TWI510957B - Method for protecting document files in real time and apparatus thereof - Google Patents


Publication number
TWI510957B
Authority
TW
Taiwan
Prior art keywords
file
protection
monitoring
mode
computer system
Prior art date
Application number
TW102148552A
Other languages
Chinese (zh)
Other versions
TW201437837A (en
Inventor
Zi Xiao Nie
Original Assignee
Tencent Tech Shenzhen Co Ltd
Priority date
Filing date
Publication date
Application filed by Tencent Tech Shenzhen Co Ltd
Publication of TW201437837A
Application granted
Publication of TWI510957B


Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements

Description

Method for protecting document files in real time and apparatus thereof

The present invention relates to the field of computer technology, and in particular to a method and apparatus for real-time protection of document files (real-time file protection).

With computer technology developing rapidly, computers have become part of every corner of daily life, and people's quality of life has improved greatly as computers have become widespread. Every benefit has its cost: while computers have made life more convenient, they have also created opportunities for the underground economy (the "black industry chain"). Trojans and viruses have spread quickly on the back of this underground economy and found their way onto the computers people use. The result is a large amount of user property loss, along with risks such as the theft of private information. The black industry chain refers to the chain of business formed when network hackers use viruses or Trojan programs to break into users' computers and obtain economic gain by stealing QQ and game accounts, by extortion, and by similar means.

To keep Trojans and viruses from harming users, security software has also advanced considerably in the face of this risk. To protect computer users more completely, security software evolved from scanning only when the user manually started a scan to scanning once every so often as a scheduled task. That was still not timely enough, which led to today's real-time file protection: whenever a file operation occurs, a Trojan or virus intrusion can be detected immediately. The speed at which security software discovers risk has therefore improved greatly.

Real-time file protection is indeed an effective tool for stopping Trojan and virus intrusion, but it cuts both ways. Users need not only security but also a smooth experience and a responsive computer environment; if the computer does not run smoothly, security loses much of its value. At present, real-time file protection still has a considerable effect on system responsiveness: system resources are limited, while file operation events are numerous and uncontrollable, so the protection easily degrades the user experience and makes the system feel slow to respond. This effect on responsiveness is the largest drawback for user experience that has come with the advance of security software.

How to keep the computer secure while reducing the impact of security software on system responsiveness and user experience has therefore become the key to the quality of a real-time file protection feature, and one of the key points on which security products are compared with one another.

Embodiments of the present invention provide a method and apparatus for real-time file protection. They offer a protection scheme that keeps the computer secure while reducing the impact of security software (for example, antivirus software) on system responsiveness and user experience.

One embodiment of the invention provides a method for real-time file protection, comprising the following steps: during real-time file protection, determining the current environment security level of the computer system; and selecting the monitoring mode that corresponds to the current environment security level to perform real-time file protection on the computer system. The higher the current environment security level, the lower the protection level of the monitoring mode; the lower the current environment security level, the higher the protection level of the monitoring mode.

Another embodiment of the invention provides an apparatus for real-time file protection, comprising a security level determination unit, a mode selection unit and a protection processing unit.

The security level determination unit determines the current environment security level of the computer system while the protection processing unit is performing real-time file protection. The mode selection unit selects the monitoring mode that corresponds to the current environment security level: the higher the current environment security level, the lower the protection level of the monitoring mode; the lower the current environment security level, the higher the protection level of the monitoring mode. The protection processing unit performs real-time file protection on the computer system using the monitoring mode selected by the mode selection unit.

As the above technical solutions show, embodiments of the invention have the following advantage: the computer system environment is divided into different environment security levels and multiple monitoring modes are matched to those levels, which keeps the computer secure while reducing the impact of security software on system responsiveness and user experience.

101, 102: steps
201~207: steps
301~304: steps
401~406: steps
501~503: steps
610: RF circuit
620: memory
630: input unit
631: touch panel
632: other input devices
640: display unit
641: display panel
650: sensor
660: audio circuit
661: speaker
662: microphone
670: wireless fidelity (WiFi) module
680: processor
690: power supply

To describe the technical solutions of the embodiments more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the invention; a person of ordinary skill in the art to which the invention pertains can derive other drawings from them.

FIG. 1 is a schematic flowchart of a method according to one embodiment of the invention; FIG. 2 is a schematic flowchart of a method according to another embodiment; FIG. 3 is a schematic flowchart of a method according to a further embodiment; FIG. 4 is a schematic flowchart of a method according to yet another embodiment; FIG. 5 is a schematic structural diagram of an apparatus according to an embodiment of the invention; FIG. 6 is a schematic structural diagram of another apparatus according to an embodiment of the invention.

To make the objects, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them.

Broadly, there are two main types of real-time file protection scheme: one puts the security of the user's machine first, and the other puts the performance of the user's machine first.

The security-first scheme generally monitors specified file operation events, scans each monitored event for malware, and intercepts operations such as file execution synchronously in every case, so that no possible risk is let through. Security is high, but considerable system resources are consumed.

The performance-first scheme generally monitors specified file operation events but scans files only in some cases. Operations such as file execution are scanned asynchronously, which reduces the use of system resources. For operations such as file writes, it monitors only certain special high-risk directories and the like. The scan volume is small, but security is lower.

Of these two types of scheme, the security-first scheme monitors a large number of system events and incurs heavy scanning overhead, so the system runs slowly and the user experience suffers. The performance-first scheme monitors only file operations that match specific rules; the scan volume is small and the effect on system performance is slight, but because only files matching those rules are scanned, operations outside the rules go undetected. Some Trojan and virus intrusions slip through this monitoring gap, which is a security risk.

In short, the drawback of the prior art is that it struggles to balance performance and security: it cannot deliver both a smooth, well-performing experience and solid security without lowering the user's protection and introducing risk.

An embodiment of the invention provides a method for real-time file protection which, as shown in FIG. 1, comprises the following steps:

101: During real-time file protection, determine the current environment security level of the computer system. Judging from today's computer environments and full-year statistics, the likelihood of malware risk appearing on a computer is roughly at the level of a few percent. In other words, the great majority of users' computer environments are safe and risk-free, and for most of the time users face no security risk at all. A user's machine therefore does not actually need a full scan at every moment to stay secure; it is enough to intercept risk comprehensively at the critical moment when risk is triggered. In most cases a lightweight scan is then sufficient and no security risk arises. Determining the current environment security level in this step can therefore mean determining whether the computer system is currently in a safe state.

102: Select the monitoring mode that corresponds to the current environment security level and use it to perform real-time file protection on the computer system. The higher the current environment security level, the lower the protection level of the monitoring mode; the lower the current environment security level, the higher the protection level of the monitoring mode.

A monitoring mode with a low protection level can be called a sentinel strategy: monitoring sentinels are posted according to the risk level assigned to the computer environment. When the system environment is clean and risk-free, only a few sentinels need to be posted to spot risk promptly. When malicious risk is present in the system environment, the sentinels are deployed in full, in numbers sufficient to guarantee security, so that the risk is stopped at the first opportunity. There may be, for example, two monitoring modes or more than two, each with its own protection level. How a high protection level and a low protection level are configured can be decided by developers. Later embodiments give examples, but many configurations are possible and they are not limited to those examples.

The above scheme divides the computer system environment into different environment security levels and matches multiple monitoring modes to those levels, which keeps the computer secure while reducing the impact of security software on system responsiveness and user experience.

Further, embodiments of the invention also provide a scheme for switching monitoring modes intelligently. The method further comprises: during real-time file protection, if risk data is detected, selecting a monitoring mode with a higher protection level than the current monitoring mode, and then performing real-time file protection on the computer system.

In one embodiment, the monitoring modes comprise at least two monitoring modes. The higher a monitoring mode's protection level, the more system resources it uses; the lower its protection level, the fewer system resources it uses. The monitoring modes can be subdivided further into more modes with correspondingly more protection levels; the two monitoring modes above are a preferred embodiment and should not be read as limiting the embodiments of the invention.

Further, embodiments of the invention provide another scheme for switching monitoring modes intelligently. The method further comprises: during real-time file protection, if no risk data is detected within a predetermined time, selecting a monitoring mode with a lower protection level than the current monitoring mode, and then performing real-time file protection on the computer system.

In one embodiment, an example is given of the protection strategy used at a given protection level. Specifically, the monitoring mode with a low protection level comprises: filtering by rule so that only a configured subset of events is handled, monitoring file execution events asynchronously, filtering and intercepting file write events according to configured rules, and scanning files for the configured events that need to be intercepted.

Optionally, an example is also given of the protection strategy used at a given protection level. Specifically, the monitoring mode with a high protection level comprises: filtering by rule so that only a configured subset of events is handled, monitoring file execution events synchronously, intercepting all file write events, and scanning files for the intercepted events.

Embodiments of the invention propose a new approach: divide the computer system environment into scenarios of different risk levels and apply a different monitoring and interception strategy to each scenario. The following embodiments use the two types of real-time file protection scheme described above as an example and are explained in detail as follows. Judging from today's computer environments and full-year statistics, the likelihood of malware risk appearing on a computer is roughly at the level of a few percent. In other words, the great majority of users' computer environments are safe and risk-free, and for most of the time users face no security risk at all. A user's machine therefore does not actually need a full scan at every moment to stay secure; it is enough to intercept risk comprehensively at the critical moment when risk is triggered. In most cases a lightweight scan is then sufficient and no security risk arises. Determining the current environment security level in this step can therefore mean determining whether the computer system is currently in a safe state.

The overall implementation of the embodiments resembles a sentinel strategy: monitoring sentinels are posted according to the risk level assigned to the computer environment. When the system environment is clean and risk-free, only a few sentinels need to be posted to spot risk promptly. When malicious risk is present in the system environment, the sentinels are deployed in full, in numbers sufficient to guarantee security, so that the risk is stopped at the first opportunity.

The specific implementation approach is as follows. Real-time file protection has several monitoring modes: a low-resource mode that favours performance and a high-security mode that favours security. The low-resource mode monitors only specific events and files that match specific rules, so it scans only a small number of files. It acts as a border sentinel, mainly guarding the point where a Trojan or virus intrusion first occurs. The high-security mode monitors the files involved in all file operation events, so that risk is stopped and the system is kept secure. Switching between the two modes is dynamic and intelligent, and the switching condition is the environment scenario of the computer system. When the system is running in low-resource mode and the border sentinel detects a Trojan or virus intrusion, real-time file protection is immediately and dynamically switched to high-security mode to resist the risk and protect the machine fully. When the system is running in high-security mode and no Trojan or virus has been detected for a period of time, meaning the system environment is safe and risk-free again, protection is dynamically switched back to low-resource monitoring. This restores the low-resource interception used in a clean environment, which has very little effect on the user and lets the user's machine run smoothly.

Overall, the implementation is auto-adaptive: the computer system environment is divided into different scenarios and the monitoring modes are matched automatically to the most suitable scenario, striking a balance in which the effect on the user is small, the experience is smooth and security is still assured.

The file protection flow is described in detail below. It has three parts: 1. file protection in low-resource mode; 2. file protection in high-security mode; 3. intelligent dynamic switching of the protection mode.

1. File protection in low-resource mode. The interception steps, shown in FIG. 2, are:

201: A file operation event is triggered, that is, a file operation event occurs on the computer system.

202: Determine whether it is a specific event; if so, go to 203, otherwise go to 206. The specific events in this step can be write and execute events. The purpose of this step is to filter out part of the events by rule so that only write and execute events are monitored, that is, to filter the file operation events arising in 201 according to predetermined rules.

203: Apply the low-resource-mode rule filter so that only specific files are scanned. Specifically: file execution events are handled asynchronously and are not intercepted synchronously; file write events are filtered by specific rules so that only files in high-risk situations are intercepted.

204: Determine whether a scan is needed; if so, go to 205, otherwise go to 207. The files that 203 marks for interception are generally the files that need to be scanned.

205: Start the scan and determine whether the file is a malicious program.

206: Release the meaningless events that are not of interest.

207: Release the events filtered out by the low-resource-mode rules.

2. File protection in high-security mode. The interception steps, shown in FIG. 3, are:

301: A file operation event is triggered, that is, a file operation event occurs on the computer system.

302: Determine whether it is a specific event; if so, go to 303, otherwise go to 304. The specific events in this step can be write and execute events. The purpose of this step is to filter out part of the events by rule so that only write and execute events are monitored, that is, to filter the file operation events arising in 301 according to predetermined rules.

303: File execution events are intercepted synchronously; file write events are not filtered and are all intercepted; scanning starts for the intercepted files.

304: Release the meaningless events that are not of interest.

3. Intelligent dynamic switching of the file protection mode, shown in FIG. 4:

401: Run in the low-resource mode state.

402: Determine whether monitoring has detected a Trojan or virus; if so, go to 403, otherwise go to 401.

403: Immediately and dynamically switch the interception mode to high-security mode.

404: Run in the high-security mode state.

405: Monitor for a period of time and determine whether a Trojan or virus is detected; if so, go to 404, otherwise go to 406.

406: Switch to low-resource mode and go to 401.
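The three flows above (steps 201 to 207, 301 to 304 and 401 to 406) can be put together as one small state machine. The following Python sketch is an added example, not code from the patent: the path-prefix rule used for the low-resource write filter, the 300-second quiet period, the stand-in scan function and the event trace are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional, Tuple


class Mode(Enum):
    LOW_RESOURCE = "low-resource"
    HIGH_SECURITY = "high-security"


@dataclass(frozen=True)
class FileEvent:
    ts: float   # seconds; supplied by the caller so a replay is deterministic
    kind: str   # "read", "write", "execute", ...
    path: str


@dataclass(frozen=True)
class Outcome:
    mode: Mode       # mode the event was handled in
    scanned: bool
    blocking: bool   # True: the operation is held until the scan verdict is known
    malicious: bool


MONITORED_KINDS = {"write", "execute"}                  # steps 202 / 302
# Assumption: the low-resource "specific rules" are modelled as path prefixes.
HIGH_RISK_PREFIXES = ("/tmp/", "/home/user/Downloads/")


class AdaptiveMonitor:
    def __init__(self, scan: Callable[[str], bool], quiet_period: float = 300.0):
        self.scan = scan                    # returns True when a file is malicious
        self.quiet_period = quiet_period    # the "period of time" in step 405
        self.mode = Mode.LOW_RESOURCE       # step 401
        self.last_detection: Optional[float] = None
        self.scans = 0

    def handle(self, ev: FileEvent) -> Outcome:
        # Steps 405/406: nothing detected for quiet_period, so drop back down.
        if (self.mode is Mode.HIGH_SECURITY and self.last_detection is not None
                and ev.ts - self.last_detection >= self.quiet_period):
            self.mode = Mode.LOW_RESOURCE
        mode = self.mode
        if ev.kind not in MONITORED_KINDS:
            return Outcome(mode, False, False, False)       # steps 206 / 304
        if mode is Mode.LOW_RESOURCE:
            if ev.kind == "write" and not ev.path.startswith(HIGH_RISK_PREFIXES):
                return Outcome(mode, False, False, False)   # step 207
            blocking = ev.kind == "write"   # step 203: executes are scanned async
        else:
            blocking = True                 # step 303: everything waits for the scan
        self.scans += 1
        malicious = self.scan(ev.path)      # steps 205 / 303
        if malicious:
            self.last_detection = ev.ts
            self.mode = Mode.HIGH_SECURITY  # steps 402/403 (stays at 404 if already high)
        return Outcome(mode, True, blocking, malicious)


# Constructed sample data: a stand-in for the scan engine and a short event trace.
KNOWN_BAD = {"/tmp/flagged-sample.bin"}
SAMPLE_EVENTS = [
    FileEvent(0, "read", "/etc/hosts"),
    FileEvent(1, "write", "/home/user/docs/report.txt"),
    FileEvent(2, "execute", "/usr/bin/ls"),
    FileEvent(3, "write", "/tmp/flagged-sample.bin"),
    FileEvent(4, "write", "/home/user/docs/report.txt"),
    FileEvent(5, "execute", "/usr/bin/ls"),
    FileEvent(400, "write", "/home/user/docs/notes.txt"),
]


def replay(events: List[FileEvent],
           quiet_period: float = 300.0) -> Tuple[List[Outcome], AdaptiveMonitor]:
    monitor = AdaptiveMonitor(lambda path: path in KNOWN_BAD, quiet_period)
    return [monitor.handle(ev) for ev in events], monitor


if __name__ == "__main__":
    outcomes, _ = replay(SAMPLE_EVENTS)
    for ev, out in zip(SAMPLE_EVENTS, outcomes):
        print(f"t={ev.ts:>5} {ev.kind:<8}{ev.path:<30} {out.mode.value:<14}"
              f" scanned={out.scanned} blocking={out.blocking} malicious={out.malicious}")
```

The same write to the user's documents directory is released unscanned at t=1 but held and scanned at t=4, which is the coverage gap the low-resource mode accepts until its sentinel fires.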

An embodiment of the invention also provides an apparatus for real-time file protection which, as shown in FIG. 5, comprises: a security level determination unit 501, which determines the current environment security level of the computer system while the protection processing unit 503 is performing real-time file protection; a mode selection unit 502, which selects the monitoring mode that corresponds to the current environment security level, where the higher the current environment security level, the lower the protection level of the monitoring mode, and the lower the current environment security level, the higher the protection level of the monitoring mode; and a protection processing unit 503, which performs real-time file protection on the computer system using the monitoring mode selected by the mode selection unit 502.

The above scheme divides the computer system environment into different environment security levels and matches multiple monitoring modes to those levels, which keeps the computer secure while reducing the impact of security software on system responsiveness and user experience.

Further, embodiments of the invention also provide a scheme for switching monitoring modes intelligently. The mode selection unit 502 is further configured to select a monitoring mode with a higher protection level than the current monitoring mode if risk data is detected while the protection processing unit 503 is performing real-time file protection.

Optionally, the monitoring modes that the mode selection unit 502 can select comprise at least two monitoring modes. The higher a monitoring mode's protection level, the more system resources it uses; the lower its protection level, the fewer system resources it uses. The monitoring modes can be subdivided further into more modes with correspondingly more protection levels; the two monitoring modes above are a preferred scheme and should not be read as limiting the embodiments of the invention.

Further, embodiments of the invention provide another scheme for switching monitoring modes intelligently. The mode selection unit 502 is further configured to select a monitoring mode with a lower protection level than the current monitoring mode if no risk data is detected within a predetermined time while the protection processing unit 503 is performing real-time file protection, after which real-time file protection is performed on the computer system.

An example is also given of the protection strategy used at a given protection level. Specifically, if the mode selection unit 502 selects the monitoring mode with a low protection level, the protection processing unit 503 performs real-time file protection on the computer system by filtering by rule so that only a configured subset of events is handled, monitoring file execution events asynchronously, filtering and intercepting file write events according to configured rules, and scanning files for the configured events that need to be intercepted.

An example is also given of the protection strategy used at a given protection level. Specifically, if the mode selection unit 502 selects the monitoring mode with a high protection level, the protection processing unit 503 performs real-time file protection on the computer system by filtering by rule so that only a configured subset of events is handled, monitoring file execution events synchronously, intercepting all file write events, and scanning files for the intercepted events.

An embodiment of the invention also provides another image display control apparatus, shown in FIG. 6. For ease of description, only the parts related to the embodiments are shown; for technical details not disclosed here, refer to the method part of the embodiments. The terminal can be any terminal device, including a mobile phone, a tablet computer, a personal digital assistant (PDA), a point of sales (POS) terminal, an in-vehicle computer and so on. Taking a mobile phone as the example terminal, FIG. 6 is a block diagram of part of the structure of a mobile phone related to the terminal provided by the embodiments. Referring to FIG. 6, the mobile phone comprises: a radio frequency (RF) circuit 610, a memory 620, an input unit 630, a display unit 640, a sensor 650, an audio circuit 660, a wireless fidelity (WiFi) module 670, a processor 680, a power supply 690 and other components. A person of ordinary skill in the art will understand that the phone structure shown in FIG. 6 does not limit the phone, which may include more or fewer components than shown, combine certain components, or arrange the components differently.

The components of the mobile phone are described in detail below with reference to FIG. 6. The RF circuit 610 may be used to receive and send signals while information is being sent or received or during a call. In particular, after receiving downlink information from a base station, it passes the information to the processor 680 for processing; it also sends uplink-related data to the base station. An RF circuit typically includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier (LNA), a duplexer, and the like. In addition, the RF circuit 60 may communicate with networks and other devices by wireless communication. The wireless communication may use any communication standard or protocol, including but not limited to Global System of Mobile communication (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail, and Short Messaging Service (SMS).

The memory 620 may be used to store software programs and modules. The processor 680 runs the software programs and modules stored in the memory 620 to execute the various functional applications and data processing of the mobile phone. The memory 620 may mainly include a program storage area and a data storage area. The program storage area may store the operating system and the applications required by at least one function (such as a sound playback function or an image playback function); the data storage area may store data created through use of the mobile phone (such as audio data or a phone book). In addition, the memory 620 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, a flash memory device, or other volatile solid-state memory device.

The input unit 630 may be used to receive input numeric or character information and to generate key signal inputs related to user settings and function control of the mobile phone 600. Specifically, the input unit 630 may include a touch panel 631 and other input devices 632. The touch panel 631, also called a touch screen, can collect touch operations by the user on or near it (for example, operations performed on or near the touch panel 631 with a finger, a stylus, or any other suitable object or accessory) and drive the corresponding connection device according to a preset program. In one embodiment, the touch panel 631 includes two parts: a touch detection device and a touch controller. The touch detection device detects the position of the user's touch, detects the signal produced by the touch operation, and passes the signal to the touch controller. The touch controller receives the touch information from the touch detection device, converts it into contact coordinates, sends them to the processor 680, and can receive and execute commands sent by the processor 680. The touch panel 631 may be implemented in several types, such as resistive, capacitive, infrared, and surface acoustic wave. Besides the touch panel 631, the input unit 630 may also include other input devices 632. Specifically, the other input devices 632 may include, but are not limited to, one or more of a physical keyboard (that is, a hardware or mechanical keyboard), function keys (such as volume control keys and a power key), a trackball, a mouse, and a joystick.

The display unit 640 may be used to display information entered by the user or provided to the user, as well as the various menus of the mobile phone. The display unit 640 may include a display panel 641, which may optionally be configured as a liquid crystal display (LCD), an organic light-emitting diode (OLED) display, or the like. Further, the touch panel 631 may cover the display panel 641. When the touch panel 631 detects a touch operation on or near it, it passes the operation to the processor 680 to determine the type of touch event, and the processor 680 then provides the corresponding visual output on the display panel 641 according to that type. Although in FIG. 6 the touch panel 631 and the display panel 641 are two independent components that implement the input and input functions of the mobile phone, in some embodiments the touch panel 631 and the display panel 641 may be integrated to implement the input and output functions of the mobile phone.

The mobile phone 600 may also include at least one sensor 650, such as a light sensor, a motion sensor, and other sensors. Specifically, the light sensor may include an ambient light sensor and a proximity sensor. The ambient light sensor can adjust the brightness of the display panel 641 according to the ambient light, and the proximity sensor can turn off the display panel 641 and/or the backlight when the phone is moved to the ear. As one kind of motion sensor, an accelerometer can detect the magnitude of acceleration in each direction (generally three axes) and, when stationary, the magnitude and direction of gravity. It can be used in applications that recognize the phone's orientation (such as switching between landscape and portrait, related games, and magnetometer attitude calibration) and in vibration-recognition functions (such as a pedometer or tap detection). Other sensors the phone may also be equipped with, such as a gyroscope, barometer, hygrometer, thermometer, and infrared sensor, are not described further here.

The audio circuit 660, a speaker 661, and a microphone 662 provide the audio interface between the user and the mobile phone. The audio circuit 660 can convert received audio data into an electrical signal and transmit it to the speaker 661, which converts it into a sound signal for output. In the other direction, the microphone 662 converts the collected sound signal into an electrical signal, which the audio circuit 660 receives and converts into audio data. The audio data is then output to the processor 680 for processing and sent through the RF circuit 610 to, for example, another mobile phone, or output to the memory 620 for further processing.

WiFi is a short-range wireless transmission technology. Through the WiFi module 670, the mobile phone can help the user send and receive e-mail, browse web pages, and access streaming media, providing the user with wireless broadband Internet access. Although FIG. 6 shows the WiFi module 670, it is not an essential part of the mobile phone 600 and may be omitted as needed without changing the essence of the invention.

The processor 680 is the control center of the mobile phone. It connects all parts of the phone through various interfaces and lines, and performs the phone's functions and processes data by running or executing the software programs and/or modules stored in the memory 620 and calling the data stored in the memory 620, thereby monitoring the phone as a whole. In one embodiment, the processor 680 includes one or more processing units. In a preferred embodiment, the processor 680 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface, and applications, and the modem processor mainly handles wireless communication. The modem processor may also not be integrated into the processor 680.

The mobile phone 600 also includes a power supply 690 (such as a battery) that powers the components. In a preferred embodiment, the power supply may be logically connected to the processor 680 through a power management system, so that charging, discharging, and power consumption are managed through the power management system.

Although not shown, the mobile phone 600 may also include a camera, a Bluetooth module, and the like, which are not described further here.

In this embodiment, the processor 680 included in the terminal also has the following functions: during real-time protection of document files, it determines the current environment security level of the computer system, and it selects the monitoring mode corresponding to that security level to perform real-time document file protection on the computer system. The higher the current environment security level, the lower the protection level of the monitoring mode; the lower the current environment security level, the higher the protection level of the monitoring mode.

Judging from the current computer environment and full-year statistics, the probability of a malicious-program risk appearing on a computer is roughly on the order of a few percent. In other words, the vast majority of users' computer environments are safe and risk-free, and most of the time users face no security risk at all. A user's machine therefore does not need a full scan at every moment to stay safe; it is enough to intercept risk comprehensively at the key moments when risk is triggered. In most cases a lightweight scan solves the problem without creating a security risk. Determining the current environment security level of the computer system in this step can therefore consist of determining whether the computer system is currently in a safe state.

When the protection level of the monitoring mode is low, the approach can be called a sentinel strategy: monitoring sentinels are deployed according to the risk level assigned to the computer environment. When the computer system environment is clean and risk-free, only a few monitoring sentinels need to be posted, enough to discover risk in time. When a malicious risk exists in the computer system environment, the sentinels are fully deployed in numbers sufficient to guarantee safety, so that the risk is stopped at the first opportunity. There may be two monitoring modes or more than two, and each monitoring mode has a corresponding protection level. How the high and low protection levels are configured can be decided by the developers. Later embodiments give examples, but many configurations are possible and the invention is not limited to those examples.

The above scheme divides the computer system environment into different environment security levels and matches multiple monitoring modes to them. This keeps the computer safe to use while reducing the impact of the security software on the smoothness of the computer system and on the user experience.

Further, the embodiments of the present invention provide a scheme for switching monitoring modes intelligently. The processor 680 is also configured so that, during real-time document file protection, if risk data is detected, it selects a monitoring mode with a higher protection level than the current monitoring mode and then performs real-time document file protection on the computer system.

In one embodiment, the monitoring modes include at least two monitoring modes. The higher the protection level of a monitoring mode, the more computer system resources it occupies; the lower the protection level, the fewer computer system resources it occupies.

The monitoring modes can be subdivided further into more modes corresponding to more protection levels. The two monitoring modes above are a preferred scheme and should not be taken as limiting the invention.

Further, the embodiments of the present invention provide another scheme for switching monitoring modes intelligently. The processor 680 is also configured so that, during real-time document file protection, if no risk data is detected within a predetermined time, it selects a monitoring mode with a lower protection level than the current monitoring mode and then performs real-time document file protection on the computer system.

In one embodiment, the monitoring mode with the low protection level includes: rule-based filtering of a configured subset of events, asynchronous monitoring of file execution events, interception of file write events filtered according to configured rules, and file scanning of the configured events that need to be intercepted.

In one embodiment, the monitoring mode with the high protection level includes: rule-based filtering of a configured subset of events, synchronous monitoring of file execution events, full interception of file write events, and file scanning of the intercepted events.
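The two monitoring modes and the switching between them described above (asynchronous execution monitoring and rule-filtered write interception at the low level, synchronous monitoring and full write interception at the high level, a step up when risk data is detected, a step down after a quiet period) can be sketched as follows. This is an added illustration, not code from the patent; the class and function names, the trusted-prefix and extension rules, the 600-second quiet period, the set-lookup scanner and the event trace are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum


class Mode(IntEnum):
    LOW = 0   # few "sentinels": cheap, used while the environment looks clean
    HIGH = 1  # sentinels fully deployed: costly, used while risk is present


@dataclass(frozen=True)
class Policy:
    sync_exec: bool             # True: hold execution until the scan returns
    intercept_all_writes: bool  # False: intercept only writes matching rules


POLICIES = {
    Mode.LOW: Policy(sync_exec=False, intercept_all_writes=False),
    Mode.HIGH: Policy(sync_exec=True, intercept_all_writes=True),
}


class RealTimeProtector:
    def __init__(self, scan, environment_is_safe, quiet_period=600.0,
                 ignored_prefixes=("/opt/trusted/",),
                 write_rules=(".exe", ".dll", ".js")):
        self.scan = scan                          # callable: path -> True if risky
        self.quiet_period = quiet_period          # the "predetermined time", seconds
        self.ignored_prefixes = ignored_prefixes  # events dropped by rule filtering
        self.write_rules = write_rules            # LOW mode: writes worth intercepting
        # Safer environment -> lower protection level, and vice versa.
        self.mode = Mode.LOW if environment_is_safe else Mode.HIGH
        self.last_risk_at = None
        self.history = []                         # (time, from, to, reason)

    def _switch(self, new_mode, now, reason):
        if new_mode != self.mode:
            self.history.append((now, self.mode.name, new_mode.name, reason))
            self.mode = new_mode

    def handle(self, kind, path, now):
        """Process one 'exec' or 'write' event and return the decision."""
        if self.last_risk_at is None:
            self.last_risk_at = now  # start the quiet-period clock
        # Step down one level when no risk data was seen for the whole period.
        if self.mode > Mode.LOW and now - self.last_risk_at >= self.quiet_period:
            self._switch(Mode(self.mode - 1), now, "quiet period elapsed")
            self.last_risk_at = now
        policy = POLICIES[self.mode]
        if path.startswith(self.ignored_prefixes):
            return "filtered"
        if (kind == "write" and not policy.intercept_all_writes
                and not path.lower().endswith(self.write_rules)):
            return "passed-unscanned"
        if not self.scan(path):
            return "allowed"
        # Risk data found: restart the clock and step up one level.
        self.last_risk_at = now
        blocking = kind == "write" or policy.sync_exec
        self._switch(Mode(min(self.mode + 1, Mode.HIGH)), now, f"risk in {kind}")
        # Asynchronous exec monitoring cannot stop a process that already started.
        return "blocked" if blocking else "detected-after-start"


# Constructed sample data: a stand-in scanner verdict list and an event trace.
KNOWN_BAD = {"/home/u/payload.dat", "/home/u/Downloads/tool.bin"}
EVENTS = [
    (0, "write", "/home/u/payload.dat"),
    (5, "write", "/home/u/Downloads/setup.exe"),
    (10, "exec", "/home/u/Downloads/tool.bin"),
    (20, "write", "/home/u/payload.dat"),
    (30, "exec", "/home/u/Downloads/tool.bin"),
    (40, "exec", "/opt/trusted/agent"),
    (700, "write", "/home/u/notes.txt"),
]


def demo():
    """Replay EVENTS from a clean starting environment."""
    p = RealTimeProtector(scan=lambda path: path in KNOWN_BAD,
                          environment_is_safe=True)
    trace = []
    for now, kind, path in EVENTS:
        decision = p.handle(kind, path, now)
        trace.append((now, kind, path, decision, p.mode.name))
    return trace, p.history


if __name__ == "__main__":
    trace, history = demo()
    for row in trace:
        print(row)
    print(history)
```

The first and fourth events show the trade-off the low-level mode accepts: the same write passes unscanned in LOW mode and is blocked in HIGH mode.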

Note that in the device embodiments above, the units are divided only according to functional logic. The division is not limited to the one described, as long as the corresponding functions can be implemented. The specific names of the functional units serve only to distinguish them from one another and do not limit the scope of protection of the invention.

In addition, a person having ordinary skill in the art will understand that all or part of the steps in the method embodiments above can be completed by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium, which may be a read-only memory, a magnetic disk, an optical disc, or the like.

Although the invention has been disclosed above by way of preferred embodiments, they are not intended to limit it. A person having ordinary skill in the art may make various changes and refinements without departing from the spirit and scope of the invention, so the scope of protection of the invention is defined by the appended claims.

101~102: Steps

Claims (10)

1. A method for real-time protection of document files, comprising the following steps: during real-time protection of document files, determining a current environment security level of a computer system; selecting a monitoring mode corresponding to the current environment security level to perform the real-time protection of the document files on the computer system, wherein the higher the current environment security level, the lower the protection level of the monitoring mode, and the lower the current environment security level, the higher the protection level of the monitoring mode; and during the real-time protection of the document files, if no risk data is detected within a predetermined time, selecting a mode with a lower protection level than the current monitoring mode as the monitoring mode, and then performing the real-time protection of the document files on the computer system.

2. The method of claim 1, further comprising: during the real-time protection of the document files, if risk data is detected, selecting a mode with a higher protection level than the current monitoring mode as the monitoring mode, and then performing the real-time protection of the document files on the computer system.

3. The method of claim 1, wherein the monitoring mode comprises at least two monitoring modes; the higher the protection level of one of the at least two monitoring modes, the more computer system resources it occupies, and the lower the protection level of another of the at least two monitoring modes, the fewer computer system resources it occupies.

4. The method of any one of claims 1 to 3, wherein the monitoring mode with the low protection level is selected from the group consisting of rule-based filtering of a configured subset of events, asynchronous monitoring of file execution events, interception of file write events filtered according to configured rules, and file scanning of the configured events that need to be intercepted.

5. The method of any one of claims 1 to 3, wherein the monitoring mode with the high protection level is selected from the group consisting of rule-based filtering of a configured subset of events, synchronous monitoring of file execution events, full interception of file write events, and file scanning of the intercepted events.

6. A device for real-time protection of document files, comprising: a security level determining unit, configured to determine a current environment security level of a computer system while a protection processing unit performs real-time protection of document files; a mode selection unit, configured to select a monitoring mode corresponding to the current environment security level, wherein the higher the current environment security level, the lower the protection level of the monitoring mode, and the lower the current environment security level, the higher the protection level of the monitoring mode, and wherein the mode selection unit is further configured, while the protection processing unit performs real-time protection of document files, to select a monitoring mode with a lower protection level than the current monitoring mode if no risk data is detected within a predetermined time, and then to perform real-time protection of document files on the computer system; and the protection processing unit, configured to use the monitoring mode selected by the mode selection unit to perform the real-time protection of the document files on the computer system.

7. The device for real-time protection of document files of claim 6, wherein the mode selection unit is further configured, while the protection processing unit performs real-time protection of document files, to select a monitoring mode with a higher protection level than the current monitoring mode if risk data is detected.

8. The device for real-time protection of document files of claim 6, wherein the monitoring modes selectable by the mode selection unit comprise at least two monitoring modes; the higher the protection level of a monitoring mode, the more computer system resources it occupies, and the lower the protection level of a monitoring mode, the fewer computer system resources it occupies.

9. The device for real-time protection of document files of any one of claims 6 to 8, wherein the protection processing unit is configured so that, if the mode selection unit selects the monitoring mode with the low protection level, it performs the real-time protection of the document files on the computer system using rule-based filtering of a configured subset of events, asynchronous monitoring of file execution events, interception of file write events filtered according to configured rules, and file scanning of the configured events that need to be intercepted.

10. The device for real-time protection of document files of any one of claims 6 to 8, wherein the protection processing unit is configured so that, if the mode selection unit selects the monitoring mode with the high protection level, it performs the real-time protection of the document files on the computer system using rule-based filtering of a configured subset of events, synchronous monitoring of file execution events, full interception of file write events, and file scanning of the intercepted events.
TW102148552A 2013-03-22 2013-12-26 Method for protecting document files in real time and apparatus thereof TWI510957B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310096441.1A CN103150518B (en) 2013-03-22 2013-03-22 A kind of method and apparatus of file real-time protection

Publications (2)

Publication Number Publication Date
TW201437837A TW201437837A (en) 2014-10-01
TWI510957B true TWI510957B (en) 2015-12-01

Family

ID=48548590

Family Applications (1)

Application Number Title Priority Date Filing Date
TW102148552A TWI510957B (en) 2013-03-22 2013-12-26 Method for protecting document files in real time and apparatus thereof

Country Status (3)

Country Link
CN (1) CN103150518B (en)
TW (1) TWI510957B (en)
WO (1) WO2014146499A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103150518B (en) * 2013-03-22 2016-02-17 腾讯科技(深圳)有限公司 A kind of method and apparatus of file real-time protection
EP3460701A4 (en) * 2016-06-23 2019-05-22 Mitsubishi Electric Corporation Intrusion detection device and intrusion detection program
CN108073811A (en) * 2016-11-16 2018-05-25 蓝盾信息安全技术有限公司 One kind realizes Net Strobe System intelligent file scanning technique based on multimode matching
CN107911375A (en) * 2017-11-28 2018-04-13 四川长虹电器股份有限公司 Operation system safety protecting method based on flow monitoring

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7540027B2 (en) * 2005-06-23 2009-05-26 International Business Machines Corporation Method/system to speed up antivirus scans using a journal file system
TW201018140A (en) * 2008-10-16 2010-05-01 Chunghwa Telecom Co Ltd System and method for protecting data of network user
CN102195992A (en) * 2010-11-01 2011-09-21 卡巴斯基实验室封闭式股份公司 System and method for performing anti-virus scanning for the data downloaded from network
CN102012992B (en) * 2010-11-19 2012-11-21 奇智软件(北京)有限公司 Method and device for monitoring real-time protection document

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004005008A (en) * 2002-04-04 2004-01-08 Scinet Corp Protection method for contents of writing in electronic publication distribution
CN101576947B (en) * 2009-06-05 2012-08-08 成都市华为赛门铁克科技有限公司 Method, device and system for file protection treatment
CN102262716B (en) * 2010-05-25 2014-03-05 腾讯科技(深圳)有限公司 Real-time protection method and device
CN102194073B (en) * 2011-06-03 2014-11-26 奇智软件(北京)有限公司 Scanning method and device of antivirus software
CN103150518B (en) * 2013-03-22 2016-02-17 腾讯科技(深圳)有限公司 A kind of method and apparatus of file real-time protection

Also Published As

Publication number Publication date
CN103150518A (en) 2013-06-12
CN103150518B (en) 2016-02-17
TW201437837A (en) 2014-10-01
WO2014146499A1 (en) 2014-09-25
