CN104239795A - File scanning method and device - Google Patents


Info

Publication number: CN104239795A
Authority: CN (China)
Prior art keywords: file, characteristic, described file, recognition result, size
Legal status: Granted
Application number: CN201410472180.3A
Other languages: Chinese (zh)
Other versions: CN104239795B (en)
Inventors: 郭明强, 汪俊文, 曹亮
Current assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Original assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN201410472180.3A
Publication of CN104239795A
Application granted
Publication of CN104239795B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/562 Static detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

An embodiment of the invention provides a file scanning method and device. A file to be scanned is obtained and then identified according to at least one of the file's size and the file's feature data, yielding a recognition result that says the file is a trusted file, an untrusted file, or an unknown file. Virus scanning is then performed only on files whose result is "unknown", rather than on every file. This avoids the prior-art problem that scanning every file occupies a large share of the terminal's system resources, and improves the processing performance of the terminal.

Description

File scanning method and device
[Technical field]
The present invention relates to computer technology, and in particular to a file scanning method and device.
[Background art]
A virus is data that is compiled into, or inserted into, an application program in order to damage the functions of a terminal; it can interfere with the normal use of the application program and can replicate itself, and it usually takes the form of a set of instructions or program code. Viruses are destructive, self-replicating and contagious. A terminal can use an antivirus engine to perform virus scanning on the files it stores, so as to find virus files and take corresponding defensive action.
However, because a terminal stores a large number of files, performing virus scanning on every file occupies a large share of the terminal's system resources and therefore reduces the processing performance of the terminal.
[Summary of the invention]
Aspects of the present invention provide a file scanning method and device in order to improve the processing performance of a terminal.
One aspect of the present invention provides a file scanning method, comprising:
obtaining a file to be scanned;
identifying the file according to at least one of the size of the file and the feature data of the file, to obtain a recognition result, the recognition result being that the file is a trusted file, that the file is an untrusted file, or that the file is an unknown file; and
performing virus scanning on the unknown file according to the recognition result.
In the aspect above and any possible implementation, a further implementation is provided in which, after identifying the file according to at least one of the size of the file and the feature data of the file to obtain the recognition result, the method further comprises: skipping the trusted file according to the recognition result.
In the aspect above and any possible implementation, a further implementation is provided in which, after identifying the file according to at least one of the size of the file and the feature data of the file to obtain the recognition result, the method further comprises: raising an alarm for the untrusted file according to the recognition result.
In the aspect above and any possible implementation, a further implementation is provided in which the file comprises an executable file or a non-executable file.
In the aspect above and any possible implementation, a further implementation is provided in which identifying the file according to at least one of the size of the file and the feature data of the file, to obtain the recognition result, comprises:
obtaining the size of the file;
if the size of the file matches the size of a candidate file, obtaining the feature data of a specified portion of the file's content, the candidate file comprising at least one of a trusted file and/or an untrusted file;
if the feature data of the specified portion of the file's content matches the feature data of the specified portion of the candidate file's content, obtaining the feature data of the full content of the file; and
if the feature data of the full content of the file matches the feature data of the full content of the candidate file, obtaining the recognition result that the file is a trusted file or that the file is an untrusted file.
In the aspect above and any possible implementation, a further implementation is provided in which identifying the file according to at least one of the size of the file and the feature data of the file, to obtain the recognition result, further comprises:
if the size of the file fails to match the size of the candidate file, obtaining the recognition result that the file is an unknown file; or
if the feature data of the specified portion of the file's content fails to match the feature data of the specified portion of the candidate file's content, obtaining the recognition result that the file is an unknown file; or
if the feature data of the full content of the file fails to match the feature data of the full content of the candidate file, obtaining the recognition result that the file is an unknown file.
In the aspect above and any possible implementation, a further implementation is provided in which, before identifying the file according to at least one of the size of the file and the feature data of the file to obtain the recognition result, the method further comprises: according to false-alarm information for any file, treating that file as the trusted file.
In the aspect above and any possible implementation, a further implementation is provided in which, if the size of the file matches the size of the candidate file, obtaining the feature data of the specified portion of the file's content comprises: if the size of the file matches the size of the candidate file, using a first hash algorithm to obtain the feature data of the first M bytes of the file, M being an integer greater than or equal to 1.
In the aspect above and any possible implementation, a further implementation is provided in which, if the feature data of the specified portion of the file's content matches the feature data of the specified portion of the candidate file's content, obtaining the feature data of the full content of the file comprises: if the feature data of the specified portion of the file's content matches the feature data of the specified portion of the candidate file's content, using a second hash algorithm to obtain the feature data of the full content of the file.
Another aspect of the present invention provides a file scanning device, comprising:
an acquiring unit for obtaining a file to be scanned;
a recognition unit for identifying the file according to at least one of the size of the file and the feature data of the file, to obtain a recognition result, the recognition result being that the file is a trusted file, that the file is an untrusted file, or that the file is an unknown file; and
a scanning unit for performing virus scanning on the unknown file according to the recognition result.
In the aspect above and any possible implementation, a further implementation is provided in which the scanning unit is also for skipping the trusted file according to the recognition result.
In the aspect above and any possible implementation, a further implementation is provided in which the scanning unit is also for raising an alarm for the untrusted file according to the recognition result.
In the aspect above and any possible implementation, a further implementation is provided in which the file comprises an executable file or a non-executable file.
In the aspect above and any possible implementation, a further implementation is provided in which the recognition unit is specifically for:
obtaining the size of the file;
if the size of the file matches the size of a candidate file, obtaining the feature data of a specified portion of the file's content, the candidate file comprising at least one of a trusted file and/or an untrusted file;
if the feature data of the specified portion of the file's content matches the feature data of the specified portion of the candidate file's content, obtaining the feature data of the full content of the file; and
if the feature data of the full content of the file matches the feature data of the full content of the candidate file, obtaining the recognition result that the file is a trusted file or that the file is an untrusted file.
In the aspect above and any possible implementation, a further implementation is provided in which the recognition unit is also for:
if the size of the file fails to match the size of the candidate file, obtaining the recognition result that the file is an unknown file; or
if the feature data of the specified portion of the file's content fails to match the feature data of the specified portion of the candidate file's content, obtaining the recognition result that the file is an unknown file; or
if the feature data of the full content of the file fails to match the feature data of the full content of the candidate file, obtaining the recognition result that the file is an unknown file.
In the aspect above and any possible implementation, a further implementation is provided in which the recognition unit is also for treating any file as the trusted file according to false-alarm information for that file.
In the aspect above and any possible implementation, a further implementation is provided in which the recognition unit is specifically for, if the size of the file matches the size of the candidate file, using a first hash algorithm to obtain the feature data of the first M bytes of the file, M being an integer greater than or equal to 1.
In the aspect above and any possible implementation, a further implementation is provided in which the recognition unit is specifically for, if the feature data of the specified portion of the file's content matches the feature data of the specified portion of the candidate file's content, using a second hash algorithm to obtain the feature data of the full content of the file.
As can be seen from the technical solution above, an embodiment of the present invention obtains a file to be scanned and then identifies it according to at least one of its size and its feature data, obtaining a recognition result that the file is a trusted file, an untrusted file or an unknown file, so that virus scanning can be performed on the unknown file according to the recognition result. Because only unknown files need to be virus-scanned, rather than every file, the prior-art problem that scanning each file occupies a large share of the terminal's system resources is avoided, and the processing performance of the terminal is improved.
In addition, because the technical solution provided by the invention only needs to virus-scan unknown files, the efficiency of virus identification is effectively improved.
In addition, by treating any file for which false-alarm information exists as a trusted file, the technical solution provided by the invention avoids continuing to raise alarms for that file later, which effectively improves the reliability of virus identification.
[Brief description of the drawings]
To describe the technical solutions of the embodiments of the present invention more clearly, the drawings required by the embodiments or by the description of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of the file scanning method provided by an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of the file scanning device provided by another embodiment of the present invention.
[Detailed description]
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the present invention.
It should be noted that the terminal referred to in the embodiments of the present invention may include, but is not limited to, a mobile phone, a personal digital assistant (PDA), a wireless handheld device, a wireless Internet access device, a personal computer, a portable computer, an MP3 player, an MP4 player, and so on.
In addition, the term "and/or" herein merely describes an association between related objects and indicates that three relationships may exist; for example, "A and/or B" may mean A alone, A and B together, or B alone. The character "/" herein generally indicates that the objects before and after it are in an "or" relationship.
Fig. 1 is a schematic flow chart of the file scanning method provided by an embodiment of the present invention, as shown in Fig. 1.
101. Obtain a file to be scanned.
102. Identify the file according to at least one of the size of the file and the feature data of the file, to obtain a recognition result; the recognition result is that the file is a trusted file, that the file is an untrusted file, or that the file is an unknown file.
Here, a trusted file is a file that can be confirmed not to be a virus file; an untrusted file is a file that can be confirmed to be a virus file; an unknown file is a file that can be confirmed neither to be free of viruses nor to be a virus file.
A virus file is a file that contains a virus.
103. Perform virus scanning on the unknown file according to the recognition result.
In this way, by performing virus scanning on the unknown file, a scanning result is obtained, and the relevant virus-defense processing can then be carried out according to that scanning result, for example raising an alarm for a file identified as a virus file, or releasing a file identified as virus-free; the present embodiment does not specifically limit this.
It can be understood that the unknown file on which virus scanning is performed in 103 is the file whose recognition result is "unknown file".
Here, a virus, also called a computer virus, may include, but is not limited to, a Trojan horse, a backdoor, a local-area-network worm, an e-mail worm, spyware, a file-infecting virus, or a rootkit/bootkit.
It should be noted that the entity executing 101 to 103 may be an antivirus engine, which may be located in a local client to perform offline virus removal, or in a server on the network side to perform online virus removal; the present embodiment does not limit this.
It can be understood that the client may be a native application (nativeApp) installed in the terminal, or a web application (webApp) running in the terminal's browser, or any other objectively existing form that can virus-scan files so as to provide a secure system environment; the present embodiment does not limit this.
In this way, a file to be scanned is obtained and then identified according to at least one of its size and its feature data, obtaining a recognition result that the file is a trusted file, an untrusted file or an unknown file, so that virus scanning can be performed on the unknown file according to the recognition result. Because only unknown files need to be virus-scanned, rather than every file, the prior-art problem that scanning each file occupies a large share of the terminal's system resources is avoided, and the processing performance of the terminal is improved.
Optionally, in a possible implementation of the present embodiment, the file to be scanned in 101 is a file among those stored in the storage device of the terminal, determined according to the scanning range. Specifically, it may be a file obtained in turn, according to some scanning order, from all files stored in the terminal's storage device, or from all files stored under a specified path of the terminal's storage device; the present embodiment does not specifically limit this.
In one specific implementation, the storage device of the terminal may be slow storage, specifically the hard disk of a computer system, or the non-running (physical) memory of a mobile phone, such as read-only memory (ROM) and a RAM card; the present embodiment does not specifically limit this.
In another specific implementation, the storage device of the terminal may also be fast storage, specifically the internal memory of a computer system, or the running memory (system memory) of a mobile phone, such as random access memory (RAM); the present embodiment does not specifically limit this.
Optionally, in a possible implementation of the present embodiment, the file may be an executable file. Specifically, an executable file is a file in the Portable Executable (PE) format, which can be loaded into memory and executed by the operating system loader. The extension of an executable file may include, but is not limited to, .exe, .sys and .scr.
Optionally, in a possible implementation of the present embodiment, the file may be a non-executable file. Specifically, a non-executable file is any file other than an executable file.
Optionally, in a possible implementation of the present embodiment, after 102, the trusted file may further be skipped according to the recognition result.
It can be understood that the trusted file that is skipped here is the file whose recognition result is "trusted file". Because this file can be confirmed not to be a virus file, there is no need to virus-scan it again; it is skipped directly and execution returns to 101 to obtain the next file to be scanned. In this way, because only unknown files need to be virus-scanned and trusted files are skipped rather than scanned, the efficiency of virus identification is effectively improved.
Optionally, in a possible implementation of the present embodiment, after 102, an alarm may further be raised for the untrusted file according to the recognition result.
It can be understood that the untrusted file for which the alarm is raised here is the file whose recognition result is "untrusted file". Because this file can be confirmed to be a virus file, there is no need to virus-scan it again; the alarm is raised directly and execution returns to 101 to obtain the next file to be scanned. In this way, because only unknown files need to be virus-scanned and untrusted files go straight to alarm processing rather than being scanned, the efficiency of virus identification is effectively improved.
Optionally, in a possible implementation of the present embodiment, the size of the file may be obtained in 102. If the size of the file matches the size of a candidate file, the feature data of a specified portion of the file's content may further be obtained, where a candidate file is a known trusted file and/or untrusted file. If the feature data of the specified portion of the file's content matches the feature data of the specified portion of the candidate file's content, the feature data of the full content of the file may further be obtained. If the feature data of the full content of the file matches the feature data of the full content of the candidate file, the recognition result that the file is a trusted file or that the file is an untrusted file may further be obtained.
In one specific implementation, the feature data of the specified portion of the file's content and the feature data of the full content of the file may be static features, i.e. features derived from the file without executing it, or dynamic features, i.e. features derived from the file as it executes; the present embodiment does not specifically limit this.
Specifically, a first hash algorithm, for example the 32-bit cyclic redundancy check (CRC32), Adler-32 or Message Digest Algorithm 4 (MD4), may be used to obtain the feature data of the first M bytes of the file, M being an integer greater than or equal to 1.
Specifically, a second hash algorithm, for example Message Digest Algorithm 5 (MD5) or Secure Hash Algorithm 256 (SHA-256), may be used to obtain the feature data of the full content of the file.
Further, if the size of the file fails to match the size of the candidate file, the recognition result that the file is an unknown file is obtained.
Further, if the feature data of the specified portion of the file's content fails to match the feature data of the specified portion of the candidate file's content, the recognition result that the file is an unknown file is obtained.
Further, if the feature data of the full content of the file fails to match the feature data of the full content of the candidate file, the recognition result that the file is an unknown file is obtained.
In one specific implementation, a database is built from some known trusted files and/or untrusted files. Existing file-recognition algorithms, such as feature matching, may be used to identify certain files as trusted files or untrusted files; the present embodiment does not specifically limit this. The database may include, but is not limited to, the following for each file:
the type of the file;
the size of the file;
the feature data of the specified portion of the file's content; and
the feature data of the full content of the file.
The type of the file indicates whether the file is a trusted file or an untrusted file and can usually be represented in 32 bits. A trusted file is one that can be confirmed not to be a virus file; an untrusted file is one that can be confirmed to be a virus file. For example, 0 may indicate a trusted file and 1 an untrusted file, or 1 may indicate a trusted file and 0 an untrusted file; the present embodiment does not specifically limit this.
It should be noted that the data of files with the same type may be grouped, according to the file type, into a list of files of that type, for example a whitelist formed from the data of trusted files or a blacklist formed from the data of untrusted files.
The size of the file indicates the actual number of bytes in the file's content; its value can be represented with a number of bits chosen according to the maximum file size limit, usually 32 bits.
The feature data of the specified portion of the file's content reflects how the specified portion of one file differs from other files; its width depends on the type of the first hash algorithm, and it is usually the 32-bit hash value computed by the CRC32 algorithm.
In general, the specified portion may be predefined according to the order in which file data is read and the unit in which it is read. For example, if the read unit of the file is a cluster and the default cluster size is 4K bytes, the specified portion of the file may be defined as the first 4K bytes of the file.
The feature data of the full content of the file reflects how the full content of one file differs from other files and can serve as the unique identifier of the file; its width depends on the type of the second hash algorithm, and it is usually the 128-bit hash value computed by MD5.
Further, if the type of the file is "untrusted file", the database also needs to include virus-name information, such as the virus name length and the virus name.
In another specific implementation, the obtained size of the file may be used to perform a first match in the database built in the previous implementation, to determine whether the size of the file matches the size of a file included in the database.
If the match succeeds, the obtained feature data of the specified portion of the file's content may further be used to perform a second match in the database, to determine whether it matches the feature data of the specified portion of a file included in the database. If no match is found, the recognition result that the file is an unknown file is obtained.
If the match succeeds, the obtained feature data of the full content of the file may further be used to perform a third match in the database, to determine whether it matches the feature data of the full content of a file included in the database. If no match is found, the recognition result that the file is an unknown file is obtained.
If the match succeeds, the file type of the matched file may be taken as the recognition result of the file to be scanned, i.e. that the file is a trusted file or that the file is an untrusted file. If no match is found, the recognition result that the file is an unknown file is obtained.
It can be understood that what counts as a successful match can be defined according to the requirements of the matching. Specifically, it may require the data to be matched to be completely identical, i.e. complete or exact matching, or only substantially identical, i.e. incomplete or fuzzy matching; the present embodiment does not specifically limit this.
Due to some reasons, such as, the logic of virus scan process goes wrong, or, more such as, the compiling problem of file self, etc., can not be the file of virus document by some, be identified as virus document mistakenly, and then alarming processing is carried out to this file.That is, the warning information that the alarming processing of carrying out this file produces is a wrong warning information i.e. warning information by mistake.Specifically can gather so-called warning information by mistake by number of ways, such as, operating personnel manually investigate in alarm record, or, more such as, the active feedback of user, etc.For this situation, in one of the present embodiment possible implementation, before 102, can also further according to the mistake warning information of arbitrary file, using described arbitrary file as described trusted file.
Like this, by the mistake warning information according to arbitrary file, using described arbitrary file as described trusted file, to avoid follow-up continuation to carry out alarming processing to described arbitrary file, the reliability that virus identifies effectively can be improved.
In this embodiment, a file to be scanned is obtained and then identified according to at least one of the size of the file and the feature value of the file, to obtain a recognition result; the recognition result is that the file is a trusted file, that the file is an untrusted file, or that the file is an unknown file. Virus scan processing can then be performed on the unknown file according to the recognition result. Since virus scan processing only needs to be performed on unknown files, rather than on every file, the problem in the prior art of virus scan processing of each file occupying a large amount of the terminal's system resources is avoided, which improves the processing performance of the terminal.
In addition, with the technical solution provided by the invention, since virus scan processing only needs to be performed on unknown files, the efficiency of virus identification can be effectively improved.
In addition, with the technical solution provided by the invention, treating any file for which false-alarm information exists as a trusted file avoids continuing to perform alarm processing on that file, which can effectively improve the reliability of virus identification.
It should be noted that, for simplicity of description, each of the foregoing method embodiments is expressed as a series of combined actions, but those skilled in the art should understand that the invention is not limited by the described sequence of actions, because according to the invention some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the invention.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, refer to the related description of the other embodiments.
Fig. 2 is a schematic structural diagram of a file scanning apparatus provided by another embodiment of the invention. As shown in Fig. 2, the file scanning apparatus of this embodiment can comprise an acquiring unit 21, a recognition unit 22 and a scanning unit 23. The acquiring unit 21 is for obtaining a file to be scanned; the recognition unit 22 is for identifying the file according to at least one of the size of the file and the feature value of the file, to obtain a recognition result, the recognition result being that the file is a trusted file, that the file is an untrusted file, or that the file is an unknown file; and the scanning unit 23 is for performing virus scan processing on the unknown file according to the recognition result.
Here, a trusted file is a file that can be confirmed not to be a virus file; an untrusted file is a file that can be confirmed to be a virus file; and an unknown file is a file that can neither be confirmed not to be a virus file nor be confirmed to be a virus file.
It should be noted that the scanning apparatus provided by this embodiment may be an antivirus engine, which may be located in a local client to perform virus removal offline, or may be located in a network-side server to perform virus removal online; this embodiment does not restrict this.
It should be understood that the client may be a native program (native app) installed in the terminal, or a web page program (web app) of the browser in the terminal; any form of existence that can implement virus scanning of files so as to provide a secure system environment is acceptable, and this embodiment does not restrict this.
Optionally, in one possible implementation of this embodiment, the scanning unit 23 can further be used to skip processing of the trusted file according to the recognition result.
Optionally, in one possible implementation of this embodiment, the scanning unit 23 can further be used to perform alarm processing on the untrusted file according to the recognition result.
Optionally, in one possible implementation of this embodiment, the file may be an executable file. Specifically, an executable file is a file in the Portable Executable (PE) file format, which can be loaded into memory and executed by the operating system loader. The extension of an executable file can include, but is not limited to, .exe, .sys and .scr.
Optionally, in one possible implementation of this embodiment, the file may be a non-executable file. Specifically, a non-executable file is any file other than an executable file.
Optionally, in one possible implementation of this embodiment, the recognition unit 22 may specifically be used to: obtain the size of the file; if the size of the file matches the size of a reference file, obtain the feature value of the specified portion of the content of the file, the reference file comprising at least one of a trusted file and/or an untrusted file; if the feature value of the specified portion of the content of the file matches the feature value of the specified portion of the content of the reference file, obtain the feature value of the full content of the file; and if the feature value of the full content of the file matches the feature value of the full content of the reference file, obtain the recognition result that the file is a trusted file or that the file is an untrusted file.
In a specific implementation, the feature value of the specified portion of the content of the file and the feature value of the full content of the file may be static features. A static feature can be understood as a signature code derived from the file itself, serving as the basis for characterizing the file.
Specifically, if the size of the file matches the size of the reference file, the recognition unit 22 may use a first hash algorithm, for example the 32-bit cyclic redundancy check (Cyclic Redundancy Check, CRC32) algorithm, Adler-32, or Message Digest Algorithm 4 (MD4), to obtain the feature value of the first M bytes of the file, M being an integer greater than or equal to 1.
Specifically, if the feature value of the specified portion of the content of the file matches the feature value of the specified portion of the content of the reference file, the recognition unit 22 may use a second hash algorithm, for example Message Digest Algorithm 5 (MD5) or Secure Hash Algorithm 256 (SHA-256), to obtain the feature value of the full content of the file.
Further, the recognition unit 22 can also be used, if the size of the file fails to match the size of the reference file, to obtain the recognition result that the file is an unknown file.
Further, the recognition unit 22 can also be used, if the feature value of the specified portion of the content of the file fails to match the feature value of the specified portion of the content of the reference file, to obtain the recognition result that the file is an unknown file.
Further, the recognition unit 22 can also be used, if the feature value of the full content of the file fails to match the feature value of the full content of the reference file, to obtain the recognition result that the file is an unknown file.
For various reasons, for example a flaw in the logic of the virus scan process, or a compilation problem in the file itself, a file that is not a virus file may be wrongly identified as a virus file and then subjected to alarm processing. That is, the alarm information produced by the alarm processing of such a file is wrong alarm information, i.e. false-alarm information. For this situation, in one possible implementation of this embodiment, the recognition unit 22 can further be used to treat any file for which false-alarm information exists as a trusted file.
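The three-stage matching performed by the recognition unit 22 above (and by the method embodiment before it), together with the false-alarm feedback that promotes a file to trusted, as an added Python example that is not part of the patent or of any Baidu code. The choice of M = 4096 bytes, CRC32 as the first hash algorithm, SHA-256 as the second, the in-memory database layout and the sample "files" are all my assumptions.

```python
import hashlib
import zlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed parameters (assumptions, not values fixed by the patent): M = 4096
# bytes for the partial feature, CRC32 as the "first hash algorithm" and SHA-256
# as the "second hash algorithm".
PARTIAL_LEN = 4096
TRUSTED, UNTRUSTED, UNKNOWN = "trusted", "untrusted", "unknown"

def partial_hash(data: bytes) -> int:
    """First hash algorithm: CRC32 over the first M bytes (cheap to compute)."""
    return zlib.crc32(data[:PARTIAL_LEN]) & 0xFFFFFFFF

def full_hash(data: bytes) -> str:
    """Second hash algorithm: SHA-256 over the full content (unique identifier)."""
    return hashlib.sha256(data).hexdigest()

@dataclass
class Record:
    """One database entry: size, partial feature, full feature, file type, and
    the virus name for untrusted entries (the patent stores length + name)."""
    size: int
    partial: int
    full: str
    kind: str
    virus_name: Optional[str] = None

class SignatureDB:
    def __init__(self) -> None:
        # Indexed by size so that the first matching stage is a dictionary lookup.
        self.by_size: Dict[int, List[Record]] = {}

    def add(self, data: bytes, kind: str, virus_name: Optional[str] = None) -> Record:
        rec = Record(len(data), partial_hash(data), full_hash(data), kind, virus_name)
        self.by_size.setdefault(rec.size, []).append(rec)
        return rec

    def whitelist_false_alarm(self, data: bytes) -> Record:
        """False-alarm feedback: drop any untrusted entry for this exact content
        and record the file as trusted so it is not alarmed on again."""
        digest = full_hash(data)
        bucket = self.by_size.get(len(data), [])
        bucket[:] = [r for r in bucket if r.full != digest]
        return self.add(data, TRUSTED)

def identify(db: SignatureDB, data: bytes) -> Tuple[str, Optional[str]]:
    """Three-stage matching: size, then partial hash, then full hash. A stage
    that fails yields UNKNOWN; each costlier hash is only computed after the
    cheaper stage matched. Returns (recognition result, virus name or None)."""
    candidates = db.by_size.get(len(data), [])
    if not candidates:
        return UNKNOWN, None
    p = partial_hash(data)
    candidates = [r for r in candidates if r.partial == p]
    if not candidates:
        return UNKNOWN, None
    f = full_hash(data)
    for rec in candidates:
        if rec.full == f:
            return rec.kind, rec.virus_name
    return UNKNOWN, None

def scan(db: SignatureDB, data: bytes, engine: Callable[[bytes], str]) -> str:
    """Dispatch on the recognition result: trusted files are skipped, untrusted
    files raise an alarm carrying the virus name, and only unknown files are
    handed to the (expensive) virus scan engine."""
    kind, name = identify(db, data)
    if kind == TRUSTED:
        return "skipped"
    if kind == UNTRUSTED:
        return f"alarm:{name}"
    return engine(data)

# Constructed sample "files" (not real malware); CLEAN, MALICIOUS and SAME_PREFIX
# have the same size, so the size stage alone cannot tell them apart.
CLEAN = b"MZ" + b"\x00" * 5000
MALICIOUS = b"MZ" + b"\x90" * 5000
SAME_PREFIX = CLEAN[:PARTIAL_LEN] + b"\xff" * (len(CLEAN) - PARTIAL_LEN)
OTHER_SIZE = b"MZ" + b"\x00" * 10

def build_demo_db() -> SignatureDB:
    db = SignatureDB()
    db.add(CLEAN, TRUSTED)
    db.add(MALICIOUS, UNTRUSTED, virus_name="Constructed.Test.Sample")
    return db

if __name__ == "__main__":
    db = build_demo_db()
    engine = lambda d: "engine-scanned"  # stand-in for the full virus scan
    for label, blob in [("CLEAN", CLEAN), ("MALICIOUS", MALICIOUS),
                        ("SAME_PREFIX", SAME_PREFIX), ("OTHER_SIZE", OTHER_SIZE)]:
        print(label, identify(db, blob), scan(db, blob, engine))
    db.whitelist_false_alarm(MALICIOUS)  # operator reports a false alarm
    print("after feedback:", scan(db, MALICIOUS, engine))
```

SAME_PREFIX passes the size and partial-hash stages and is only rejected by the full hash, which is why the patent insists on the third stage before assigning a file type.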
It should be noted that the method in the embodiment corresponding to Fig. 1 can be implemented by the file scanning apparatus provided by this embodiment. For a detailed description see the related content in the embodiment corresponding to Fig. 1, which is not repeated here.
In this embodiment, a file to be scanned is obtained by the acquiring unit and then identified by the recognition unit according to at least one of the size of the file and the feature value of the file, to obtain a recognition result; the recognition result is that the file is a trusted file, that the file is an untrusted file, or that the file is an unknown file. The scanning unit can then perform virus scan processing on the unknown file according to the recognition result. Since virus scan processing only needs to be performed on unknown files, rather than on every file, the problem in the prior art of virus scan processing of each file occupying a large amount of the terminal's system resources is avoided, which improves the processing performance of the terminal.
In addition, with the technical solution provided by the invention, since virus scan processing only needs to be performed on unknown files, the efficiency of virus identification can be effectively improved.
In addition, with the technical solution provided by the invention, treating any file for which false-alarm information exists as a trusted file avoids continuing to perform alarm processing on that file, which can effectively improve the reliability of virus identification.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatus and units described above can be found by referring to the corresponding processes in the foregoing method embodiments, and are not repeated here.
In the several embodiments provided by the present invention, it should be understood that the disclosed systems, apparatus and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely schematic; for example, the division of the units is only a logical functional division, and other divisions are possible in actual implementation, e.g. multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. Furthermore, the couplings, direct couplings or communication connections shown or discussed may be implemented through some interfaces, and the indirect couplings or communication connections between apparatus or units may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the objectives of the solution of this embodiment.
In addition, the functional units in the embodiments of the invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional units.
The integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit stored in the storage medium comprises a number of instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) or a processor to perform some of the steps of the methods described in the embodiments of the invention. The storage medium includes: a USB flash disk, a portable hard drive, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the invention, not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the invention.

Claims (18)

1. A file scanning method, characterized in that it comprises:
obtaining a file to be scanned;
identifying the file according to at least one of the size of the file and the feature value of the file, to obtain a recognition result, the recognition result comprising that the file is a trusted file, that the file is an untrusted file, or that the file is an unknown file;
performing virus scan processing on the unknown file according to the recognition result.
2. The method according to claim 1, characterized in that, after identifying the file according to at least one of the size of the file and the feature value of the file to obtain the recognition result, the method further comprises:
skipping processing of the trusted file according to the recognition result.
3. The method according to claim 1, characterized in that, after identifying the file according to at least one of the size of the file and the feature value of the file to obtain the recognition result, the method further comprises:
performing alarm processing on the untrusted file according to the recognition result.
4. The method according to claim 1, characterized in that the file comprises an executable file or a non-executable file.
5. The method according to any one of claims 1 to 4, characterized in that identifying the file according to at least one of the size of the file and the feature value of the file to obtain the recognition result comprises:
obtaining the size of the file;
if the size of the file matches the size of a reference file, obtaining the feature value of a specified portion of the content of the file, the reference file comprising at least one of a trusted file and/or an untrusted file;
if the feature value of the specified portion of the content of the file matches the feature value of the specified portion of the content of the reference file, obtaining the feature value of the full content of the file;
if the feature value of the full content of the file matches the feature value of the full content of the reference file, obtaining the recognition result that the file is a trusted file or that the file is an untrusted file.
6. The method according to claim 5, characterized in that identifying the file according to at least one of the size of the file and the feature value of the file to obtain the recognition result further comprises:
if the size of the file fails to match the size of the reference file, obtaining the recognition result that the file is an unknown file; or
if the feature value of the specified portion of the content of the file fails to match the feature value of the specified portion of the content of the reference file, obtaining the recognition result that the file is an unknown file; or
if the feature value of the full content of the file fails to match the feature value of the full content of the reference file, obtaining the recognition result that the file is an unknown file.
7. The method according to claim 5, characterized in that, before identifying the file according to at least one of the size of the file and the feature value of the file to obtain the recognition result, the method further comprises:
treating any file as the trusted file according to false-alarm information for that file.
8. The method according to claim 5, characterized in that, if the size of the file matches the size of the reference file, obtaining the feature value of the specified portion of the content of the file comprises:
if the size of the file matches the size of the reference file, using a first hash algorithm to obtain the feature value of the first M bytes of the file, M being an integer greater than or equal to 1.
9. The method according to claim 5, characterized in that, if the feature value of the specified portion of the content of the file matches the feature value of the specified portion of the content of the reference file, obtaining the feature value of the full content of the file comprises:
if the feature value of the specified portion of the content of the file matches the feature value of the specified portion of the content of the reference file, using a second hash algorithm to obtain the feature value of the full content of the file.
10. A file scanning apparatus, characterized in that it comprises:
an acquiring unit, for obtaining a file to be scanned;
a recognition unit, for identifying the file according to at least one of the size of the file and the feature value of the file, to obtain a recognition result, the recognition result comprising that the file is a trusted file, that the file is an untrusted file, or that the file is an unknown file;
a scanning unit, for performing virus scan processing on the unknown file according to the recognition result.
11. The apparatus according to claim 10, characterized in that the scanning unit is further for
skipping processing of the trusted file according to the recognition result.
12. The apparatus according to claim 10, characterized in that the scanning unit is further for
performing alarm processing on the untrusted file according to the recognition result.
13. The apparatus according to claim 10, characterized in that the file comprises an executable file or a non-executable file.
14. The apparatus according to any one of claims 10 to 13, characterized in that the recognition unit is specifically for
obtaining the size of the file;
if the size of the file matches the size of a reference file, obtaining the feature value of a specified portion of the content of the file, the reference file comprising at least one of a trusted file and/or an untrusted file;
if the feature value of the specified portion of the content of the file matches the feature value of the specified portion of the content of the reference file, obtaining the feature value of the full content of the file;
if the feature value of the full content of the file matches the feature value of the full content of the reference file, obtaining the recognition result that the file is a trusted file or that the file is an untrusted file.
15. The apparatus according to claim 14, characterized in that the recognition unit is further for
if the size of the file fails to match the size of the reference file, obtaining the recognition result that the file is an unknown file; or
if the feature value of the specified portion of the content of the file fails to match the feature value of the specified portion of the content of the reference file, obtaining the recognition result that the file is an unknown file; or
if the feature value of the full content of the file fails to match the feature value of the full content of the reference file, obtaining the recognition result that the file is an unknown file.
16. The apparatus according to claim 14, characterized in that the recognition unit is further for
treating any file as the trusted file according to false-alarm information for that file.
17. The apparatus according to claim 14, characterized in that the recognition unit is specifically for
if the size of the file matches the size of the reference file, using a first hash algorithm to obtain the feature value of the first M bytes of the file, M being an integer greater than or equal to 1.
18. The apparatus according to claim 14, characterized in that the recognition unit is specifically for
if the feature value of the specified portion of the content of the file matches the feature value of the specified portion of the content of the reference file, using a second hash algorithm to obtain the feature value of the full content of the file.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410472180.3A CN104239795B (en) 2014-09-16 2014-09-16 The scan method and device of file

Publications (2)

Publication Number Publication Date
CN104239795A true CN104239795A (en) 2014-12-24
CN104239795B CN104239795B (en) 2017-11-24

Family

ID=52227837

Country Status (1)

Country Link
CN (1) CN104239795B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant