WO2015014259A1 - Method and device for accelerating anti-virus scanning cross-reference to related applications - Google Patents


Publication number: WO2015014259A1
Authority: WO, WIPO (PCT)
Application number: PCT/CN2014/083171
Other versions: WO2015014259A8 (en)
Inventor: Zixiao NIE
Original Assignee: Tencent Technology (Shenzhen) Company Limited

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection

Definitions

  • the present disclosure relates to the information technology field, and more particularly to a scanning acceleration method and device thereof.
  • Scanning is one of the key security features provided by current mainstream security software. Anti-virus scanning plays a very crucial role in maintaining system security and protecting users' privacy and property safety. It is also a security feature that is often used by users on the computer. As for Trojan virus scanning, an overall scan is required to ensure that no malicious files exist on the user's computer disk, so as to achieve the best security results and the most thorough risk assessment.
  • the conventional security software provides some solutions to overcome the above shortcoming, such as: first caching the scan results of a file, and then using the cached results as the scan result when performing the next scan, so that the scan is sped up.
  • the detailed procedures for the conventional scanning method are as follows:
  • Enumerating all of the files and executing a virus and Trojan scan when performing an initial overall scan; after the initial overall scan, saving the scan results in the database file, and writing validation attributes and file attributes into the database file.
  • When the user selects an overall scan the next time and a file is enumerated, first checking whether a scan result for the file at that path already exists in the database; if there is no result, executing the file scanning operation; if a result is found, obtaining the current attributes (mainly modification time, file size, etc.) of the file and comparing them with the previously written file attributes to verify whether the file has changed. If the file has changed, determining that the result in the database file does not belong to the file, and performing the scanning operation on the file. If the verification passes, confirming that the result in the database file belongs to the file and using it as the scan result of the file, thereby omitting the file scanning operation, so that an efficient scan can be realized.
  • methods for accelerating anti-virus scanning include recording information about changes made to a selected set of files in a file system in real time as a result of an I/O operation having been processed by a computing device having a processor; and selectively scanning files in the file system that were identified as modified based on the recorded information.
  • the methods can further include selectively skipping scanning directories that were identified as not modified based on the recorded information, wherein the recorded information further includes changes made to directories which include the selected set of files in real time.
  • the methods can further include selectively skipping scanning files that were identified as not modified under the directories based on the recorded information.
  • the information about changes made to the selected set of files in the file system in real time as a result of an I/O operation having been processed can be recorded by a file system filter driver configured to receive a notification when the I/O operation results in a change to the selected set of files in the file system.
  • the methods may also include a step of determining a file as modified if the processed I/O operation involves a write or modify operation.
  • the methods can include updating scan results to the log file after a scan was performed on the set of files that were identified as modified.
  • the device includes at least a processor with circuitry operating in conjunction with at least a memory which stores instruction codes operable as a plurality of modules.
  • the plurality of modules include a monitor unit which monitors changes made to a selected set of files in real time as a result of an I/O operation having been processed; a recording unit which records information about changes made to the selected set of files in real time; and a scanning control unit which selectively scans files in the file system that were identified as modified based on the recorded information.
  • a non-transitory computer-readable storage medium includes a set of instructions for accelerating anti-virus scanning.
  • the set of instructions direct at least one processor to perform acts of: recording information about changes made to a selected set of files in a file system in real time as a result of an I/O operation having been processed; and selectively scanning files in the file system that were identified as modified based on the recorded information.
  • FIG. 1 is a flowchart of a method according to one embodiment of the present disclosure.
  • FIG. 2 is a flowchart of a method according to another embodiment of the present disclosure.
  • FIG. 3 is a flowchart of a method according to another embodiment of the present disclosure.
  • FIG. 4 is a structural block diagram of an exemplary embodiment of a device of the present disclosure.
  • FIG. 5 is a structural block diagram of another exemplary embodiment of a device of the present disclosure.
  • FIG. 6 is a structural block diagram of another exemplary embodiment of a device of the present disclosure.
  • Fig. 7 is a structural block diagram of another exemplary embodiment of a device of the present disclosure.
  • the example may include a particular feature, structure, or characteristic, but every example may not necessarily include the particular feature, structure or characteristic. This should not be taken as a suggestion or implication that the features, structure or characteristics of two or more examples, or aspects of the examples, should not or could not be combined, except when such a combination is explicitly excluded.
  • a virus may include programs, such as, for example, a destructive program that is disguised as a benign program (i.e. a Trojan Horse), a program that covertly performs an operation without the user's consent or knowledge (e.g. spyware), or other unfriendly or malicious programs.
  • the present disclosure discloses a method for accelerating antivirus scanning, as shown in Fig. 1, the method includes the following steps:
  • Step 101 recording, by a computing device having a processor, information about changes made to a selected set of files in a file system in real time as a result of an I/O operation having been processed;
  • the file real-time monitoring can be realized by a file system filter driver that is provided by the operating system.
  • the file system filter driver can intercept all of the file input/output (I/O) operations information and detect changes to certain files by monitoring the I/O operations. If an application tries to perform an operation which writes to the file, such as changing the contents of the file and the like, the file filter drivers are capable of capturing and recording it. Thus, by relying on the real-time monitoring technology for files, the modification of any file within the system can be completely monitored.
  • the information about changes made to files in the file system can be recorded into a log file. In some embodiments, the information can also be recorded into a database.
  • "log file" and "database" are used herein interchangeably.
  • determining that a file is to be changed by file real-time monitoring comprises: determining the classification of a file operation event after the file operation event is captured by file real-time monitoring; if the classification is an event of file change, determining that the file that the operation event points to is changed.
  • If the processed I/O operation involves a write or modify operation on a file, then the file is identified as modified. The follow-up embodiment will give a more detailed explanation about this step.
  • recording the information about changes made to files in the file system into a database or a log file comprises: recording the information about the directories or sub-directories where the changed file is located into a database or a log file.
  • the method disclosed by the conventional methods can also be used in combination with the method in the present disclosure, i.e. scanning the files by checking the change of file attributes first and scanning those files with changed file attributes.
  • the conventional method of file attributes calibration can be used in combination with the present method, to achieve a better scan time, reduce the memory overhead and the disk space overhead, and use fewer resources in various aspects.
  • the embodiments of the present disclosure also provide another solution to provide a higher accuracy of the results of the scan, as follows: based on the method of recording the change of the directories in the file system, the method for accelerating anti-virus scanning in the present disclosure can also include recording the information about changes made to files within the changed directories or changed sub-directories into a database or a log file.
  • the embodiments according to present disclosure can not only record and monitor the information about directories in which files have been changed in real-time, but also monitor and record information about changes made to files.
  • the method for accelerating anti-virus scanning in the present disclosure can also include the following steps. Firstly, enumerating directories; skipping the enumerated directory if the directory has not been changed; and enumerating the files within the enumerated directory after determining that the directory has been changed. By doing this, the method in the present disclosure can ensure the accuracy of the scan results, and there will not be any security risk of the kind caused by the simple calibration solution in the conventional method.
  • Step 102 selectively scanning files in the file system that were identified as modified based on the recorded information.
  • this step involves enumerating files after the scanning is started, if the enumerated file is determined to be modified according to the recorded information in the database or log file, executing the scanning operation to the enumerated file, otherwise, skipping the scan for the enumerated file.
  • the embodiments according to the present disclosure can thus precisely monitor and record information about changes made to files in real time as a result of an I/O operation having been processed, and skip the scanning for those unchanged files, while not being exposed to the risk of being bypassed by viruses or Trojan programs. Therefore, the present disclosure provides a safe and efficient scanning solution with a higher scanning speed.
  • the step of recording information about changes made to a selected set of files in a file system in real time as a result of an I/O operation having been processed includes: recording information about directories under which files have been changed or modified; then Step 102, i.e. selectively scanning files in the file system that were identified as modified based on the recorded information, further includes:
  • the method for accelerating anti-virus scanning further comprises: enumerating the files within the enumerated file directory, if the enumerated file is determined to be changed according to the recorded information, carrying out scanning operation to the enumerated files; otherwise, selectively skipping scanning files that were identified as not modified under the directories based on the recorded information.
  • the method may also include: saving the scan results of an initial scanning into the result database; reading the saved results of the enumerated file from the result database if a scanning operation has been skipped for the enumerated file.
  • the method for accelerating anti-virus scanning may further include: performing an initial scan and saving the scan results of the initial scanning into the result database; reading the saved results of the enumerated file from the result database if a scanning operation has been skipped for the enumerated file.
  • the present disclosure also provides an embodiment to update the results file or results database.
  • the method for accelerating anti-virus scanning can further include the following step after carrying out the scanning operation on the enumerated file or the enumerated file directory: updating the scanning results into the result database or the log file after a scan was performed on the files that were identified as modified.
  • the present disclosure relies on real-time file monitoring technology.
  • the file real-time monitoring can be realized by a file system filter driver that is provided by the operating system.
  • the file system filter driver can intercept all of the file input/output (I/O) operations information and detect changes to certain files and directories by monitoring the I/O operations. If an application tries to perform an operation which writes or modifies the file, such as changing the contents of the file and the like, the file filter drivers are capable of intercepting the I/O requests and recording/logging the operation.
  • With the real-time monitoring technology on files, the modification of a file or the directory which contains the file in the file system can be completely monitored.
  • the information about changes made to the files and directories in the system in real time can thus be recorded into a log file or a database.
  • the database or log file which records changed information can generally be recorded on the local disk in the form of a list of records.
  • the above embodiments maintain the database of lists of local disk file directory changes by real-time monitoring. After a user selects an overall scan, during the overall scan process, once the enumerated directory is not found in the above-mentioned lists of file directory changes, the scan of this directory will be skipped, and the previous scan results for this directory will be used. In the case that merely changed directories were recorded, but not the scan results of all files in a directory, only the directories that have been scanned and in which no risk of malicious program has been detected will be skipped. Since most directories will be safe in most application scenarios, in an overall scan only those changed directories need to be scanned. For those changed directories, the method disclosed by the conventional methods can also be used in combination with the method in the present disclosure, i.e. scanning the files by checking the change of file attributes first and scanning those files with changed file attributes. Thus only a few files need to be scanned, which can reduce the scan time to a very low value.
  • the inventors performed some actual tests according to some embodiments of the present disclosure.
  • the inventors obtained some comparative results of the scan data using a common scanning method (i.e., simple scanning without any speed acceleration), an accelerated scanning with the conventional acceleration method, and an accelerated scanning using the embodiment
  • the data are obtained by testing on the same computer; all scans are first performed in a new environment, and again after one day of use by computers and users.
  • the system used in the test environment is Windows XP SP3, with 1 GB of physical memory and a single-core CPU (Central Processing Unit).
  • the comparative data are shown in Table 1.
  • an exemplary embodiment can include two main functional parts: 1) maintaining database that records system file directory changes by real-time monitoring; 2) speeding up overall scan.
  • Step 201 a file operation event occurs in a system;
  • Step 202 capturing the operation event by real-time file monitoring;
  • Step 203 determining whether the captured operation event involves a write or modify operation to a file, if yes, go to step 205, otherwise, go to step 204;
  • Step 204 Executing the operation event without recording, and returning to Step 201;
  • Step 205 Executing the operation event, recording the directory under which a file is changed by the operation event to a local database which keeps file directory changes, and returning to Step 201.
  • a full disk scanning with the acceleration method provided herein may include:
  • Step 301 receiving a full scan operation selected by a user;
  • Step 302 starting scanning and enumerating the directories in the disk;
  • Step 303 after enumerating a directory, querying the file directory changes in a local database, if no changes found for the enumerated directory, entering 304; otherwise entering 305;
  • Step 304 if the enumerated directory is determined to be not changed, selectively skipping scanning the enumerated directory, and returning to 302;
  • Step 305 if the enumerated directory is determined to be changed, executing scanning operation to the enumerated directory, and returning to 302.
  • Step 302 to Step 305 can be executed repeatedly until all directories are enumerated, then exiting the overall scan process.
  • a device for accelerating anti-virus scanning can include a monitoring unit 401 which monitors changes made to a selected set of files in real time as a result of an I/O operation having been processed; a recording unit 402 which records information about changes made to the selected set of files in real time to a database monitored by the monitoring unit 401; and a scanning control unit 403 which selectively scans files in the file system that were identified as modified based on the recorded information in the database.
  • the above embodiments herein can thus precisely monitor and record information about changes made to files as a result of real-time monitoring, and safely skip the scanning for those unchanged files, while not being exposed to the risk of being bypassed by some malicious programs, which happens often in the conventional acceleration method because lightweight detection is used there. Therefore, the present disclosure provides a safe and efficient scanning solution with a higher scanning speed.
  • An exemplary embodiment of the device according to the present disclosure can include the recording unit 402, which records information about changes made to directories under which one of the selected files was changed to a database or a log file in real time monitored by the monitoring unit 401; and the scanning control unit 403 which selectively skips scanning files that were identified as not modified under the directories based on the recorded information.
  • the above-mentioned scanning control unit 403 can enumerate a file directory after the scanning is started. If the enumerated file directory is determined to be changed according to the database, the scanning operation will be executed to the enumerated file directory, otherwise the scanning operation to the enumerated file directory will be skipped.
  • the amount of changed information of directory is not very large, so the information about the directories under which a file has been changed can be fully recorded.
  • recording the changed information in terms of "directory" as a unit is better than recording the changed information in terms of "file", because during the scanning process enumerating the disk also has overhead; the entire directory can be skipped if a directory is not changed, thus reducing the enumeration overhead of the internal directory, as well as the subsequent overhead of determining whether there is a change. Therefore, the scan time will be much shorter.
  • the conventional method of file attributes calibration can be used in combination with the present method, to achieve a better scan time, reduce the memory overhead and the disk space overhead, and use fewer resources in various aspects.
  • the present disclosure provides another solution that provides higher accuracy of scanning results as well.
  • the exemplary embodiment of the device according to the present disclosure can include: the recording unit 402, which records information about changes made to directories under which one of the selected files was changed to a database or a log file in real time monitored by the monitoring unit 401; the scanning control unit 403 mentioned above, which can also enumerate files in the enumerated file directory after the directory has been determined to be changed, and skip the enumerated directory if the directory has not been changed.
  • the method in the present disclosure can ensure the accuracy of the scan results, and there will not be any security risk of the kind caused by the simple calibration solution in the conventional method.
  • the monitoring unit 401 can also be configured to determine a file as modified if the I/O operation captured and processed in real time involves a write or modify operation. If the operation on a file is determined to involve a write or modify operation, it can be determined that the file on which the operation is executed has been modified.
  • the device herein may further comprise: a memory unit 501 which saves the scan results of an initial scanning into the result database, and a result reading unit 502 which reads the saved results of the enumerated file from the result database to the memory unit 501 if a scanning operation has been skipped for the enumerated file.
  • the present disclosure also provides a device which can update the results file or results database.
  • the above-mentioned exemplary device may further comprise: a data updating unit 601 which can update the scanning results into the result database after the scanning control unit 403 executes scanning operation to the enumerated file or enumerated file directory.
  • the result data in the result database can be kept accurate, so as to provide a basis for providing users with accurate and comprehensive scanning results.
  • the device can be any terminal unit such as a mobile phone, a Tablet PC, a PDA (Personal Digital Assistant), a POS (Point of Sales), or a vehicle-mounted computer.
  • Fig. 7 is a partially schematic block diagram of a mobile phone according to one embodiment of the present disclosure.
  • the mobile phone includes a radio frequency (RF) circuit 710, a memory 720, an input unit 730, a display unit 740, a sensor 750, an audio circuit 760, a wireless fidelity (WiFi) module 770, a processor 780, and a power 790, etc.
  • the RF circuit 710 is configured to receive and send signals during a call or during the process of receiving and sending messages. Specifically, the RF circuit 710 will receive downlink information from the base station and send it to the processor 780, or send uplink data to the base station.
  • the RF circuit 710 may include, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier (LNA), a diplexer, and the like.
  • the RF circuit 710 can communicate with a network or other devices by wireless communication.
  • Such wireless communication can use any one communication standard or protocol, which may include, but is not limited to, Global System of Mobile communication (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), email, or Short Messaging Service (SMS).
  • the memory 720 is configured to store software programs and modules which are run by the processor 780 to perform multiple functional applications of the mobile phone and data processing.
  • the memory 720 mainly includes storing program area and storing data area.
  • the storing program area can store the operating system, at least one application program with required function (such as sound playing function, image playing function, etc.).
  • the storing data area can store data established by the mobile phone according to actual use need (such as audio data, phonebook, etc.).
  • the memory 720 can be high-speed random access memory, or nonvolatile memory, such as disk storage, flash memory device, or other volatile solid-state memory devices.
  • the input unit 730 can receive the entered number or character information, and the entered key signal related to user setting and function control of the mobile phone 700.
  • the input unit 730 can include a touch panel 731 or other input devices 732.
  • the touch panel 731, also called a touch screen, can collect the user's touch operations thereon or nearby (for example, operations generated by the user's fingers, a touch pen, and the like, touching on or near the touch panel 731), and drive the corresponding connection device according to the preset program.
  • the touch panel 731 may include two portions including a touch detection device and a touch controller.
  • the touch detection device can detect the touch position of the user and signals accordingly, and then send the signals to the touch controller. Subsequently, the touch controller may receive touch information from the touch detection device, and convert it to contact coordinates which are to be sent to the processor 780, and then receive command sent by the processor 780 to perform.
  • the input unit 730 can include, but is not limited to, other input devices 732, such as one or more selected from a physical keyboard, function keys (such as volume control keys, switch key-press, etc.), a trackball, a mouse, and an operating lever, etc.
  • the display unit 740 can display information entered by the user or information supplied to the user, and menus of the mobile phone.
  • the display unit 740 may include a display panel 741, such as a Liquid Crystal Display (LCD), or an Organic Light-Emitting Diode (OLED).
  • the display panel 741 can be covered by the touch panel 731; after touch operations are detected on or near the touch panel 731, they will be sent to the processor 780 to determine the type of the touching event. Subsequently, the processor 780 can supply the corresponding visual output to the display panel 741 according to the type of the touching event.
  • the touch panel 731 and the display panel 741 are two individual components to implement input and output of the mobile phone, but in some embodiments they can be integrated together to implement the input and output.
  • the mobile phone 700 includes at least one sensor 750, such as light sensors, motion sensors, or other sensors known in the art.
  • the light sensors can include ambient light sensors which can adjust brightness of the display panel 741 according to the ambient light, and proximity sensors which can turn off the display panel 741 and/or maintain backlight when the mobile phone is placed near the ear side.
  • Accelerometer sensor as one of the motion sensors can detect the magnitude of accelerations in every direction (Triaxial, generally), and detect the magnitude and direction of gravity in an immobile status, which is applicable to applications of identifying attitudes of the mobile (such as switching between horizontal and vertical screens, related games, magnetometer attitude calibration, etc.), vibration recognition related functions (such as pedometer, percussion, etc.).
  • the mobile phone 700 also can configure other sensors (such as gyroscopes, barometers, hygrometers, thermometers, infrared sensors, etc.) whose detailed descriptions are omitted here.
  • the audio circuit 760, the speaker 761 and the microphone 762 supply an audio interface between the user and the mobile phone.
  • the audio data is received and converted to electrical signals by audio circuit 760, and then transmitted to the speaker 761, which are converted to sound signal to output. Meanwhile, the sound signal collected by the speaker is then converted to electrical signals which will be received and converted to audio data. Subsequently, the audio data are output to the processor 780 to process, and then sent to another mobile phone via the RF circuit 710, or sent to the memory 720 to process further.
  • WiFi pertains to short-range wireless transmission technology providing a wireless broadband Internet, by which the mobile phone can help the user to receive and send email, browse web, and access streaming media, etc.
  • Although the WiFi module 770 is illustrated in Fig. 7, it should be apparent to those skilled in the art that the WiFi module 770 is not necessary for the mobile phone and can be omitted according to the actual demand without changing the essence of the present disclosure.
  • the processor 780 can be a control center of the mobile phone, which connects with every part of the mobile phone by various interfaces or circuits, and performs various functions and processes data by running or performing software program/module stored in the memory 720 or calling data stored in the memory 720, so as to monitor the mobile phone.
  • the processor 780 may include one or more processing units.
  • the processor 780 can integrate with application processors and modem processors, for example, the application processors include processing operating system, user interface and applications, etc.; the modem processors are used for performing wireless communication. It can be understood that, it's an option to integrate the modem processors to the processor 780.
  • the mobile phone 700 may include a power supply (such as battery) supplying power for each component, preferably, the power supply can connect with the processor 780 by power management system, so as to manage charging, discharging and power consuming.
  • the mobile phone 700 may include a camera, and a Bluetooth module, etc., which are not illustrated.
  • the processor 780 in the terminal may include the following functions: recording information about changes made to a selected set of files in a file system in real time as a result of an I/O operation having been processed; after a file is determined to be changed by file real-time monitoring, and after scanning being started, enumerating files; if the enumerated file is determined to be changed according to the recorded database, executing scanning operation to the enumerated file; otherwise, skipping the scanning operation to the enumerated file.
  • a real time file monitor as a result of an I/O operation having been processed can be performed by a file system filter driver configured to receive a notification when the I/O operation results in a change to the selected set of files in the file system.
  • a file filter driver is able to intercept all file I/O requests and monitor the operations to detect changes made to files. If there is an operation of changing file content, such as attempting to write into the file, by certain application programs, a file filter driver is able to capture and record. Thus by file real-time monitoring, any file modification in system can be monitored entirely.
  • recording the information about changes made to files in the file system into a database or a log file in real time may comprise: after a file operation event is captured by a real-time file monitor, determining whether the captured operation event involves a write or modify operation to a file, if yes, the classification of the operation is a file change event, and the file is determined to be changed. Subsequent embodiment will provide more detailed explanation to this issue.

Abstract

The present disclosure discloses methods and devices for accelerating anti-virus scanning. The methods include recording information about changes made to a selected set of files in a file system in real time as a result of an I/O operation having been processed by a computing device having a processor and selectively scanning files in the file system that were identified as modified based on the recorded information. When the recorded information includes changes made to directories which include the selected set of files in real time, the method further comprises selectively skipping scanning directories that were identified as not modified based on the recorded information.

Description

METHOD AND DEVICE FOR ACCELERATING ANTI-VIRUS SCANNING
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] This application claims priority to a Chinese Patent Application No. 201310323071.0, filed on July 29, 2013, which is incorporated by reference in its entirety.
FIELD OF THE TECHNOLOGY
[0002] The present disclosure relates to the information technology field, and more particularly to a scanning acceleration method and device thereof.
BACKGROUND
[0003] Scanning is one of the key security features provided by current mainstream security software. Anti-virus scanning plays a crucial role in maintaining system security and protecting users' privacy and property. It is also a security feature that users often run on their computers. For Trojan virus scanning, an overall scan is required to ensure that no malicious files exist on the user's computer disk, so as to achieve the best security results and the most thorough risk assessment.
[0004] However, overall scanning in current conventional implementations has a major shortcoming: the scanning time is very long. This shortcoming seriously degrades the user experience. Most users give up running a routine overall scan because a full scan takes too long, which exposes them to considerable risk from malicious programs and to property damage.
[0005] At present, conventional security software provides some solutions to overcome this shortcoming, such as caching the scan result of a file and using the cached result as the scan result when the next scan is performed, so that scanning is sped up. The detailed procedure of the conventional scanning method is as follows:
[0006] During an initial overall scan, all files are enumerated and scanned for viruses and Trojans; after the initial overall scan, the scan results are saved in a database file, together with validation attributes and file attributes. When the user next selects an overall scan, for each enumerated file the scanner first checks whether the database already holds a scan result for the file at that path. If there is no result, the file is scanned. If a result is found, the scanner obtains the file's current attributes (mainly modification time, file size, etc.) and compares them with the previously written attributes to verify whether the file has changed. If the file has changed, the result in the database is judged not to belong to the file, and the file is scanned. If the verification passes, the result in the database is confirmed to belong to the file and is used as the file's scan result, so the file scanning operation is omitted and scanning becomes more efficient.
[0007] However, in the above solution the file scanning operation is omitted during subsequent scans, and the verification, which is kept simple so that scanning stays fast, is easy to bypass. This gives viruses many opportunities to attack, because a virus can invade the system as long as it passes the verification; security is therefore poor. Accordingly, it would be advantageous to provide a method that accelerates anti-virus scanning without compromising the full protection of the system from Trojans or other malicious software.
SUMMARY OF THE DISCLOSURE
[0008] In one aspect of the present disclosure, methods for accelerating anti-virus scanning are provided. The methods include recording information about changes made to a selected set of files in a file system in real time as a result of an I/O operation having been processed by a computing device having a processor; and selectively scanning files in the file system that were identified as modified based on the recorded information. The methods can further include selectively skipping scanning directories that were identified as not modified based on the recorded information, wherein the recorded information further includes changes made to directories which include the selected set of files in real time.
[0009] For directories that were identified as modified based on the recorded information, the methods can further include selectively skipping scanning files that were identified as not modified under the directories based on the recorded information. The information about changes made to the selected set of files in the file system in real time as a result of an I/O operation having been processed can be recorded by a file system filter driver configured to receive a notification when the I/O operation results in a change to the selected set of files in the file system. The methods may also include a step of determining a file as modified if the processed I/O operation involves a write or modify operation. In addition, the methods can include updating scan results to the log file after a scan was performed on the set of files that were identified as modified.
[0010] In another aspect of the present disclosure, devices for accelerating anti-virus scanning are provided. The device includes at least a processor with circuitry operating in conjunction with at least a memory which stores instruction codes operable as a plurality of modules. The plurality of modules include a monitor unit which monitors changes made to a selected set of files in real time as a result of an I/O operation having been processed; a recording unit which records information about changes made to the selected set of files in real time; and a scanning control unit which selectively scans files in the file system that were identified as modified based on the recorded information.
[0011] In another aspect of the present disclosure, a non-transitory computer-readable storage medium is provided. The non-transitory computer-readable storage medium includes a set of instructions for accelerating anti-virus scanning. The set of instructions direct at least one processor to perform acts of: recording information about changes made to a selected set of files in a file system in real time as a result of an I/O operation having been processed; and selectively scanning files in the file system that were identified as modified based on the recorded information.
[0012] Other features and advantages will be, or will become, apparent to one skilled in the art upon examination of the following figures and detailed description. It is intended that all such additional features and advantages included within this description be within the scope of the claims, and be protected by the following claims.
BRIEF DESCRIPTION OF THE DRAWINGS
[0013] The accompanying drawings are included to provide a further understanding of the claims, are incorporated in, and constitute a part of this specification. The detailed description and illustrated embodiments described serve to explain the principles defined by the claims. The drawings described below show only certain embodiments of the present disclosure; those skilled in the art can obtain other drawings based on these drawings without creative work.
[0014] Fig. 1 is a flowchart of a method according to one embodiment of the present disclosure;
[0015] Fig. 2 is a flowchart of a method according to another embodiment of the present disclosure;
[0016] Fig. 3 is a flowchart of a method according to another embodiment of the present disclosure;
[0017] Fig. 4 is a structural block diagram of an exemplary embodiment of a device of the present disclosure;
[0018] Fig. 5 is a structural block diagram of another exemplary embodiment of a device of the present disclosure;
[0019] Fig. 6 is a structural block diagram of another exemplary embodiment of a device of the present disclosure; and
[0020] Fig. 7 is a structural block diagram of another exemplary embodiment of a device of the present disclosure.
DETAILED DESCRIPTION OF THE EMBODIMENTS
[0021] The various embodiments of the present disclosure are further described in detail below in combination with the accompanying drawings and embodiments. Like numbered elements in the same or different drawings perform equivalent functions. It should be understood that the specific embodiments described here are used only to explain the present disclosure, and are not intended to limit the present disclosure.
[0022] When describing a particular example, the example may include a particular feature, structure, or characteristic, but every example may not necessarily include the particular feature, structure or characteristic. This should not be taken as a suggestion or implication that the features, structure or characteristics of two or more examples, or aspects of the examples, should not or could not be combined, except when such a combination is explicitly excluded.
[0023] For purposes of the present disclosure, a virus may include programs, such as, for example, a destructive program that is disguised as a benign program (i.e. a Trojan Horse), a program that covertly performs an operation without the user's consent or knowledge (e.g. spyware), or other unfriendly or malicious programs.
[0024] In some embodiments, the present disclosure discloses a method for accelerating anti-virus scanning. As shown in Fig. 1, the method includes the following steps:
[0025] Step 101: recording, by a computing device having a processor, information about changes made to a selected set of files in a file system in real time as a result of an I/O operation having been processed;
[0026] Real-time file monitoring can be implemented with a file system filter driver provided by the operating system. The file system filter driver can intercept all file input/output (I/O) operations and detect changes to certain files by monitoring those operations. If an application tries to perform an operation that writes to a file, such as changing the contents of the file, the file filter driver is able to capture and record it. Thus, by relying on real-time file monitoring, the modification of any file within the system can be completely monitored. The information about changes made to files in the file system can be recorded into a log file. In some embodiments, the information can also be recorded into a database. For the purpose of this disclosure, the terms "log file" and "database" are used herein interchangeably.
[0027] Alternatively, in step 101 of some embodiments, determining by real-time file monitoring that a file has been changed comprises: after a file operation event is captured by real-time file monitoring, determining the classification of the event; if the classification is a file change event, determining that the file the operation event points to has been changed. In some embodiments, if the processed I/O operation involves a write or modify operation on a file, then the file is identified as modified. A later embodiment explains this step in more detail.
[0028] In some embodiments, because the number of files in the system is relatively large, fully recording the change information for every file may place a large burden on memory and disk. Therefore, the present disclosure provides a solution that only needs to record the information about directories under which files have been changed or modified, without necessarily recording the change information of every file. An exemplary solution is as follows: recording the information about changes made to files in the file system into a database or a log file comprises: recording the information about the directories or sub-directories where the changed file is located into a database or a log file.
[0029] In this way, the amount of directory change information is not very large, so the information about the directories under which a file has been changed can be fully recorded. In addition, recording the change information with "directory" as the unit is better than recording it with "file" as the unit, because enumerating the disk during a scan also has an overhead: if a directory has not changed, the entire directory can be skipped, which removes the overhead of enumerating its contents as well as the subsequent overhead of determining whether there is a change. Therefore, the scan time will be much shorter.
In some embodiments, when scanning a changed directory, the conventional method can also be used in combination with the method in the present disclosure, i.e. checking the file attributes first and scanning only those files whose attributes have changed. Thus, the conventional method of file attribute calibration can be combined with the present method to achieve a better scan time while reducing memory overhead, disk space overhead and resource use in general.
[0030] Furthermore, the embodiments of the present disclosure also provide another solution to provide a higher accuracy of the results of the scan, as follows: based on the method of recording the change of the directories in the file system, the method for accelerating anti-virus scanning in the present disclosure can also include recording the information about changes made to files within the changed directories or changed sub-directories into a database or a log file.
[0031] Thus, the embodiments according to the present disclosure can not only monitor and record, in real time, information about directories in which files have been changed, but also monitor and record information about changes made to the files themselves. In some embodiments, the method for accelerating anti-virus scanning in the present disclosure can also include the following steps: during enumeration, enumerating directories first; skipping an enumerated directory if it has not been changed; and enumerating the files within the enumerated directory after determining that the directory has been changed. By doing this, the method in the present disclosure can ensure the accuracy of the scan results, and there will not be any security risk due to the simple calibration solution in the conventional method.
[0032] Step 102: selectively scanning files in the file system that were identified as modified based on the recorded information. In some embodiments, this step involves enumerating files after the scanning is started, if the enumerated file is determined to be modified according to the recorded information in the database or log file, executing the scanning operation to the enumerated file, otherwise, skipping the scan for the enumerated file.
[0033] The embodiments according to the present disclosure can thus precisely monitor and record information about changes made to files in real time as a result of an I/O operation having been processed, and skip scanning of the unchanged files, without being exposed to the risk of being bypassed by viruses or Trojan programs. Therefore, the present disclosure provides a safe and efficient scanning solution with a higher scanning speed.
[0034] In some embodiments, if the step of recording information about changes made to a selected set of files in a file system in real time as a result of an I/O operation having been processed includes recording information about directories under which files have been changed or modified, then Step 102, i.e. selectively scanning files in the file system that were identified as modified based on the recorded information, further includes:
[0035] after scanning is started, enumerating the file directory, if the enumerated file directory is determined to be changed according to recorded information in the file or in the database, carrying out scanning operation to the file within the enumerated file directory, and otherwise, skipping the scanning operation to the enumerated file directory.
[0036] In some embodiments, if a directory is identified as modified based on the recorded information, after the enumerated file directory is determined to be changed according to the database, the method for accelerating anti-virus scanning further comprises: enumerating the files within the enumerated file directory, if the enumerated file is determined to be changed according to the recorded information, carrying out scanning operation to the enumerated files; otherwise, selectively skipping scanning files that were identified as not modified under the directories based on the recorded information.
[0037] Prior to Step 101, if an initial scan has been performed, then in some embodiments, the method may also include: saving the scan results of an initial scanning into the result database; reading the saved results of the enumerated file from the result database if a scanning operation has been skipped for the enumerated file.
[0038] It should be noted that whether an initial scan has been executed is not a requirement for the present disclosure. If there is no initial scan or initial scan results, the methods provided in the present disclosure will skip the scan operation to those unchanged files according to the recorded information, but there will be no scanning results for those skipped files. If a scan result is needed for those skipped files, in some embodiments, the method for accelerating anti-virus scanning may further include: performing an initial scan and saving the scan results of the initial scanning into the result database; reading the saved results of the enumerated file from the result database if a scanning operation has been skipped for the enumerated file.
[0039] The present disclosure also provides an embodiment for updating the results file or results database. To keep the result data in the result database up to date and accurate, in some embodiments the method for accelerating anti-virus scanning further includes, after carrying out the scanning operation on the enumerated file or the enumerated file directory: updating the scanning results into the result database or the log file after a scan was performed on the files that were identified as modified.
[0040] These embodiments keep the result data within the result database up to date and accurate, thereby offering a basis for providing accurate and comprehensive scan results to the user.
[0041] The present disclosure relies on real-time file monitoring technology. Real-time file monitoring can be implemented with a file system filter driver provided by the operating system. The file system filter driver can intercept all file input/output (I/O) operations and detect changes to certain files and directories by monitoring those operations. If an application tries to perform an operation that writes to or modifies a file, such as changing the contents of the file, the file filter driver is capable of intercepting the I/O request and recording/logging the operation. Thus, with real-time file monitoring, the modification of a file, or of the directory which contains the file, can be completely monitored. The information about changes made to the files and directories in the system in real time can thus be recorded into a log file or a database. In some embodiments, the database or log file which records change information can generally be kept on the local disk in the form of a list of records.
[0042] The above embodiments maintain, by real-time monitoring, a database of lists of local disk file directory changes. After a user selects an overall scan, whenever an enumerated directory is not found in the above-mentioned lists of file directory changes during the scan, scanning of this directory is skipped and the previous scan results for this directory are used. In the case that only the changed directories were recorded, but not the scan results of all files in a directory, only the directories that have already been scanned with no risk of malicious programs detected will be skipped. Since most directories will be safe in most application scenarios, only the changed directories need to be scanned in an overall scan. For those changed directories, the conventional method can also be used in combination with the method in the present disclosure, i.e. checking the file attributes first and scanning only those files whose attributes have changed. Thus only a few files need to be scanned, which can reduce the scan time to a very low value.
[0043] The inventors ran actual tests according to some embodiments of the present disclosure and obtained comparative scan data for a common scanning method (i.e., simple scanning without any speed acceleration), accelerated scanning with the conventional acceleration method, and accelerated scanning using the embodiment method of the present disclosure. The data were obtained by testing on the same computer; each scan was first performed in a new environment, and again after the computer had been in use for one day. The system used in the test environment is Windows XP SP3, with 1 GB of physical memory and a single-core CPU (Central Processing Unit). The comparative data are shown in Table 1.
[0044] Table 1: Comparative data of three scanning methods

| Scanning method | Scanning time | Reduction in scanning time | Total files | Files actually scanned | Reduction in files scanned |
|---|---|---|---|---|---|
| Common scanning | 746s | / | 53594 | 53594 | / |
| Accelerated scanning using conventional acceleration method | 541s | 27.48% | 53594 | 42312 | 21.05% |
| Accelerated scanning using present disclosure | 189s | 74.66% | 53594 | 9457 | 82.35% |
[0045] As shown in Table 1, without an acceleration solution, 53594 files need to be scanned in each scan, which is the number of all the files in the system. With accelerated scanning using the conventional acceleration method, only 42312 of the 53594 files were actually scanned, which reduced the number of files scanned by 21.05% and the scanning time by 27.48%. With accelerated scanning using the embodiment method of the present disclosure, only 9457 files were actually scanned, which reduced the number of files scanned by 82.35% and the scanning time by 74.66%. Compared to the prior art, the present exemplary embodiment has an obvious accelerating effect and greatly shortens the scanning time.
[0046] In some embodiments, an exemplary embodiment can include two main functional parts: 1) maintaining database that records system file directory changes by real-time monitoring; 2) speeding up overall scan.
[0047] Therein, steps of maintaining database that records system file directory changes by real-time monitoring can be illustrated with reference to Fig. 3, which include:
[0048] Step 201 : a file operation event occurs in a system;
[0049] Step 202: capturing the operation event by real-time file monitoring;
[0050] Step 203: determining whether the captured operation event involves a write or modify operation to a file, if yes, go to step 205, otherwise, go to step 204;
[0051] Step 204: Executing the operation event without recording, and returning to 201;
[0052] Step 205: Executing the operation event, recording the directory under which a file is changed by the operation event to a local database which keeps file directory changes, and returning to Step 201.
[0053] It should be apparent to those skilled in the art that the local database which keeps file directory changes will be continuously updated as the real-time monitoring continues.
[0054] In some embodiments, as shown in Fig. 4, a full disk scanning with the acceleration method provided herein may include:
[0055] Step 301 : receiving a full scan operation selected by a user;
[0056] Step 302: starting scanning and enumerating the directories in the disk;
[0057] Step 303: after enumerating a directory, querying the file directory changes in a local database, if no changes found for the enumerated directory, entering 304; otherwise entering 305;
[0058] Step 304: if the enumerated directory is determined to be not changed, selectively skipping scanning the enumerated directory, and returning to 302;
[0059] Step 305: if the enumerated directory is determined to be changed, executing scanning operation to the enumerated directory, and returning to 302.
[0060] It should be apparent to those skilled in the art that Step 302 to Step 305 can be executed repeatedly until all directories are enumerated, then exiting the overall scan process.
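The two flows above (Steps 201 to 205 and Steps 301 to 305), together with the result database described later in the disclosure, can be exercised end to end in a small simulation. The following is an added illustration, not code from the patent or from any product: the event names, the toy engine, the marker bytes and the point at which a directory's change mark is cleared are all assumptions made for the example.

```python
import os
import tempfile

WRITE_OPS = {"write", "modify"}       # constructed event names, not real driver codes
MARKER = b"CONSTRUCTED-TEST-MARKER"   # constructed pattern for the toy engine


class ChangeJournal:
    """Steps 201-205: the local database of directories holding changed files."""

    def __init__(self):
        self.changed_dirs = set()

    def on_file_event(self, op, path):
        """Step 203: record write/modify events (step 205), ignore others (204)."""
        if op not in WRITE_OPS:
            return False
        self.changed_dirs.add(os.path.dirname(os.path.abspath(path)))
        return True

    def is_changed(self, directory):
        return os.path.abspath(directory) in self.changed_dirs

    def clear(self, directory):
        self.changed_dirs.discard(os.path.abspath(directory))


def toy_engine(path):
    """Stand-in for the anti-virus engine: True if the file holds MARKER."""
    with open(path, "rb") as handle:
        return MARKER in handle.read()


class AcceleratedScanner:
    """Steps 301-305, with saved results reused for skipped directories."""

    def __init__(self, journal, engine=toy_engine):
        self.journal = journal
        self.engine = engine
        self.result_db = {}   # directory -> {file name: verdict}

    def full_scan(self, root):
        """Return (report, engine_calls) for one full scan of root."""
        report, engine_calls = {}, 0
        for directory, _subdirs, files in os.walk(root):           # step 302
            directory = os.path.abspath(directory)
            saved = self.result_db.get(directory)
            # Step 303. A directory with no saved results is always scanned,
            # so the first run behaves as the initial scan.
            if saved is not None and not self.journal.is_changed(directory):
                verdicts = saved                                   # step 304: skip
            else:                                                  # step 305: scan
                # Assumption: clear the mark before scanning, so a write that
                # lands during the scan marks the directory again.
                self.journal.clear(directory)
                verdicts = {}
                for name in files:
                    verdicts[name] = self.engine(os.path.join(directory, name))
                    engine_calls += 1
                self.result_db[directory] = verdicts               # update results
            for name, verdict in verdicts.items():
                report[os.path.join(directory, name)] = verdict
        return report, engine_calls


def demo():
    """Build a constructed tree, run an initial scan, replay events, rescan."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("a", "b", "c"):
            os.mkdir(os.path.join(root, sub))
            for i in range(2):
                with open(os.path.join(root, sub, f"f{i}.bin"), "wb") as handle:
                    handle.write(b"benign sample data")
        journal = ChangeJournal()
        scanner = AcceleratedScanner(journal)
        _, first_calls = scanner.full_scan(root)        # initial scan

        # Constructed events: a read (ignored) and a write (recorded).
        journal.on_file_event("read", os.path.join(root, "a", "f0.bin"))
        target = os.path.join(root, "b", "f1.bin")
        with open(target, "wb") as handle:
            handle.write(b"header " + MARKER)
        journal.on_file_event("write", target)

        report, second_calls = scanner.full_scan(root)  # accelerated scan
        flagged = sorted(os.path.relpath(p, root).replace(os.sep, "/")
                         for p, hit in report.items() if hit)
        _, third_calls = scanner.full_scan(root)        # nothing changed since
        return first_calls, second_calls, flagged, len(report), third_calls


if __name__ == "__main__":
    print(demo())
```

The second scan calls the engine only for the two files in the marked directory, yet still reports a verdict for all six files because the skipped directories are answered from the saved results.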
[0061] In another aspect of the present disclosure, as shown in Fig. 5, a device for accelerating anti-virus scanning can include a monitoring unit 401 which monitors changes made to a selected set of files in real time as a result of an I/O operation having been processed; a recording unit 402 which records information about changes made to the selected set of files in real time to a database monitored by the monitoring unit 401; and a scanning control unit 403 which selectively scans files in the file system that were identified as modified based on the recorded information in the database.
[0062] The above embodiments can thus precisely monitor and record information about changes made to files through real-time monitoring, and safely skip scanning unchanged files, without being exposed to the risk of being bypassed by malicious programs, which often happens with the conventional acceleration method because it relies on lightweight detection. Therefore, the present disclosure provides a safe and efficient scanning solution with a higher scanning speed.
[0063] In some embodiments, because the number of files in the system is relatively large, fully recording all the change information may place a large burden on the memory and the disk. Therefore, the present disclosure provides a solution that only needs to record the information about directories under which files have been changed or modified, without needing to record all the change information of the files. An exemplary embodiment of the device according to the present disclosure can include the recording unit 402, which records information about changes made to directories under which one of the selected files was changed to a database or a log file in real time monitored by the monitoring unit 401; and the scanning control unit 403 which selectively skips scanning files that were identified as not modified under the directories based on the recorded information.
[0064] As an example, the above-mentioned scanning control unit 403 can enumerate a file directory after the scanning is started. If the enumerated file directory is determined to be changed according to the database, the scanning operation will be executed to the enumerated file directory, otherwise the scanning operation to the enumerated file directory will be skipped.
[0065] In this way, the amount of directory change information is not very large, so the information about the directories under which a file has been changed can be fully recorded. In addition, recording the change information with the "directory" as the unit is better than recording it per "file": enumerating the disk during the scanning process also has overhead, and if a directory has not changed the entire directory can be skipped, which reduces the overhead of enumerating inside the directory as well as the subsequent overhead of determining whether there is a change. Therefore, the scan time will be much shorter. In some embodiments, when scanning a changed directory, the conventional method can also be used in combination with the method in the present disclosure, i.e. checking the file attributes for changes first and scanning those files whose file attributes have changed. Thus, the conventional method of file attribute calibration can be used in combination with the present method to achieve a better scan time, while reducing the memory overhead and the disk space overhead and using fewer resources in various aspects.
[0066] In some embodiments, the present disclosure provides another solution that provides higher accuracy of scanning results as well. The exemplary embodiment of the device according to the present disclosure can include: the recording unit 402, which records information about changes made to directories under which one of the selected files was changed to a database or a log file in real time monitored by the monitoring unit 401 ; the scanning control unit 403 mentioned above, which can also enumerate files in the enumerated file directory after the directory has been determined to be changed, and skip the enumerated directory if the directory has not been changed.
[0067] By doing this, the method in the present disclosure can ensure the accuracy of the scan results and there will not be any security risk due to the simple calibration solution in the conventional method.
[0068] In some embodiments, the monitoring unit 401 can also be configured to determine a file as modified if the I/O operation captured in real time involves a write or modify operation. If the operation on a file is determined to involve a write or modify operation, it can be determined that the file on which the operation is executed has been modified.
[0069] In some embodiments, as shown in Fig. 6, if prior to Step 101, an initial scan has been performed, the device herein may further comprise: a memory unit 501 which saves the scan results of an initial scanning into the result database, and a result reading unit 502 which reads the saved results of the enumerated file from the result database to the memory unit 501 if a scanning operation has been skipped for the enumerated file.
[0070] It should be noted that whether an initial scan has been executed is not a requirement for the present disclosure. If there is no initial scan or initial scan results, the methods provided in the present disclosure will skip the scan operation to those unchanged files according to the recorded information, but there will be no scanning results for those skipped files. If a scan result is needed for those skipped files, in some embodiments, the method for accelerating anti-virus scanning may further include: performing an initial scan and saving the scan results of the initial scanning into the result database; reading the saved results of the enumerated file from the result database if a scanning operation has been skipped for the enumerated file.
[0071] The present disclosure also provides a device which can update the results file or results database. As shown in Fig. 7, the above-mentioned exemplary device may further comprise: a data updating unit 601 which can update the scanning results into the result database after the scanning control unit 403 executes scanning operation to the enumerated file or enumerated file directory.
[0072] By using the solution of the embodiment of the present disclosure, the result data in the result database can be kept accurate, so as to provide a basis for giving users accurate and comprehensive scanning results.
[0073] Another embodiment provided by the present disclosure is shown in Fig. 7. To simplify the illustration, only some relevant portions associated with the present embodiment are shown, other details not shown in Fig. 7 can be referred to the embodiments described above. Specifically, in some embodiments, the device can be any terminal unit such as a mobile phone, a Tablet PC, a PDA (Personal Digital Assistant), a POS (Point of Sales), or a vehicle-mounted computer. The following is an example of a mobile phone according to one embodiment of the present disclosure.
[0074] Fig. 7 is a partially schematic block diagram of a mobile phone according to one embodiment of the present disclosure. In this exemplary embodiment, the mobile phone includes a radio frequency (RF) circuit 710, a memory 720, an input unit 730, a display unit 740, a sensor 750, an audio circuit 760, a wireless fidelity (WiFi) module 770, a processor 780, and a power 790, etc. It should be apparent to those skilled in the art that, the components of the mobile phone illustrated in Fig. 7 should not be limited to those shown in the figure, and some components can be added or omitted, or some combinations or arrangement can be included.
[0075] The following is a detailed description of the structure of the mobile phone with reference to Fig. 7.
[0076] In some embodiments, the RF circuit 710 is configured to receive and send signals during calling or process of receiving and sending message. Specifically, the RF circuit 710 will receive downlink information from the base station and send it to the processor 780; or send uplink data to the base station. Generally, the RF circuit 710 may include, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier (LNA), a diplexer, and the like. In addition, the RF circuit 710 can communicate with network or other devices by wireless communication. Such wireless communication can use any one communication standard or protocol, which may include, but is not limited to, Global System of Mobile communication (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), email, or Short Messaging Service (SMS).
[0077] In some embodiments, the memory 720 is configured to store software programs and modules which are run by the processor 780 to perform multiple functional applications of the mobile phone and data processing. The memory 720 mainly includes storing program area and storing data area. Specifically, in some embodiments, the storing program area can store the operating system, at least one application program with required function (such as sound playing function, image playing function, etc.). The storing data area can store data established by mobile phone according to actual use need (such as audio data, phonebook, etc.) Furthermore, in some embodiments, the memory 720 can be high-speed random access memory, or nonvolatile memory, such as disk storage, flash memory device, or other volatile solid-state memory devices.
[0078] In some embodiments, the input unit 730 can receive the entered number or character information, and the entered key signal related to user setting and function control of the mobile phone 700. Specifically, in some embodiments, the input unit 730 can include a touch panel 731 or other input devices 732. The touch panel 731, also called as a touch screen, can collect user's touch operations thereon or nearby (for example the operations generated by fingers of user or touchpen, and the like, touching on the touch panel 731 or touching near the touch panel 731), and drive the corresponding connection device according to the preset program. In some embodiments, the touch panel 731 may include two portions including a touch detection device and a touch controller. Specifically, in some embodiments, the touch detection device can detect the touch position of the user and signals accordingly, and then send the signals to the touch controller. Subsequently, the touch controller may receive touch information from the touch detection device, and convert it to contact coordinates which are to be sent to the processor 780, and then receive command sent by the processor 780 to perform. In addition, besides the touch panel 731, the input unit 730 can include, but not limited to, other input devices 732, such as one or more selected from physical keyboard, function keys (such as volume control keys, switch key-press, etc.), a trackball, a mouse, and an operating lever, etc..
[0079] In some embodiments, the display unit 740 can display information entered by the user or information supplied to the user, and menus of the mobile phone. For example, the display unit 740 may include a display panel 741, such as a Liquid Crystal Display (LCD), or an Organic Light-Emitting Diode (OLED). Furthermore, in some embodiments, the display panel 741 can be covered by the touch panel 731; after touch operations are detected on or near the touch panel 731, they will be sent to the processor 780 to determine the type of the touching event. Subsequently, the processor 780 can supply the corresponding visual output to the display panel 741 according to the type of the touching event. As shown in Fig. 7, the touch panel 731 and the display panel 741 are two individual components to implement input and output of the mobile phone, but in some embodiments, they can be integrated together to implement the input and output.
[0080] Furthermore, in some embodiments, the mobile phone 700 includes at least one sensor 750, such as light sensors, motion sensors, or other sensors known in the art. Specifically, in some embodiments, the light sensors can include ambient light sensors which can adjust brightness of the display panel 741 according to the ambient light, and proximity sensors which can turn off the display panel 741 and/or maintain backlight when the mobile phone is placed near the ear side. Accelerometer sensor as one of the motion sensors can detect the magnitude of accelerations in every direction (Triaxial, generally), and detect the magnitude and direction of gravity in an immobile status, which is applicable to applications of identifying attitudes of the mobile (such as switching between horizontal and vertical screens, related games, magnetometer attitude calibration, etc.), vibration recognition related functions (such as pedometer, percussion, etc.). And the mobile phone 700 also can configure other sensors (such as gyroscopes, barometers, hygrometers, thermometers, infrared sensors, etc.) whose detailed descriptions are omitted here.
[0081] In some embodiments, the audio circuit 760, the speaker 761 and the microphone 762 supply an audio interface between the user and the mobile phone. Specifically, in some embodiments, the audio data is received and converted to electrical signals by audio circuit 760, and then transmitted to the speaker 761, which are converted to sound signal to output. Meanwhile, the sound signal collected by the speaker is then converted to electrical signals which will be received and converted to audio data. Subsequently, the audio data are output to the processor 780 to process, and then sent to another mobile phone via the RF circuit 710, or sent to the memory 720 to process further.
[0082] WiFi pertains to short-range wireless transmission technology providing a wireless broadband Internet, by which the mobile phone can help the user to receive and send email, browse web, and access streaming media, etc. Although the WiFi module 770 is illustrated in Fig. 7, it should be apparent to those skilled in the art that the WiFi module 770 is not necessary for the mobile phone, and can be omitted according to the actual demand without changing the essence of the present disclosure.
[0083] In some embodiments, the processor 780 can be a control center of the mobile phone, which connects with every part of the mobile phone by various interfaces or circuits, and performs various functions and processes data by running or performing software program/module stored in the memory 720 or calling data stored in the memory 720, so as to monitor the mobile phone. In some embodiments, the processor 780 may include one or more processing units. Preferably, the processor 780 can integrate with application processors and modem processors, for example, the application processors include processing operating system, user interface and applications, etc.; the modem processors are used for performing wireless communication. It can be understood that it is optional to integrate the modem processors into the processor 780.
[0084] Furthermore, in some embodiments, the mobile phone 700 may include a power supply (such as battery) supplying power for each component, preferably, the power supply can connect with the processor 780 by power management system, so as to manage charging, discharging and power consuming.
[0085] In addition, in some embodiments, the mobile phone 700 may include a camera, and a Bluetooth module, etc., which are not illustrated.
[0086] In some embodiments, the processor 780 in the terminal may include the following functions: recording information about changes made to a selected set of files in a file system in real time as a result of an I/O operation having been processed; after a file is determined to be changed by file real-time monitoring, and after scanning being started, enumerating files; if the enumerated file is determined to be changed according to the recorded database, executing scanning operation to the enumerated file; otherwise, skipping the scanning operation to the enumerated file.
[0087] In some embodiments, a real time file monitor as a result of an I/O operation having been processed can be performed by a file system filter driver configured to receive a notification when the I/O operation results in a change to the selected set of files in the file system. A file filter driver is able to intercept all file I/O requests and monitor the operations to detect changes made to files. If there is an operation of changing file content, such as attempting to write into the file, by certain application programs, a file filter driver is able to capture and record. Thus by file real-time monitoring, any file modification in system can be monitored entirely.
[0088] In some embodiments, recording the information about changes made to files in the file system into a database or a log file in real time may comprise: after a file operation event is captured by a real-time file monitor, determining whether the captured operation event involves a write or modify operation to a file, if yes, the classification of the operation is a file change event, and the file is determined to be changed. Subsequent embodiment will provide more detailed explanation to this issue.
[0089] In some embodiments, because the number of files in the system is relatively large, fully recording all the change information may place a large burden on the memory and the disk. Therefore, the present disclosure provides a solution that only needs to record the information about directories under which files have been changed or modified, without needing to record all the change information of the files. An exemplary solution is as follows: recording the information about changes made to files in the file system into a database or a log file comprises: recording the information about the directories or sub-directories where the changed file is located into a database or a log file.
[0090] In this way, the amount of directory change information is not very large, so the information about the directories under which a file has been changed can be fully recorded. In addition, recording the change information with the "directory" as the unit is better than recording it per "file": enumerating the disk during the scanning process also has overhead, and if a directory has not changed the entire directory can be skipped, which reduces the overhead of enumerating inside the directory as well as the subsequent overhead of determining whether there is a change. Therefore, the scan time will be much shorter.
In some embodiments, when scanning a changed directory, the conventional method can also be used in combination with the method in the present disclosure, i.e. checking the file attributes for changes first and scanning those files whose file attributes have changed. Thus, the conventional method of file attribute calibration can be used in combination with the present method to achieve a better scan time, while reducing the memory overhead and the disk space overhead and using fewer resources in various aspects.
[0091] Furthermore, the embodiments of the present disclosure also provide another solution to provide a higher accuracy of the results of the scan, as follows: based on the method of recording the change of the directories in the file system, the method for accelerating anti-virus scanning in the present disclosure can also include recording the information about changes made to files within the changed directories or changed sub-directories into a database or a log file.
[0092] Thus, the embodiments according to present disclosure can not only record and monitor the information about directories in which files have been changed in real-time, but also monitor and record information about changes made to files. In some embodiments, the method for accelerating anti-virus scanning in the present disclosure can also include the following steps. Firstly, enumerating directories as doing the operation of enumeration, skipping the enumerated directory if the directory has not been changed, enumerating the files within the enumerated directory after determining the directory has been changed. By doing this, the method in the present disclosure can ensure the accuracy of the scan results and there will not be any security risk due to the simple calibration solution in the conventional method.
[0093] In some embodiments, if the step of recording information about changes made to a selected set of files in a file system in real time as a result of an I/O operation having been processed includes: recording information about directories under which files have been changed or modified, then the step of selectively scanning files in the file system that were identified as modified based on the recorded information, further includes:
[0094] after scanning is started, enumerating the file directory, if the enumerated file directory is determined to be changed according to recorded information in the file or in the database, carrying out scanning operation to the file within the enumerated file directory, and otherwise, skipping the scanning operation to the enumerated file directory.
[0095] In some embodiments, if a directory is identified as modified based on the recorded information, after the enumerated file directory is determined to be changed according to the database, the method for accelerating anti-virus scanning further comprises: enumerating the files within the enumerated file directory, if the enumerated file is determined to be changed according to the recorded information, carrying out scanning operation to the enumerated files; otherwise, selectively skipping scanning files that were identified as not modified under the directories based on the recorded information.
[0096] If an initial scan has been performed, then in some embodiments, the method may also include: saving the scan results of an initial scanning into the result database; reading the saved results of the enumerated file from the result database if a scanning operation has been skipped for the enumerated file.
[0097] It should be noted that whether an initial scan has been executed is not a requirement for the present disclosure. If there is no initial scan or initial scan results, the methods provided in the present disclosure will skip the scan operation to those unchanged files according to the recorded information, but there will be no scanning results for those skipped files. If a scan result is needed for those skipped files, in some embodiments, the method for accelerating anti-virus scanning may further include: performing an initial scan and saving the scan results of the initial scanning into the result database; reading the saved results of the enumerated file from the result database if a scanning operation has been skipped for the enumerated file.
[0098] The present disclosure also provides an embodiment to update the results file or results database. To keep the result data in the result database updated and accurate, in some embodiments, the method for accelerating anti-virus scanning can further include the following step after carrying out the scanning operation on the enumerated file or the enumerated file directory: updating the scanning results into the result database or the log file after a scan was performed on the files that were identified as modified.
[0099] While the present disclosure has been described in connection with what are presently considered to be exemplary embodiments, it is to be understood that the present disclosure is not to be limited to the disclosed embodiments, but on the contrary, is intended to cover various modifications and equivalent arrangements which can be thought of easily by one skilled in the art and are comprised within the spirit and protection scope of the present disclosure. Thus, the protection scope of the present disclosure is subject to what is claimed. It should also be noted that, the device in the embodiments mentioned above divides into multiple units according to function logic, which is not limited however, and it is viable if only the corresponding functions can be performed. In addition, the designation for every unit is just for distinguishing each other, which is not limited here.
[00100] Moreover, a person skilled in the art will understand that some or all of the steps in the embodiments mentioned above can be accomplished by a program instructing the related hardware. Such a program can be stored in a computer-readable storage medium such as read-only memory, magnetic or optical disk, etc.
[00101] Reference throughout this specification to "one embodiment," "an embodiment," "example embodiment," or the like in the singular or plural means that one or more particular features, structures, or characteristics described in connection with an embodiment is included in at least one embodiment of the present disclosure. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment," "in an example embodiment," or the like in the singular or plural in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
[00102] The foregoing description, for purpose of explanation, has been described with reference to specific embodiments. However, the illustrative discussions above are not intended to be exhaustive or to limit the disclosure to the precise forms disclosed. Many modifications and variations are possible in view of the above teachings. The embodiments were chosen and described in order to best explain the principles of the disclosure and its practical applications, to thereby enable others skilled in the art to best utilize the disclosure and various embodiments with various modifications as are suited to the particular use contemplated.
[00103] Disclosed above are only embodiments of the present disclosure and these embodiments are not intended to be limiting the scope of the present disclosure, hence any equivalent variations made based on the prospectus and accompanying drawings of the present disclosure, or any direct or indirect use based thereon in other related fields shall fall within the scope of the present disclosure.

Claims

What is claimed is:
1. A method for accelerating anti-virus scanning, comprising: recording, by a computing device having a processor, information about changes made to a selected set of files in a file system in real time as a result of an I/O operation having been processed; and selectively scanning files in the file system that were identified as modified based on the recorded information.
2. The method according to claim 1, wherein the recorded information further comprises changes made to directories which include the selected set of files in real time, the method further comprises: selectively skipping scanning directories that were identified as not modified based on the recorded information.
3. The method according to claim 2, further comprising: for directories that were identified as modified based on the recorded information, selectively skipping scanning files that were identified as not modified under the directories based on the recorded information.
4. The method according to claims 1 , wherein the step of recording information about changes made to the selected set of files in the file system in real time as a result of an I/O operation having been processed is performed by a file system filter driver configured to receive a notification when the I/O operation results in a change to the selected set of files in the file system.
5. The method according to any one of claims 1 to 4, wherein the step of recording information about changes made to a selected set of files in a file system in real time as a result of an I/O operation having been processed further comprises:
determining a file as modified if the processed I/O operation involves a write or modify operation.
6. The method according to any one of claims 1 to 5, further comprising:
saving scan results of a previous scan to a log file; and
if a scan for a set of files is skipped wherein the set of files were identified as not modified, reading the saved scan results for the corresponding set of files from the log file.
7. The method according to claim 6, further comprising:
updating scan results to the log file after a scan was performed on the set of files that were identified as modified.
8. A device for accelerating anti-virus scanning, comprising at least a processor with circuitry operating in conjunction with at least a memory which stores instruction codes operable as a plurality of modules, wherein the plurality of modules comprising: a monitor unit configured to monitor changes made to a selected set of files in real time as a result of an I/O operation having been processed;
a recording unit configured to record information about changes made to the selected set of files in real time; and
a scanning control unit configured to selectively scan files in the file system that were identified as modified based on the recorded information.
9. The device according to claim 8, wherein the recording unit is further configured to record information about changes made to directories which include the selected set of files in real time; and
the scanning control unit is further configured to selectively skip scanning directories that were identified as not modified based on the recorded information.
10. The device according to claim 9, wherein for directories that were identified as modified based on the recorded information, the scanning control unit is further configured to selectively skip scanning files that were identified as not modified under the directories based on the recorded information.
11. The device according to any one of claims 8 to 10, wherein the monitor unit further comprises a file system filter driver configured to receive a notification when the I/O operation results in a change to the selected set of files in the file system, and the monitor unit is configured to monitor changes made to a selected set of files in real time by the file system filter driver.
12. The device according to any one of claims 8 to 11, wherein the monitor unit is further configured to identify a file as modified if the processed I/O operation involves a write or modify operation.
13. The device according to any one of claims 8 to 12, wherein the plurality of modules further comprise:
a memory unit configured to save scan results of a previous scan to a log file; and
a result reading unit configured to read the saved scan results for a set of files from the log file, if a scan for the corresponding set of files is skipped wherein the set of files were identified as not modified.
14. The device according to claim 13, wherein the plurality of modules further comprise:
a data updating unit configured to update scan results to the log file after the scanning control unit performed a scan.
15. A non-transitory computer-readable storage medium comprising a set of instructions for accelerating anti-virus scanning, the set of instructions to direct at least one processor to perform acts of:
recording information about changes made to a selected set of files in a file system in real time as a result of an I/O operation having been processed; and
selectively scanning files in the file system that were identified as modified based on the recorded information.
16. The non-transitory computer-readable storage medium according to claim 15, wherein the set of instructions, when executed, further cause the processor to perform the act of:
selectively skipping scanning directories that were identified as not modified based on the recorded information, wherein the recorded information further comprises changes made to directories which include the selected set of files in real time.
17. The non-transitory computer-readable storage medium according to claim 16, wherein the set of instructions, when executed, further cause the processor to perform the act of:
for directories that were identified as modified based on the recorded information, selectively skipping scanning files that were identified as not modified under the directories based on the recorded information.
18. The non-transitory computer-readable storage medium according to claim 15, wherein the set of instructions, when executed, further cause the processor to perform the act of:
saving scan results of a previous scan to a log file; and
if a scan for a set of files is skipped wherein the set of files were identified as not modified, reading the saved scan results for the corresponding set of files from the log file.
19. The non-transitory computer-readable storage medium according to claim 15, wherein the set of instructions, when executed, further cause the processor to perform the act of:
updating scan results to the log file after a scan was performed on the set of files that were identified as modified.
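The scan-control logic the claims describe can be sketched as follows. This is an added example, not code from the patent or the applicant: `ChangeRecorder`, `selective_scan`, the `engine` callable and the sample paths are hypothetical, the I/O events are fed in by hand where a real system would receive them from a file system filter driver, and treating a file with no saved result as needing a scan is an assumption.

```python
import posixpath

WRITE_OPS = {"write", "modify"}  # claim 5: only these operations mark a file as modified

class ChangeRecorder:
    """Stand-in for the monitor and recording units; a real one is fed by a filter driver."""
    def __init__(self):
        self.files, self.dirs = set(), set()

    def on_io(self, op, path):
        if op in WRITE_OPS:
            self.files.add(path)
            self.dirs.add(posixpath.dirname(path))

    def drain(self):
        """Hand over the recorded changes and start a fresh record for the next scan."""
        snapshot = (self.files, self.dirs)
        self.files, self.dirs = set(), set()
        return snapshot


def selective_scan(tree, recorder, log, engine):
    """tree: {directory: [file names]}; log: {path: verdict} saved by the previous scan."""
    changed_files, changed_dirs = recorder.drain()
    scanned, reused = [], []
    for directory, names in tree.items():
        paths = [posixpath.join(directory, n) for n in names]
        if directory not in changed_dirs and all(p in log for p in paths):
            reused += paths                 # claim 9: unmodified directory skipped whole
            continue
        for p in paths:
            if p not in changed_files and p in log:
                reused.append(p)            # claims 10 and 6: skip, read the saved result
            else:
                log[p] = engine(p)          # claim 7: scan, then update the log
                scanned.append(p)
    return scanned, reused


def demo():
    # Constructed sample data: two directories and a toy engine that flags one path.
    tree = {"/docs": ["a.txt", "b.txt"], "/bin": ["tool.exe", "lib.dll"]}
    engine = lambda p: "infected" if p == "/bin/tool.exe" else "clean"
    recorder, log = ChangeRecorder(), {}
    first = selective_scan(tree, recorder, log, engine)    # empty log: everything is scanned
    recorder.on_io("read", "/docs/a.txt")                  # reads do not mark anything
    recorder.on_io("write", "/bin/lib.dll")
    second = selective_scan(tree, recorder, log, engine)
    return first, second, log
```

The second pass scans only the written file; the earlier verdict for `/bin/tool.exe` comes from the log without the engine being called again.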
PCT/CN2014/083171 2013-07-29 2014-07-28 Method and device for accelerating anti-virus scanning cross-reference to related applications WO2015014259A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310323071.0A CN103336925B (en) 2013-07-29 2013-07-29 A kind of method and apparatus scanning acceleration
CN201310323071.0 2013-07-29

Publications (2)

Publication Number Publication Date
WO2015014259A1 true WO2015014259A1 (en) 2015-02-05
WO2015014259A8 WO2015014259A8 (en) 2015-08-20

Family

ID=49245087

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/083171 WO2015014259A1 (en) 2013-07-29 2014-07-28 Method and device for accelerating anti-virus scanning cross-reference to related applications

Country Status (2)

Country Link
CN (1) CN103336925B (en)
WO (1) WO2015014259A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210390176A1 (en) * 2018-11-19 2021-12-16 Samsung Electronics Co., Ltd. Electronic device and control method therefor

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103336925B (en) * 2013-07-29 2016-10-05 腾讯科技(深圳)有限公司 A kind of method and apparatus scanning acceleration
CN103744912A (en) * 2013-12-23 2014-04-23 乐视致新电子科技(天津)有限公司 Video file scanning method and electronic device
CN104765740B (en) * 2014-01-03 2021-10-08 腾讯科技(深圳)有限公司 File scanning control method and device
CN104182478A (en) * 2014-08-01 2014-12-03 北京华清泰和科技有限公司 Website monitoring pre-warning method
CN104699513B (en) * 2015-03-31 2018-11-09 联想(北京)有限公司 A kind of document handling method and device
CN104794180B (en) * 2015-04-09 2018-06-15 广东小天才科技有限公司 Method and device for scanning and acquiring learning data by point reader
CN104778411B (en) * 2015-04-22 2017-10-27 百度在线网络技术(北京)有限公司 Virus scan method and virus scan device
CN105426386A (en) * 2015-10-23 2016-03-23 小米科技有限责任公司 File synchronization method and apparatus, and terminal device
CN105389509A (en) * 2015-11-16 2016-03-09 北京奇虎科技有限公司 Document scanning method and apparatus
CN106909845A (en) * 2015-12-23 2017-06-30 北京奇虎科技有限公司 A kind of method and apparatus of program object scanning
CN105718800A (en) * 2016-01-18 2016-06-29 北京金山安全管理系统技术有限公司 Rapid virus scanning and killing method and apparatus
WO2018058517A1 (en) * 2016-09-30 2018-04-05 北京小米移动软件有限公司 Secure scanning method and apparatus, and electronic device
CN111859896B (en) * 2019-04-01 2022-11-25 长鑫存储技术有限公司 Formula document detection method and device, computer readable medium and electronic equipment
CN110766341B (en) * 2019-10-31 2020-12-01 望海康信(北京)科技股份公司 Control method and device for optimizing job scheduling, computer equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7441274B1 (en) * 2000-09-18 2008-10-21 Mcafee, Inc. Method and apparatus for minimizing file scanning by anti-virus programs
US20100138924A1 (en) * 2008-11-30 2010-06-03 Itamar Heim Accelerating the execution of anti-virus programs in a virtual machine environment
CN102609653A (en) * 2012-02-07 2012-07-25 奇智软件(北京)有限公司 File quick-scanning method and file quick-scanning system
CN102799823A (en) * 2012-07-13 2012-11-28 北京江民新科技术有限公司 Virus detection method and system
US8375451B1 (en) * 2006-06-28 2013-02-12 Emc Corporation Security for scanning objects
CN103336925A (en) * 2013-07-29 2013-10-02 腾讯科技(深圳)有限公司 Scanning acceleration method and device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101017522A (en) * 2006-04-14 2007-08-15 北京瑞星国际软件有限公司 Method and device for preventing mobile terminal from being infracting by virus
CN101127061B (en) * 2006-08-16 2010-05-26 珠海金山软件股份有限公司 Device preventing and treating computer virus capable of pre-estimating schedule and schedule pre-estimation method
CN100592298C (en) * 2008-05-13 2010-02-24 华为技术有限公司 File synchronisation method and device
CN103186535B (en) * 2011-12-27 2016-10-19 腾讯科技(深圳)有限公司 A kind of mobile terminal picture management method and equipment

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210390176A1 (en) * 2018-11-19 2021-12-16 Samsung Electronics Co., Ltd. Electronic device and control method therefor
US11809550B2 (en) * 2018-11-19 2023-11-07 Samsung Electronics Co., Ltd. Electronic device and control method therefor

Also Published As

Publication number Publication date
CN103336925B (en) 2016-10-05
WO2015014259A8 (en) 2015-08-20
CN103336925A (en) 2013-10-02

Similar Documents

Publication Publication Date Title
WO2015014259A1 (en) Method and device for accelerating anti-virus scanning cross-reference to related applications
US9800609B2 (en) Method, device and system for detecting malware in a mobile terminal
US10198573B2 (en) Method, device and computer storage medium for controlling the running of an application
US20160241589A1 (en) Method and apparatus for identifying malicious website
CN107329985B (en) Page collection method and device and mobile terminal
US11323542B2 (en) Objection blocking method, terminal, server, and storage medium
US9754113B2 (en) Method, apparatus, terminal and media for detecting document object model-based cross-site scripting attack vulnerability
US9256421B2 (en) Method, device and terminal for improving running speed of application
US20150169874A1 (en) Method, device, and system for identifying script virus
US11063962B2 (en) Malicious URL detection method and apparatus, terminal, and computer storage medium
US10956653B2 (en) Method and apparatus for displaying page and a computer storage medium
WO2015078342A1 (en) Method for acquiring memory information, and terminal
EP2979177B1 (en) Method for controlling process of application and computer system
US9588757B2 (en) Data update method, user terminal, and data update system
US10237291B2 (en) Session processing method and device, server and storage medium
WO2014173167A1 (en) Method, apparatus and system for filtering data of web page
CN109002547B (en) Log file storage method, mobile terminal and computer readable storage medium
WO2014166266A1 (en) File scanning method and system, client and server
WO2014206295A1 (en) Method, device and computer-readable storage medium for monitoring uninstallation event in operation platform
US20150089662A1 (en) Method and system for identifying file security and storage medium
WO2014183434A1 (en) Method and device for removing macro virus
EP2869233B1 (en) Method, device and terminal for protecting application program
CN106709330B (en) Method and device for recording file execution behaviors
US20160314036A1 (en) Method and Apparatus for Repairing Dynamic Link Library File
WO2014198118A1 (en) Method and device for protecting privacy information with browser

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14832016

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 14.07.2016)

122 Ep: pct application non-entry in european phase

Ref document number: 14832016

Country of ref document: EP

Kind code of ref document: A1