infected document, so the information in the original document is preserved intact and no information is lost.

Further, where no macro identifier exists in the data stream, the document to be inspected can be determined to be a clean document. Compared with the prior-art approach of searching the full text to establish that no virus signature code is present, the invention determines more efficiently that a computer document contains no macro virus.

Further, the invention first determines whether the document to be inspected includes a macro substream and/or a script stream, and then matches virus signature codes against the macro substream and/or script stream to identify a macro virus document. Compared with the prior art, searching the macro substream and/or script stream for macro viruses is more targeted and also improves the efficiency of the search.

Still further, by deleting the macro information and the macro identifier in a macro virus document, the invention converts the macro virus document into a clean document. Compared with the prior-art approach of deleting the macro virus document outright, the invention effectively prevents loss of the original document's information.

101~103‧‧‧Method flow steps of FIG. 1

201~203‧‧‧Method flow steps of FIG. 2

301~306‧‧‧Method flow steps of FIG. 3

401~404‧‧‧Method flow steps of FIG. 4

501~504‧‧‧Method flow steps of FIG. 5

601‧‧‧First obtaining module

602‧‧‧First determining module

603‧‧‧Conversion module

701‧‧‧First determining submodule

702‧‧‧Second determining submodule

703‧‧‧Third determining submodule

801‧‧‧Fourth determining submodule

802‧‧‧Fifth determining submodule

803‧‧‧Sixth determining submodule

910‧‧‧Radio frequency (RF) circuit

920‧‧‧Memory

930‧‧‧Input unit

931‧‧‧Touch panel

932‧‧‧Input device

940‧‧‧Display unit

941‧‧‧Display panel

950‧‧‧Sensor

960‧‧‧Audio circuit

961‧‧‧Speaker

962‧‧‧Microphone

970‧‧‧Wireless fidelity (WiFi) module

980‧‧‧Processor

990‧‧‧Power supply

To explain the technical solutions in the embodiments of this application more clearly, the drawings needed to describe the embodiments are briefly introduced below. The drawings described below are obviously only some embodiments of this application; a person of ordinary skill in the art can derive other drawings from them without creative effort.

FIG. 1 is a flowchart of a method for detecting and removing macro viruses according to one embodiment of the invention; FIG. 2 is a flowchart of a method for converting a macro virus document into a clean document according to another embodiment of the invention; FIG. 3 is a flowchart of a method for detecting and removing macro viruses according to another embodiment of the invention; FIG. 4 is a flowchart of one method for determining whether the document to be inspected includes any macro virus signature in the macro virus signature set, according to another embodiment of the invention; FIG. 5 is a flowchart of one method for determining whether the document to be inspected includes any macro virus signature in the macro virus signature set, according to another embodiment of the invention; FIG. 6 is a structural diagram of a device for detecting and removing macro viruses according to another embodiment of the invention; FIG. 7 is a structural diagram of the first determining module 602 according to another embodiment of the invention; FIG. 8 is one structural diagram of the first determining module 602 according to another embodiment of the invention; FIG. 9 is a schematic structural diagram of a terminal provided by another embodiment of the invention.

The technical solutions in the embodiments of this application are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are obviously only some, not all, of the embodiments of this application. All other embodiments that a person of ordinary skill in the art obtains from the embodiments in this application without creative effort fall within the scope of protection of this application.

The embodiments of the invention address two problems in the prior art: the low efficiency of searching for macro viruses, and the loss of information caused by directly deleting documents infected with a macro virus. They obtain the data stream of the document to be inspected and determine whether the document includes a macro identifier, and from that determine whether the document includes a macro virus. Finally, where the document does include a macro virus, the macro virus is removed by deleting the macro information in the document. This improves the efficiency of the macro virus search and also solves the problem of document information being lost while the macro virus is removed.

FIG. 1 is a flowchart of a method for detecting and removing macro viruses according to one embodiment of the invention. Referring to FIG. 1, the method of this embodiment includes:

Step 101: Obtain the data stream of the document to be inspected. In this embodiment, before the document is scanned for macro viruses, it is first parsed into the form of a data stream. The data stream is the structure that stores the raw data of the document to be inspected.

Step 102: Where a macro identifier exists in the data stream, determine whether the document to be inspected is a macro virus document; if so, go to step 103; if not, end the flow. In this embodiment, it is first determined whether a macro identifier exists in the obtained data stream. If it does, the method goes on to determine whether the document is a macro virus document and, where it is, proceeds to step 103. If no macro identifier exists in the data stream, the document is a clean document; that is, the absence of a macro identifier shows that the document contains no macro virus. The macro identifier indicates whether executable macro code exists in the document: if the document has no macro identifier, it has no executable macro code. Because a macro virus is itself written in macro code, a document without a macro identifier contains no executable macro virus, and a macro virus that cannot execute does no damage to the document.

Step 103: Convert the macro virus document into a clean document. In this embodiment, once the document to be inspected has been determined to be a macro virus document, it is converted into a clean document. A macro virus document is a document infected with a macro virus; a clean document is a document not infected with a macro virus.

FIG. 2 is a flowchart of a method for converting a macro virus document into a clean document according to another embodiment of the invention. Referring to FIG. 2, the method of this embodiment includes: Step 201: Delete the macro information in the macro virus document, the macro information including a macro substream and/or a script stream. In this embodiment, after the document to be inspected has been determined to be a macro virus document, the macro information in it is deleted. A macro substream can be located through the substream attribute directory in the data stream, which stores the attributes of each substream the data stream contains; because a macro substream has specific attributes, the directory can be queried for those attributes to find out whether the data stream contains a macro substream. Note that the data stream includes the macro substream, whereas the script stream can be located by its name.

In practice, it is determined whether the macro virus document includes a macro substream and/or a script stream, and any that exist are deleted. Specifically, the method may first determine whether the document includes a macro substream and delete it if so, then determine whether the document includes a script stream and delete that too if so. Alternatively, it may first determine whether a script stream exists and then whether a macro substream exists, and delete both. It may also determine at the same time whether a macro substream and a script stream exist in the document to be inspected, and delete whichever exist. Note that the order in which the macro substream and the script stream are checked is not restricted, and the two checks do not affect each other.

The method of FIG. 2 further includes step 202: Delete the macro identifier in the macro virus document. In this embodiment, after the document to be inspected has been determined to be a macro virus document, the macro identifier in it is deleted. Deleting the macro identifier removes the condition under which the macro virus code can execute. Note that the order of steps 201 and 202 is not restricted; they may also be performed at the same time.

The method of FIG. 2 further includes step 203: Determine the macro virus document to be a clean document. In this embodiment, a macro virus document whose macro information and macro identifier have been deleted is determined to be a clean document. That is, once the macro information and macro identifier in a document infected with a macro virus have been deleted, the macro virus in it has been removed: the document no longer contains a macro virus and can still be executed normally.

In this embodiment, the data stream of the document to be inspected is obtained first; next, whether to search further for a macro virus is decided by checking whether a macro identifier exists in the obtained data stream; where a macro identifier exists in the data stream, it is determined whether the document to be inspected is a macro virus document; finally, the macro virus document is converted into a clean document. The invention scans only the macro code portion of a computer document, greatly improving the efficiency of the macro virus search. It also deletes the macro virus information from the infected document, so the information in the original document is preserved intact and no information is lost.

Further, where no macro identifier exists in the data stream, the document to be inspected can be determined to be a clean document. Compared with the prior-art approach of searching the full text to establish that no virus signature code is present, the invention determines more efficiently that a computer document contains no macro virus.

FIG. 3 is a flowchart of a method for detecting and removing macro viruses according to another embodiment of the invention. Referring to FIG. 3, the method provided by this embodiment includes:

Step 301: Preset a macro virus signature set that includes at least one macro virus signature. In this embodiment, the macro virus signature set is defined in advance. A macro virus signature is a characteristic that distinguishes a macro virus from other types of virus; there are many kinds of macro virus, and different kinds have different signatures. In other words, a macro virus signature identifies one type of macro virus.

Step 302: Obtain the data stream of the document to be inspected. Step 302 in this embodiment is the same as step 101 in Embodiment 1 and is not described again here.

Step 303: Determine whether a macro identifier exists in the data stream; if not, go to step 304; if so, go to step 305. In this embodiment, it is first determined whether the obtained data stream includes a macro identifier; if so, go to step 304; otherwise, go to step 305. The way the macro identifier is looked up is not limited by this embodiment. The macro identifier is generally located at the front of the document to be inspected, so finding it generally requires traversing only the front of the document, not the full text as in the prior art.

Step 304: Determine the document to be inspected to be a clean document. In this embodiment, where no macro identifier exists in the obtained data stream, the document can be determined to be a clean document. That is, the absence of a macro identifier shows that the document contains no macro virus; more precisely, it contains no executable macro virus that could damage the document.

Step 305: Determine whether the document to be inspected includes any macro virus signature in the macro virus signature set; if so, go to step 306; if not, end the flow. In this embodiment, after it has been determined that the document includes a macro identifier, it is determined whether the document includes any macro virus signature in the set; if so, the method proceeds to step 306.

Step 306: Convert the macro virus document into a non-toxic document. Step 306 in this embodiment is the same as step 103 in the first embodiment and is not described again here.

FIG. 4 is a flowchart of one method, according to another embodiment of the present invention, for determining whether the document to be inspected includes any macro virus feature in the macro virus feature set. Referring to FIG. 4, the method of this embodiment includes:

Step 401: Determine whether the document to be inspected includes a macro substream. If so, proceed to step 402; if not, proceed to step 403. In this embodiment, when the document to be inspected includes a macro substream, the process proceeds to step 402; otherwise, when it does not include a macro substream, the process proceeds to step 403. In practice, the data stream includes the macro substream, and the data stream contains a directory holding the attributes of each substream. Because a macro substream has specific attributes, querying the attribute directory in the data stream reveals whether the document to be inspected includes a macro substream. The specific process of querying whether the document includes a macro substream is not limited by this embodiment.

Step 402: Determine whether the macro substream includes any macro virus feature in the macro virus feature set; if not, proceed to step 403. In this embodiment, when the document to be inspected includes a macro substream, it is determined whether the macro substream includes any macro virus feature in the macro virus feature set, where a macro virus feature may contain a specific piece of macro virus code. If the macro substream includes any macro virus feature in the macro virus feature set, proceed to step 306; otherwise, proceed to step 403.

Step 403: Determine whether the document to be inspected includes a script stream; if so, proceed to step 404. In this embodiment, when the document to be inspected does not include a macro substream, or the macro substream does not include any macro virus feature in the macro virus feature set, it is determined whether the document includes a script stream. If so, proceed to step 306; if not, the document to be inspected is shown to be a non-toxic document. In practice, the script stream has a specific name, for example _VBA_PROJECT_CUR, so querying for the script stream name determines whether the document includes a script stream. The specific process of querying whether the document includes a script stream is not limited by this embodiment.

Step 404: Determine whether the script stream includes any macro virus feature in the macro virus feature set. In this embodiment, when the document to be inspected includes a script stream, it is determined whether the script stream includes any macro virus feature in the macro virus feature set. If it does, proceed to step 306; otherwise, the document is shown to be a non-toxic document. In practice, the code in the script stream is matched against the macro virus features in the macro virus feature set. If any macro virus feature is present in the script stream, the document to be inspected is a macro virus document; otherwise, it is a non-toxic document.

FIG. 5 is a flowchart of one method, according to another embodiment of the present invention, for determining whether the document to be inspected includes any macro virus feature in the macro virus feature set. Referring to FIG. 5, the method of this embodiment includes:

Step 501: Determine whether the document to be inspected includes a script stream. If so, proceed to step 502; if not, proceed to step 503.

Step 502: Determine whether the script stream includes any macro virus feature in the macro virus feature set. If not, proceed to step 503; if the script stream includes any macro virus feature in the macro virus feature set, proceed to step 306.

Step 503: Determine whether the document to be inspected includes a macro substream. If so, proceed to step 504; if not, end the process.

Step 504: Determine whether the macro substream includes any macro virus feature in the macro virus feature set. This method differs from the method of FIG. 4 only in whether the document to be inspected is checked first for a script stream or first for a macro substream. The specific steps are therefore similar to those described for FIG. 4 and are not repeated here.

In this embodiment, a macro virus feature set containing at least one macro virus feature is preset. Next, whether to search further for a macro virus is decided by determining whether a macro identifier exists in the acquired data stream. When a macro identifier exists in the data stream, it is determined whether the document to be inspected includes a macro substream and a script stream, and then whether the macro substream or the script stream contains any macro virus feature in the macro virus feature set, so that the document is determined to be either a macro virus document or a non-toxic document. Compared with the prior art, matching virus signatures against only the macro substream and/or the script stream is more targeted and improves the efficiency of searching for macro viruses.
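The decision flow of steps 303 to 306, with the FIG. 4 and FIG. 5 check orders and the conversion step, is sketched below as an added example; it is not code from the patent. The container layout (magic bytes, flags byte, directory attribute), the feature strings and the sample documents are constructed assumptions; only the stream name `_VBA_PROJECT_CUR` comes from the text.

```python
from dataclasses import dataclass, field

# Constructed feature set; a real engine loads vendor-maintained signatures.
SIGNATURES = (b"CONSTRUCTED-SIG-ALPHA", b"CONSTRUCTED-SIG-BETA")
MAGIC = b"DOC0"                # hypothetical container magic
FLAGS_OFFSET = 4               # hypothetical: flags byte follows the magic
MACRO_FLAG = 0x01              # hypothetical "macro identifier" bit
ATTR_MACRO = "macro"           # hypothetical directory attribute of a macro substream
SCRIPT_STREAM_NAME = "_VBA_PROJECT_CUR"  # script stream name given in the text


@dataclass
class Entry:
    name: str
    attr: str
    data: bytes


@dataclass
class Document:
    header: bytearray                      # front part of the data stream
    directory: list = field(default_factory=list)


def has_macro_identifier(doc):
    """Step 303: inspect only the front of the data stream."""
    h = doc.header
    return (len(h) > FLAGS_OFFSET and h[:len(MAGIC)] == MAGIC
            and bool(h[FLAGS_OFFSET] & MACRO_FLAG))


def macro_substreams(doc):
    """Steps 401/503: found through the attribute directory."""
    return [e for e in doc.directory if e.attr == ATTR_MACRO]


def script_streams(doc):
    """Steps 403/501: found by stream name."""
    return [e for e in doc.directory if e.name == SCRIPT_STREAM_NAME]


def matches_feature(entries):
    """Steps 402/404/502/504: any feature present in any given stream."""
    return any(sig in e.data for e in entries for sig in SIGNATURES)


def is_macro_virus(doc, script_first=False):
    """FIG. 4 order by default, FIG. 5 order when script_first is True."""
    finders = [macro_substreams, script_streams]
    if script_first:
        finders.reverse()
    return any(matches_feature(find(doc)) for find in finders)


def disinfect(doc):
    """Step 306: delete macro information and the macro identifier only."""
    doc.directory = [e for e in doc.directory
                     if e.attr != ATTR_MACRO and e.name != SCRIPT_STREAM_NAME]
    doc.header[FLAGS_OFFSET] &= ~MACRO_FLAG & 0xFF


def scan(doc):
    """Steps 303-306; returns a verdict and cleans the document in place."""
    if not has_macro_identifier(doc):
        return "no-macro-identifier"       # step 304: treated as non-toxic
    if not is_macro_virus(doc):
        return "no-feature-match"          # step 305 "no" branch
    disinfect(doc)
    return "disinfected"


def sample_documents():
    """Constructed inputs: plain, macro-bearing but benign, and infected."""
    body = Entry("WordDocument", "data", b"constructed body text")
    benign = Entry("Macros", ATTR_MACRO, b"Sub Hello()\nEnd Sub")
    script_ok = Entry(SCRIPT_STREAM_NAME, "script", b"benign project data")
    script_bad = Entry(SCRIPT_STREAM_NAME, "script",
                       b"xx CONSTRUCTED-SIG-BETA yy")
    return {
        "plain": Document(bytearray(MAGIC + b"\x00"), [body]),
        "benign_macro": Document(bytearray(MAGIC + b"\x01"),
                                 [body, benign, script_ok]),
        "infected": Document(bytearray(MAGIC + b"\x01"),
                             [body, benign, script_bad]),
    }


if __name__ == "__main__":
    for name, doc in sample_documents().items():
        print(name, scan(doc), [e.name for e in doc.directory])
```

In the infected sample the macro substream carries no feature, so the FIG. 4 order falls through from step 402 to steps 403 and 404 before matching, and the body stream survives the conversion untouched.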

The present invention further provides an embodiment described from the perspective of a macro virus detection and removal apparatus, which may be integrated into a client. The client may be installed in a terminal, and the terminal may be a smartphone, a tablet computer, an e-book reader, an MP3 (Moving Picture Experts Group Audio Layer III) player, an MP4 (Moving Picture Experts Group Audio Layer IV) player, a laptop computer, a desktop computer, and so on.

FIG. 6 is a structural diagram of a macro virus detection and removal apparatus according to another embodiment of the present invention. Referring to FIG. 6, the apparatus provided in this embodiment includes: a first obtaining module 601, configured to obtain the data stream of the document to be inspected; a first determining module 602, configured to determine, when a macro identifier exists in the data stream, whether the document to be inspected is a macro virus document; and a conversion module 603, configured to convert the macro virus document into a non-toxic document when the result of the first determining module 602 is yes. The first determining module 602 is specifically configured to determine, when a macro identifier exists in the data stream, whether the document to be inspected includes any macro virus feature in the macro virus feature set.

FIG. 7 is a structural diagram of the first determining module 602 according to another embodiment of the present invention. Referring to FIG. 7, the first determining module 602 may specifically include: a first determining submodule 701, configured to determine, when the document to be inspected includes a macro substream, whether the macro substream includes any macro virus feature in the macro virus feature set; a second determining submodule 702, configured to determine whether the document to be inspected includes a script stream when the document does not include a macro substream or the macro substream does not include any macro virus feature in the macro virus feature set; and a third determining submodule 703, configured to determine, when the result of the second determining submodule is yes, whether the script stream includes any macro virus feature in the macro virus feature set.

FIG. 8 is another structural diagram of the first determining module 602 according to another embodiment of the present invention. Referring to FIG. 8, the first determining module 602 may specifically include: a fourth determining submodule 801, configured to determine, when the document to be inspected includes a script stream, whether the script stream includes any macro virus feature in the macro virus feature set; a fifth determining submodule 802, configured to determine whether the document to be inspected includes a macro substream when the document does not include a script stream or the script stream does not include any macro virus feature in the macro virus feature set; and a sixth determining submodule 803, configured to determine, when the result of the fifth determining submodule is yes, whether the macro substream includes any macro virus feature in the macro virus feature set.

In addition, the conversion module 603 may include: a first deletion submodule, configured to delete the macro information in the macro virus document, where the macro information includes the macro substream and/or the script stream; a second deletion submodule, configured to delete the macro identifier in the macro virus document; and a determining submodule, configured to determine the macro virus document to be a non-toxic document.

In addition, the apparatus may further include: a preset module, configured to preset the macro virus feature set, where the macro virus feature set includes at least one macro virus feature; and a determining module, configured to determine the document to be inspected to be a non-toxic document when no macro identifier exists in the data stream.

Another embodiment of the present invention further provides a terminal, shown in FIG. 9. For ease of description, only the parts related to the embodiments of the present invention are shown; for specific technical details that are not disclosed, refer to the method part of the embodiments of the present invention. The terminal may be any terminal device such as a mobile phone, a tablet computer, a PDA (Personal Digital Assistant), a POS (Point of Sales) terminal, or an in-vehicle computer. The embodiment of FIG. 9 uses a mobile phone as the example terminal.

FIG. 9 is a block diagram of part of the structure of a mobile phone related to the terminal provided by another embodiment of the present invention. Referring to FIG. 9, the mobile phone includes components such as a radio frequency (RF) circuit 910, a memory 920, an input unit 930, a display unit 940, a sensor 950, an audio circuit 960, a wireless fidelity (WiFi) module 970, a processor 980, and a power supply 990. Those skilled in the art will understand that the structure shown in FIG. 9 does not limit the mobile phone, which may include more or fewer components than illustrated, combine certain components, or arrange the components differently. The components of the mobile phone are described in detail below with reference to FIG. 9.

The RF circuit 910 can be used to receive and send signals while transmitting and receiving information or during a call. In particular, it receives downlink information from a base station and passes it to the processor 980 for processing, and it sends uplink data to the base station. Generally, the RF circuit includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier (LNA), a duplexer, and the like. In addition, the RF circuit 910 can communicate with networks and other devices through wireless communication. The wireless communication may use any communication standard or protocol, including but not limited to Global System of Mobile communication (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail, Short Messaging Service (SMS), and the like.

The memory 920 can be used to store software programs and modules. The processor 980 performs the various functional applications and data processing of the mobile phone by running the software programs and modules stored in the memory 920. The memory 920 may mainly include a program storage area and a data storage area. The program storage area may store the operating system and the applications required for at least one function (such as a sound playback function or an image playback function); the data storage area may store data created through use of the mobile phone (such as audio data or a phone book). In addition, the memory 920 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, a flash memory device, or other volatile solid-state memory components.

The input unit 930 can be used to receive input numeric or character information and to generate key signal inputs related to user settings and function control of the mobile phone 900. Specifically, the input unit 930 may include a touch panel 931 and other input devices 932. The touch panel 931, also called a touch screen, can collect touch operations by the user on or near it (such as operations performed on or near the touch panel 931 with a finger, a stylus, or any other suitable object or accessory) and drive the corresponding connected device according to a preset program. Optionally, the touch panel 931 may include two parts: a touch detection device and a touch controller. The touch detection device detects the position of the user's touch, detects the signal produced by the touch operation, and passes the signal to the touch controller. The touch controller receives the touch information from the touch detection device, converts it into contact coordinates, sends them to the processor 980, and can receive and execute commands sent by the processor 980. The touch panel 931 may be implemented in various types, such as resistive, capacitive, infrared, and surface acoustic wave. Besides the touch panel 931, the input unit 930 may include other input devices 932. Specifically, the other input devices 932 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys and a power key), a trackball, a mouse, a joystick, and the like.

The display unit 940 can be used to display information entered by the user or provided to the user, as well as the various menus of the mobile phone. The display unit 940 may include a display panel 941, which may optionally be configured as a liquid crystal display (LCD), an organic light-emitting diode (OLED) display, or the like. Further, the touch panel 931 may cover the display panel 941. When the touch panel 931 detects a touch operation on or near it, it passes the operation to the processor 980 to determine the type of the touch event, and the processor 980 then provides the corresponding visual output on the display panel 941 according to that type. Although in FIG. 9 the touch panel 931 and the display panel 941 are shown as two separate components implementing the input and output functions of the mobile phone, in some embodiments the touch panel 931 and the display panel 941 may be integrated to implement the input and output functions.

The mobile phone 900 may also include at least one sensor 950, such as a light sensor, a motion sensor, or other sensors. Specifically, the light sensor may include an ambient light sensor and a proximity sensor. The ambient light sensor can adjust the brightness of the display panel 941 according to the ambient light, and the proximity sensor can turn off the display panel 941 and/or the backlight when the mobile phone is moved to the ear. As one kind of motion sensor, an accelerometer can detect the magnitude of acceleration in each direction (generally three axes) and, when stationary, the magnitude and direction of gravity. It can be used in applications that recognize the phone's orientation (such as switching between landscape and portrait, related games, and magnetometer calibration) and in vibration-recognition functions (such as a pedometer or tap detection). Other sensors that the mobile phone may be equipped with, such as a gyroscope, barometer, hygrometer, thermometer, or infrared sensor, are not described here.

The audio circuit 960, a speaker 961, and a microphone 962 can provide an audio interface between the user and the mobile phone. The audio circuit 960 can convert received audio data into an electrical signal and transmit it to the speaker 961, which converts it into a sound signal for output. In the other direction, the microphone 962 converts the collected sound signal into an electrical signal, which the audio circuit 960 receives and converts into audio data. The audio data is then output to the processor 980 for processing and sent through the RF circuit 910 to, for example, another mobile phone, or output to the memory 920 for further processing.

WiFi is a short-range wireless transmission technology. Through the WiFi module 970, the mobile phone can help the user send and receive e-mail, browse web pages, access streaming media, and so on, providing the user with wireless broadband Internet access. Although FIG. 9 shows the WiFi module 970, it is understood that the module is not an essential part of the mobile phone 900 and may be omitted as needed without changing the essence of the invention.

The processor 980 is the control center of the mobile phone. It connects all parts of the phone through various interfaces and lines, and performs the phone's functions and processes data by running or executing the software programs and/or modules stored in the memory 920 and calling the data stored in the memory 920, thereby monitoring the mobile phone as a whole. Optionally, the processor 980 may include one or more processing units. Preferably, the processor 980 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, the user interface, and applications, and the modem processor mainly handles wireless communication. It is understood that the modem processor need not be integrated into the processor 980.

The mobile phone 900 also includes a power supply 990 (such as a battery) that powers the components. Preferably, the power supply is logically connected to the processor 980 through a power management system, so that charging, discharging, and power consumption are managed through the power management system.

Although not shown, the mobile phone 900 may also include a camera, a Bluetooth module, and the like, which are not described here. Specifically, in this embodiment, the processor 980 in the terminal loads the executable files corresponding to the processes of one or more applications into the memory 920 according to the following instructions, and runs the applications stored in the memory 920 to implement various functions: obtaining the data stream of the document to be inspected; when a macro identifier exists in the data stream, determining whether the document to be inspected is a macro virus document; and if so, converting the macro virus document into a non-toxic document.

Further, before determining whether the document to be inspected is a macro virus document, the method also includes: presetting a macro virus feature set, where the macro virus feature set includes at least one macro virus feature.

Further, determining whether the document to be inspected is a macro virus document includes: determining whether the document to be inspected includes any macro virus feature in the macro virus feature set.

Further, determining whether the document to be inspected includes any macro virus feature in the macro virus feature set includes: when the document to be inspected includes a macro substream, determining whether the macro substream includes any macro virus feature in the macro virus feature set; when the document does not include a macro substream, or the macro substream does not include any macro virus feature in the macro virus feature set, determining whether the document includes a script stream, and if so, determining whether the script stream includes any macro virus feature in the macro virus feature set. Alternatively: when the document to be inspected includes a script stream, determining whether the script stream includes any macro virus feature in the macro virus feature set; when the document does not include a script stream, or the script stream does not include any macro virus feature in the macro virus feature set, determining whether the document includes a macro substream, and if so, determining whether the macro substream includes any macro virus feature in the macro virus feature set.

Further, the method also includes: when no macro identifier exists in the data stream, determining the document to be inspected to be a non-toxic document.

Further, converting the macro virus document into a non-toxic document includes: deleting the macro information in the macro virus document, where the macro information includes the macro substream and/or the script stream, and deleting the macro identifier in the macro virus document; and determining the macro virus document to be a non-toxic document.

In this embodiment, after the data stream of the document to be inspected is obtained, whether to search further for a macro virus is decided by determining whether a macro identifier exists in the data stream. When a macro identifier exists in the data stream, it is determined whether the document to be inspected is a macro virus document, and once it is determined to be one, the macro virus document is converted into a non-toxic document. This embodiment scans for and removes macro viruses only in the macro code part of a computer document, which greatly improves the efficiency of searching for macro viruses. At the same time, the macro virus information is deleted from the infected computer document, so that the information in the original document is preserved intact and information loss is prevented.

Further, when no macro identifier exists in the data stream, the document to be inspected can be determined to be a non-toxic document. Compared with the prior-art approach of searching the full text and confirming that no virus signature code is present, the present invention improves the efficiency of determining that a computer document contains no macro virus.

Further, the present invention first determines whether the document to be inspected includes a macro substream and/or a script stream, and then matches virus signatures against the macro substream and/or the script stream to identify a macro virus document. Compared with the prior art, searching for macro viruses in the macro substream and/or the script stream is more targeted and also improves search efficiency.

Still further, the present invention converts a macro virus document into a non-toxic document by deleting the macro information and the macro identifier from the macro virus document. Compared with the prior-art approach of deleting the macro virus document outright, the present invention effectively prevents loss of the original document's information.

It should be noted that the embodiments in this specification are described progressively: each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be cross-referenced. Because the system or apparatus disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief; for related details, refer to the description of the method.

Because the apparatus embodiment basically corresponds to the method embodiment, refer to the description of the method embodiment for the relevant details. The apparatus embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.

It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" and any other variants thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of additional identical elements in the process, method, article or device that includes the element.

The method and apparatus for macro virus detection and removal provided by the embodiments of the present invention have been described in detail above. Specific examples are used herein to explain the principles and implementations of the present invention, and the description of the above embodiments is intended only to help in understanding the method of the present invention and its core idea. At the same time, those of ordinary skill in the art may, following the idea of the present invention, make changes to the specific implementations and the scope of application. In summary, the content of this specification should not be construed as limiting the present invention.

101~103: method flow steps of Figure 1.

Claims (12)

1. A method for macro virus detection and removal, comprising: acquiring a data stream of a document to be checked; and, when a macro identifier exists in the data stream, determining whether the document to be checked is a macro virus document and, if so, converting the macro virus document into a non-toxic document.

2. The method for macro virus detection and removal according to claim 1, further comprising, before determining whether the document to be checked is the macro virus document: presetting a macro virus feature group, wherein the macro virus feature group includes at least one macro virus feature.

3. The method for macro virus detection and removal according to claim 2, wherein determining whether the document to be checked is the macro virus document comprises: determining whether the document to be checked includes any macro virus feature in the macro virus feature group.

4. The method for macro virus detection and removal according to claim 3, wherein determining whether the document to be checked includes any macro virus feature in the macro virus feature group comprises: when the document to be checked includes a macro substream, determining whether the macro substream includes any macro virus feature in the macro virus feature group; when the document to be checked does not include the macro substream, or the macro substream does not include any macro virus feature in the macro virus feature group, determining whether the document to be checked includes a script stream and, if so, determining whether the script stream includes any macro virus feature in the macro virus feature group; or, when the document to be checked includes a script stream, determining whether the script stream includes any macro virus feature in the macro virus feature group; and when the document to be checked does not include the script stream, or the script stream does not include any macro virus feature in the macro virus feature group, determining whether the document to be checked includes the macro substream and, if so, determining whether the macro substream includes any macro virus feature in the macro virus feature group.

5. The method for macro virus detection and removal according to claim 1, further comprising: when the macro identifier does not exist in the data stream, determining the document to be checked to be the non-toxic document.

6. The method for macro virus detection and removal according to claim 1, wherein converting the macro virus document into the non-toxic document comprises: deleting macro information in the macro virus document, the macro information including a macro substream and/or a script stream, and deleting the macro identifier in the macro virus document; and determining the macro virus document to be the non-toxic document.

7. An apparatus for macro virus detection and removal, comprising: a first acquiring module, configured to acquire a data stream of a document to be checked; a first determining module, configured to determine, when a macro identifier exists in the data stream, whether the document to be checked is a macro virus document; and a conversion module, configured to convert the macro virus document into a non-toxic document when a result of the first determining module is yes.

8. The apparatus for macro virus detection and removal according to claim 7, further comprising: a preset module, configured to preset a macro virus feature group, the macro virus feature group including at least one macro virus feature.

9. The apparatus for macro virus detection and removal according to claim 8, wherein the first determining module is specifically configured to: when the macro identifier exists in the data stream, determine whether the document to be checked includes any macro virus feature in the macro virus feature group.

10. The apparatus for macro virus detection and removal according to claim 9, wherein the first determining module comprises: a first determining submodule, configured to determine, when the document to be checked includes a macro substream, whether the macro substream includes any macro virus feature in the macro virus feature group; a second determining submodule, configured to determine whether the document to be checked includes a script stream when the document to be checked does not include the macro substream or the macro substream does not include any macro virus feature in the macro virus feature group; a third determining submodule, configured to determine, when a result of the second determining submodule is yes, whether the script stream includes any macro virus feature in the macro virus feature group; or, a fourth determining submodule, configured to determine, when the document to be checked includes the script stream, whether the script stream includes any macro virus feature in the macro virus feature group; a fifth determining submodule, configured to determine whether the document to be checked includes the macro substream when the document to be checked does not include the script stream or the script stream does not include any macro virus feature in the macro virus feature group; and a sixth determining submodule, configured to determine, when a result of the fifth determining submodule is yes, whether the macro substream includes any macro virus feature in the macro virus feature group.

11. The apparatus for macro virus detection and removal according to claim 7, further comprising: a determining module, configured to determine the document to be checked to be the non-toxic document when the macro identifier does not exist in the data stream.

12. The apparatus for macro virus detection and removal according to claim 7, wherein the conversion module comprises: a first deletion submodule, configured to delete macro information in the macro virus document, the macro information including a macro substream and/or a script stream; a second deletion submodule, configured to delete the macro identifier in the macro virus document; and a determining submodule, configured to determine the macro virus document to be the non-toxic document.
TW102146233A 2013-05-13 2013-12-13 Apparatus and method for searching and deleting macro virus TW201443683A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310175309.XA CN103246847B (en) 2013-05-13 2013-05-13 A kind of method and apparatus of macrovirus killing

Publications (1)

Publication Number Publication Date
TW201443683A true TW201443683A (en) 2014-11-16

Family

ID=48926361

Family Applications (1)

Application Number Title Priority Date Filing Date
TW102146233A TW201443683A (en) 2013-05-13 2013-12-13 Apparatus and method for searching and deleting macro virus

Country Status (3)

Country Link
CN (1) CN103246847B (en)
TW (1) TW201443683A (en)
WO (1) WO2014183434A1 (en)

Also Published As

Publication number Publication date
CN103246847B (en) 2016-03-23
WO2014183434A1 (en) 2014-11-20
CN103246847A (en) 2013-08-14
