CN110096877A - File processing method and device
- Publication number: CN110096877A
- Application number: CN201910334563.7A
- Authority: CN (China)
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G06F16/137: File systems; File servers; File access structures, e.g. distributed indices; Hash-based
- G06F16/162: File systems; File servers; File or folder operations; Delete operations
- G06F21/562: Security arrangements; Detecting local intrusion or implementing counter-measures; Computer malware detection or handling, e.g. anti-virus arrangements; Static detection
Abstract
The invention discloses a file processing method and device. In the method: if a control node determines that a file in a file storage device has changed content, it locks the changed file; the control node extracts file feature information from the changed file according to the file's type, the file feature information being used for matching against at least one virus signature library in a scan node; the control node selects a first scan node from at least one scan node; the control node sends the file feature information to the first scan node; the control node receives the verdict returned by the first scan node, the verdict being obtained by matching the file feature information against at least one virus signature library in the first scan node; and if the verdict indicates that the changed file is a safe file, the control node releases the lock on the changed file.
Description
Technical field
The present invention relates to the field of network security, and in particular to a file processing method and device.
Background
A file storage device is a device that is connected to a network and provides data storage, and is therefore also called "network storage". A file storage device is usually a high-performance server dedicated to data storage; one example is network attached storage (Network Attached Storage, NAS). A file storage device can serve as the shared storage repository of a small or medium-sized enterprise, so that enterprise users can quickly download or upload files. File storage devices therefore carry a considerable security risk: the stored files need to be scanned, and dangerous files isolated or deleted.
The current approach is to run an antivirus engine on the file storage device and scan the files stored there. This approach has the following disadvantages: (1) The main purpose of deploying a file storage device is data storage, not file scanning. Computing resources on the file storage device must therefore be allocated to scanning uploads and downloads, which takes up a large share of the resources meant for data storage and adds extra burden. (2) As the upload rate to the file storage device rises, more files need to be scanned, so scanning takes a higher proportion of the device's resources, which again consumes resources meant for data storage and degrades storage performance. (3) When the file storage device scans files more slowly than they are uploaded, it cannot scan dangerous files in time and block them in real time.
Therefore, in the prior art, running an antivirus engine on the file storage device consumes a large amount of data storage resources, degrades storage performance, and cannot scan and intercept dangerous files in time. This problem urgently needs to be solved.
Summary of the invention
The embodiments of the present application provide a file processing method and device that solve the prior-art problem that running an antivirus engine on a NAS consumes a large amount of data storage resources, degrades storage performance, and cannot scan and intercept dangerous files in time.
An embodiment of the present application provides a file processing method, comprising: a scan node receives file feature information sent by a control node, the file feature information being feature information extracted when the control node determines that a file in a file storage device has changed content, the changed file being locked by the control node; the scan node, according to the file type of the changed file, matches the file feature information against at least one virus signature library in the scan node that corresponds to that file type, and obtains a matching result, the matching result being information on whether the file feature information successfully matched each of the at least one virus signature library; the scan node determines, from the matching result, a verdict on whether the changed file is a safe file; the scan node sends the verdict to the control node, the verdict being used by the control node to decide whether to release the lock on the changed file.
In the above method, the changed file has already been locked by the control node, that is, it is in an intercepted state, before the scan node receives its file feature information. After the scan node receives the file feature information sent by the control node, it matches the file feature information against at least one virus signature library in the scan node that corresponds to the file type and obtains a matching result, which establishes whether each virus signature library matched, and from that it determines whether the changed file is a safe file. If the verdict indicates that the changed file is a safe file, the control node releases the lock on the changed file so that the file can be downloaded. In this way, the decision on whether the changed files in the file storage device are safe is handed over to dedicated scan nodes, and file security scanning does not have to be installed locally on the storage device as in the prior art, which saves the resources of the file storage device. In addition, placing the scanning function on dedicated nodes makes it easy to scale capacity up or down flexibly according to the current volume of scan tasks.
Optionally, if the file type of the changed file is the Executable and Linkable Format (ELF) type, the file feature information includes the hash value of the changed file and the fuzzy hash value of the changed file, and the scan node matching the file feature information against the virus signature library corresponding to the file type, according to the file type of the changed file, comprises: the scan node matches the hash value of the changed file against the hash signature library in the at least one virus signature library, and matches the fuzzy hash value of the changed file against the fuzzy-hash signature library in the at least one virus signature library.
Optionally, if the file type of the changed file is the Portable Executable (PE) type, the file feature information includes the hash value of the changed file, the fuzzy hash value of the changed file, and the hash value and fuzzy hash value of each section in the changed file, and the scan node matching the file feature information against the virus signature library corresponding to the file type, according to the file type of the changed file, comprises: the scan node matches the hash value of the changed file and the hash value of each section in the changed file against the hash signature library in the at least one virus signature library; the scan node matches the fuzzy hash value of the changed file and the fuzzy hash value of each section in the changed file against the fuzzy-hash signature library in the at least one virus signature library.
Optionally, if the file type of the changed file is the web page type, the file feature information includes the fuzzy hash value of the changed file and the byte stream produced by the control node compressing the changed file, and the scan node matching the file feature information against the virus signature library corresponding to the file type, according to the file type of the changed file, comprises: the scan node matches the fuzzy hash value of the changed file against the fuzzy-hash signature library in the at least one virus signature library; the scan node decompresses the compressed byte stream to recover the file content of the changed file, and matches that file content against the risky-operation signature library in the at least one virus signature library.
Optionally, the scan node determining, from the matching result, the verdict on whether the changed file is a safe file comprises: each piece of feature information in the file feature information corresponds to one virus signature library among the at least one virus signature library; if first feature information successfully matches signature information in a first virus signature library, the scan node determines the verdict to be: the changed file is not a safe file; the first feature information is any piece of feature information in the file feature information; the first virus signature library is the virus signature library, among the at least one virus signature library, that corresponds to the first feature information.
An embodiment of the present application provides another file processing method, comprising: if a control node determines that a file in a file storage device has changed content, it locks the changed file; the control node extracts file feature information from the changed file according to the file type of the changed file, the file feature information being a string of character information determined from the file content of the changed file and used for matching against at least one virus signature library in a scan node; the control node selects a first scan node from at least one scan node; the control node sends the file feature information to the first scan node; the control node receives the verdict returned by the first scan node, the verdict being obtained by matching the file feature information against at least one virus signature library in the first scan node; if the verdict indicates that the changed file is a safe file, the control node releases the lock on the changed file.
As soon as the control node determines that a file in the file storage device has changed content, it locks that file, which achieves real-time interception. After locking, it extracts the file feature information of the changed file according to the file's type, selects a first scan node from at least one scan node, and sends the file feature information to the first scan node. The first scan node matches the file feature information against at least one virus signature library, and the control node then receives the verdict that the first scan node returns for that match. The file scanning task is thus handed over to the first scan node, which preserves the storage resources of the file storage device. If the verdict indicates that the changed file is a safe file, the control node releases the lock on the changed file so that it can be downloaded. In addition, because the control node selects the first scan node from at least one scan node, the number of scan nodes can be expanded as needed, so that scanning can be completed in time.
Optionally, the control node extracting the file feature information of the changed file according to the file type of the changed file comprises: if the file type of the changed file is the Executable and Linkable Format (ELF) type, the control node extracts the hash value of the changed file and the fuzzy hash value of the changed file as the file feature information; or, if the file type of the changed file is the Portable Executable (PE) type, the control node extracts the hash value of the changed file, the fuzzy hash value of the changed file, and the hash value and fuzzy hash value of each section in the changed file as the file feature information; or, if the file type of the changed file is the web page type, the control node extracts the fuzzy hash value of the changed file and the byte stream obtained by compressing the changed file as the file feature information.
Optionally, the control node selecting the first scan node from at least one scan node comprises: the control node selects the scan node with the smallest load among the at least one scan node as the first scan node.
With the above method, the control node selects the least-loaded scan node among the at least one scan node as the first scan node, which balances the load across the scan nodes.
Optionally, after the control node receives the verdict returned by the first scan node, the method further comprises: if the verdict indicates that the changed file is not a safe file, the control node deletes the changed file.
With the above method, when the verdict indicates that the changed file is not a safe file, the control node deletes the changed file, which eliminates the security risk in time and saves the resources of the file storage device.
Optionally, after the control node sends the file feature information to the first scan node, the method further comprises: if the control node does not receive the verdict returned by the first scan node within a preset detection period, it deletes the changed file.
An embodiment of the present application provides a file processing device, comprising: a receiving module, configured to receive file feature information sent by a control node, the file feature information being feature information extracted when the control node determines that a file in a file storage device has changed content, the changed file being locked by the control node; and a processing module, configured to match, according to the file type of the changed file, the file feature information against at least one virus signature library in the scan node that corresponds to that file type and obtain a matching result, the matching result being information on whether the file feature information successfully matched each of the at least one virus signature library; to determine, from the matching result, a verdict on whether the changed file is a safe file; and to send the verdict to the control node, the verdict being used by the control node to decide whether to release the lock on the changed file.
Optionally, if the file type of the changed file is the Executable and Linkable Format (ELF) type, the file feature information includes the hash value of the changed file and the fuzzy hash value of the changed file, and the processing module is specifically configured to: match the hash value of the changed file against the hash signature library in the at least one virus signature library, and match the fuzzy hash value of the changed file against the fuzzy-hash signature library in the at least one virus signature library.
Optionally, if the file type of the changed file is the Portable Executable (PE) type, the file feature information includes the hash value of the changed file, the fuzzy hash value of the changed file, and the hash value and fuzzy hash value of each section in the changed file, and the processing module is specifically configured to: match the hash value of the changed file and the hash value of each section in the changed file against the hash signature library in the at least one virus signature library; match the fuzzy hash value of the changed file and the fuzzy hash value of each section in the changed file against the fuzzy-hash signature library in the at least one virus signature library.
Optionally, if the file type of the changed file is the web page type, the file feature information includes the fuzzy hash value of the changed file and the byte stream produced by the control node compressing the changed file, and the processing module is specifically configured to: match the fuzzy hash value of the changed file against the fuzzy-hash signature library in the at least one virus signature library; decompress the compressed byte stream to recover the file content of the changed file, and match that file content against the risky-operation signature library in the at least one virus signature library.
Optionally, each piece of feature information in the file feature information corresponds to one virus signature library among the at least one virus signature library; the processing module is further configured to, if first feature information successfully matches signature information in a first virus signature library, determine the verdict to be: the changed file is not a safe file; the first feature information is any piece of feature information in the file feature information; the first virus signature library is the virus signature library, among the at least one virus signature library, that corresponds to the first feature information.
An embodiment of the present application provides another file processing device, comprising: a determining module, configured to lock a changed file if it determines that a file in a file storage device has changed content; an obtaining module, configured to extract file feature information from the changed file according to the file type of the changed file, the file feature information being a string of character information determined from the file content of the changed file and used for matching against at least one virus signature library in a scan node; the determining module being further configured to select a first scan node from at least one scan node; a sending module, configured to send the file feature information to the first scan node; a receiving module, configured to receive the verdict returned by the first scan node, the verdict being obtained by matching the file feature information against at least one virus signature library in the first scan node; and a processing module, configured to release the lock on the changed file if the verdict indicates that the changed file is a safe file.
Optionally, the obtaining module is specifically configured to: if the file type of the changed file is the Executable and Linkable Format (ELF) type, extract the hash value of the changed file and the fuzzy hash value of the changed file as the file feature information; or, if the file type of the changed file is the Portable Executable (PE) type, extract the hash value of the changed file, the fuzzy hash value of the changed file, and the hash value and fuzzy hash value of each section in the changed file as the file feature information; or, if the file type of the changed file is the web page type, extract the fuzzy hash value of the changed file and the byte stream obtained by compressing the changed file as the file feature information.
Optionally, the determining module is specifically configured to: select the scan node with the smallest load among the at least one scan node as the first scan node.
Optionally, the processing module is further configured to delete the changed file if the verdict indicates that the changed file is not a safe file.
Optionally, the processing module is further configured to delete the changed file if the verdict returned by the first scan node is not received within a preset detection period.
Description of the drawings
Fig. 1 is an architecture diagram corresponding to a file processing method in an embodiment of the present application;
Fig. 2 is a flow chart of the steps of a file processing method in an embodiment of the present application;
Fig. 3 is a schematic structural diagram of a file scanning device in an embodiment of the present application;
Fig. 4 is a schematic structural diagram of another file scanning device in an embodiment of the present application.
Detailed description
For a better understanding of the above technical solution, it is described in detail below with reference to the drawings and specific embodiments. It should be understood that the embodiments of the present application and the specific features in them are a detailed explanation of the technical solution of the application, not a limitation of it, and that, where there is no conflict, the embodiments of the present application and the technical features in them can be combined with one another.
File storage devices are currently widely used as the shared storage repository of small and medium-sized enterprises, so that enterprise users can quickly download or upload files. A file storage device is a device that is connected to a network and provides data storage, and is therefore also called "network storage". A file storage device is usually a high-performance server dedicated to data storage; one example is network attached storage (Network Attached Storage, NAS). Because a file storage device is shared, every enterprise user has permission to upload to it or download from it, so the device runs a high risk of receiving dangerous files. The stored files therefore need to be scanned, and dangerous files isolated or deleted in time.
In the prior art, stored files are scanned by running an antivirus engine on the file storage device. Because the main purpose of deploying a file storage device is data storage, not file scanning, the prior-art method has obvious disadvantages. It must allocate computing resources on the file storage device to scanning uploads and downloads, which takes up a large share of the resources meant for data storage and adds extra burden. In addition, as the upload rate to the file storage device rises, more files need to be scanned, so scanning takes a higher proportion of the device's resources, which again consumes resources meant for data storage and degrades storage performance. Furthermore, when the file storage device scans files more slowly than they are uploaded, it cannot scan dangerous files in time and block them in real time.
For this reason, an embodiment of the present application provides the architecture shown in Fig. 1 for a file processing method, to solve the problem that running an antivirus engine on the file storage device consumes a large amount of data storage resources, degrades storage performance, and cannot scan and intercept dangerous files in time.
Client: a group of hosts belonging to the same organization, which can upload files to the file storage device or download files from it. The number of clients in Fig. 1 can be set according to the organization's specific needs. In addition, the connection between the clients and the file storage device is not limited to the example in Fig. 1; clients can also be connected to the file storage device indirectly through intermediate devices such as routers, switches and servers.
File storage device: the file storage device is the device that stores the organization's data files. It may include several kinds of storage device, such as disk arrays, drives, tape drives or removable storage media. One example of a file storage device is a NAS.
The embodiments of the present application add a scan control service, that is, a piece of software for managing file scan tasks. The scan control service has control over the files in the file storage device and control over the scan nodes. It should be noted that the scan control service can be deployed either on the file storage device or separately on its own device. In the example shown in Fig. 1, the scan control service is deployed on a control node; the number of control nodes can also be extended.
Control node: the control node is a computer device that runs the scan control service. The control node controls the operating permissions on files: when it detects a changed file in the file storage device, it can lock that file so that enterprise users are not allowed to read, write or otherwise operate on it through application-layer software. A changed file here may be a newly added file or a file whose content has been modified. The control node extracts the file feature information of the changed file and then sends it to a scan node, and the scan node determines from the file feature information whether the file is a safe file. When the scan node returns the scan result for the file, the control node deletes the changed file, releases the lock, or keeps the lock in place, and so completes its control of the file. It can be seen that the control node can effectively improve control efficiency and achieve real-time interception of dangerous files.
Scan node: the scan node scans the changed file, that is, it determines whether the changed file is a safe file. Specifically, it matches the file feature information sent by the control node against at least one preloaded virus signature library; if there is a successful match, the changed file is determined to be a dangerous file; otherwise, the changed file is determined to be a safe file.
It should be noted that, in the architecture to which the file processing method provided by the embodiments of the present application is applied, there is at least one scan node; the exact number can be adjusted flexibly according to how many files need to be scanned and is not limited to the number of scan nodes in Fig. 1. It can be seen that the scan nodes of the architecture in Fig. 1 support distributed extension: the number of files that can be scanned is raised by increasing the number of scan nodes.
The architecture and the function of each of its parts are described in detail below with reference to Fig. 2.
Fig. 2 is a flow chart of the steps of a file processing method in an embodiment of the present application.
Steps 201 to 204 and step 209 are performed by the control node; steps 205 to 208 are performed by the scan node.
Step 201: Lock the changed file.
Step 202: Extract the file feature information of the changed file.
Step 203: Select the first scan node from at least one scan node.
Step 204: Send the file feature information to the first scan node.
Step 205: Receive the file feature information sent by the control node.
Step 206: Match the file feature information against at least one virus signature library in the scan node.
Step 207: Determine the verdict for the changed file.
Step 208: Send the verdict to the control node.
Step 209: Decide whether to release the lock on the changed file.
In step 201, one optional implementation of locking the content-altered file is as follows:
The control node first obtains the file handle of the content-altered file. A file handle is the unique identifier used to open a file. During file input/output, to read data from a file, an application first calls an operating system function, passing the file name and a path to the file, in order to open the file. The number that the function returns is the file handle. To read a block of data from the file, the application calls a file read function and passes the operating system the file handle, the address in memory and the number of bytes to copy. After the task is complete, the file is closed by calling a system function. After the control node obtains the file handle of the content-altered file, it adds a file lock to the file handle.
After step 201 is performed, applications at the application layer cannot perform any operation on the content-altered file in the file-storage device; only the control node can open the content-altered file, that is, perform step 202.
In step 202, the control node extracts the file feature information of the content-altered file according to the file type of the content-altered file. The file feature information is information to be matched against at least one virus characteristic library in a scan node.
Specifically, there may be the following three cases, which are described separately below.
In the first case, if the file type of the content-altered file is the Executable and Linkable Format (ELF) type, the control node extracts the hash value of the content-altered file and the fuzzy hash value of the content-altered file as the file feature information.
It should be noted that, in the embodiments of the present application, the hash value of the content-altered file is the value output by a hash algorithm from the file content of the content-altered file. A hash algorithm transforms an input of arbitrary length into an output of fixed length. The fuzzy hash value of the content-altered file is the value output by a fuzzy hash algorithm from the file content of the content-altered file. The fuzzy hash algorithm is also known as context triggered piecewise hashing (CTPH), a piecewise hash algorithm based on content segmentation. The principle of fuzzy hashing is to use a weak hash computed over part of the file content to split the file into pieces under a specific condition, then use a strong hash to compute a hash value for each piece, take a part of each of these values and concatenate them, and combine the result with the splitting condition to form the fuzzy hash result. A string-similarity comparison algorithm is then used to judge how similar two fuzzy hash values are, and thereby how similar the two files are.
In the second case, if the file type of the content-altered file is the Portable Executable (PE) type, the control node extracts the hash value of the content-altered file, the fuzzy hash value of the content-altered file, and the hash value and fuzzy hash value of each section in the content-altered file as the file feature information.
It should be noted that a PE file is a file type under the Microsoft Windows operating system and is divided into sections. If the content-altered file is a PE file, its hash value is obtained by applying the hash algorithm to the entire file content, and its fuzzy hash value is obtained by applying the fuzzy hash algorithm to the entire file content; the hash value of each section in the content-altered file is obtained by applying the hash algorithm to the content of that section, and the fuzzy hash value of the section is obtained by applying the fuzzy hash algorithm to that section.
In the third case, if the file type of the content-altered file is the web page type, the control node extracts the fuzzy hash value of the content-altered file and the byte stream obtained by compressing the content-altered file as the file feature information. It should be noted that a file of the web page type is a program file that implements web page functionality; after compression it forms a byte stream composed of multiple bytes.
This optional implementation uses only the above three file types as examples and is not limited to them.
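The fuzzy hash principle described under the first case (weak hash to split, strong hash per piece, concatenation, string-similarity comparison) is shown here as working code. This is an added example, not code from the patent: the 7-byte rolling sum as the weak hash, SHA-256 as the strong hash, the fixed block size of 64 and the names `fuzzy_hash`, `similarity` and `sample_bytes` are assumptions, and the output is not compatible with any existing fuzzy hashing tool.

```python
import difflib
import hashlib

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7  # number of trailing bytes the weak (rolling) hash looks at


def _piece_char(piece: bytes) -> str:
    """Strong hash of one piece, reduced to 6 bits (one base64 character)."""
    return B64[hashlib.sha256(piece).digest()[0] & 0x3F]


def fuzzy_hash(data: bytes, block_size: int = 64) -> str:
    """Simplified CTPH: returns '<block_size>:<one character per piece>'."""
    window = bytearray(WINDOW)   # circular buffer holding the last WINDOW bytes
    weak = 0                     # weak hash = sum of the bytes in the window
    start = 0                    # offset where the current piece began
    chars = []
    for i, byte in enumerate(data):
        weak += byte - window[i % WINDOW]
        window[i % WINDOW] = byte
        # Splitting condition: the weak hash hits the value selected by block_size.
        # It depends only on the last WINDOW bytes, so piece boundaries line up
        # again shortly after an insertion or deletion.
        if weak % block_size == block_size - 1:
            chars.append(_piece_char(data[start:i + 1]))
            start = i + 1
    if start < len(data):        # trailing piece that never hit the condition
        chars.append(_piece_char(data[start:]))
    return f"{block_size}:{''.join(chars)}"


def similarity(sig_a: str, sig_b: str) -> int:
    """Score 0..100. Signatures made with different splitting conditions
    are not comparable and score 0."""
    size_a, _, body_a = sig_a.partition(":")
    size_b, _, body_b = sig_b.partition(":")
    if size_a != size_b:
        return 0
    matcher = difflib.SequenceMatcher(None, body_a, body_b, autojunk=False)
    return round(matcher.ratio() * 100)


def sample_bytes(seed: bytes, blocks: int = 128) -> bytes:
    """Constructed, deterministic pseudo-random data (32 bytes per block)."""
    return b"".join(hashlib.sha256(seed + bytes([n])).digest() for n in range(blocks))


def demo():
    """Return (score for a lightly modified copy, score for an unrelated file)."""
    original = sample_bytes(b"constructed-sample-A")
    patched = original[:2000] + b"INSERTED-16-BYTE" + original[2000:]
    unrelated = sample_bytes(b"constructed-sample-B")
    base = fuzzy_hash(original)
    return similarity(base, fuzzy_hash(patched)), similarity(base, fuzzy_hash(unrelated))


if __name__ == "__main__":
    near, far = demo()
    print("modified copy:", near, "unrelated file:", far)
```

An exact hash of the modified copy would share nothing with the original's; the fuzzy hash changes only in the characters for the pieces around the inserted bytes, which is why both values are extracted in step 202.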
In step 203, in one optional implementation, the control node takes the least-loaded scan node among the at least one scan node connected to the control node as the first scan node to which the file feature information is to be sent.
For example, if there are three scan nodes A, B and C, where A has 10 items of file feature information waiting to be matched and B and C each have 9 items waiting to be matched, one of B and C is selected at random as the first scan node.
In step 204, the file feature information of the content-altered file is sent to the least-loaded scan node, so that the load is balanced across the scan nodes. It should be noted that, in this step, file feature information is not sent to the scan node one item at a time as each item is generated; instead, multiple items of file feature information are packaged into one scan task packet according to a preset file format conversion rule. In addition, the scan task packet also contains at least the file type corresponding to each item of file feature information. For example, after the control node has extracted 1000 items of file feature information, it packages them into a scan task packet and then sends the packet to the scan node, so that multiple items of file feature information are transmitted at once, improving transmission efficiency.
After step 204, the control node waits for the scan node to return the judgement result for the content-altered file. Therefore, in one optional implementation, if the control node does not receive the judgement result returned by the first scan node within a preset review duration, it deletes the content-altered file, to prevent a dangerous file from going unreported because of an abnormality in file feature information matching. The preset review duration is timed from the moment the content-altered file is locked.
The preset review duration mechanism is illustrated by the following two cases:
In the first case, the lock duration applied to the content-altered file in step 201 is fixed and limited. Timing starts when the content-altered file is locked; when the elapsed time equals the preset review duration, if the control node has still not received the judgement result returned by the first scan node, it directly deletes the content-altered file. For example, if the lock duration for the content-altered file is 5 seconds and the preset review duration is 4.5 seconds, then if the judgement result for the content-altered file has not been received at 4.5 seconds, the content-altered file is deleted, to prevent it from being downloaded at the 5th second and causing a security risk.
In the second case, the content-altered file is locked in step 201 by preset periods. If the scanning result for the content-altered file is not received within a preset period, the file feature information of the content-altered file is extracted again and sent to the scan node, and the next preset period begins, until the judgement result for the content-altered file is received, or until the content-altered file is deleted after no scanning result for it has been received in N consecutive preset periods; N is a positive integer. For example, the preset period is 6 seconds and N is 3; if the control node has not received a judgement result from the scan node in the first 2 preset periods, it enters the 3rd preset period. If the control node receives the judgement result returned by the scan node in the 3rd preset period, it decides whether to delete the content-altered file according to the judgement result; otherwise it directly deletes the content-altered file.
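Both cases of the preset review duration can be expressed as one fail-closed timer, with the first case being a single period. The following is an added example, not code from the patent: the `ControlNode` class, its method names and the action labels are assumptions, time is passed in explicitly so the behaviour is deterministic, and a verdict that arrives at or after the deadline is treated as too late.

```python
from dataclasses import dataclass


@dataclass
class Review:
    period_start: float      # when the current preset period began
    periods_used: int = 1    # locking the file opens period 1


class ControlNode:
    """Tracks locked files and deletes them when no verdict arrives in time."""

    def __init__(self, period_s: float, max_periods: int):
        self.period_s = period_s          # preset period (or review duration)
        self.max_periods = max_periods    # N; 1 models the fixed-duration case
        self.pending = {}                 # path -> Review, i.e. files still locked
        self.log = []                     # (time, path, action)

    def lock(self, path: str, now: float) -> None:
        """Steps 201-204: lock the file and send its feature information."""
        self.pending[path] = Review(period_start=now)
        self.log.append((now, path, "locked+sent"))

    def tick(self, now: float) -> None:
        """Expire every preset period that has fully elapsed by `now`."""
        for path, review in list(self.pending.items()):
            while path in self.pending and now - review.period_start >= self.period_s:
                deadline = review.period_start + self.period_s
                if review.periods_used >= self.max_periods:
                    # N periods without a verdict: fail closed, never unlock.
                    del self.pending[path]
                    self.log.append((deadline, path, "deleted"))
                else:
                    # Re-extract and resend the features, start the next period.
                    review.periods_used += 1
                    review.period_start = deadline
                    self.log.append((deadline, path, "resent"))

    def on_verdict(self, path: str, is_safe: bool, now: float) -> str:
        """Step 209, applied only if the file is still inside its review window."""
        self.tick(now)
        if path not in self.pending:
            return "ignored"              # late verdict for an already deleted file
        del self.pending[path]
        action = "unlocked" if is_safe else "deleted"
        self.log.append((now, path, action))
        return action

    def history(self, path: str) -> list:
        return [action for _, p, action in self.log if p == path]


if __name__ == "__main__":
    node = ControlNode(period_s=6.0, max_periods=3)   # the 6-second, N = 3 example
    node.lock("upload.bin", 0.0)
    node.tick(18.0)
    print(node.log)
```

The property to check in any implementation is that every path out of the timer other than an in-time "secure" verdict ends in deletion, so a stalled or crashed scan node can never cause a file to be released.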
In step 205, the scan node first receives the scan task packet, parses it into individual items of file feature information according to the preset file format conversion rule, and stores them in a buffer. The scan node then reads each item of file feature information from the buffer and performs steps 206 to 208 on each item.
In step 206, the virus characteristic library against which the content-altered file is matched is selected according to the file type. Specifically, there are the following three cases:
In the first case, if the content-altered file is an ELF file, then according to step 202 the file feature information includes the hash value of the content-altered file and the fuzzy hash value of the content-altered file. The scan node matches the hash value of the content-altered file against the preloaded hash feature library, and matches the fuzzy hash value of the content-altered file against the preloaded fuzzy hash feature library. It should be noted that the hash feature library and the fuzzy hash feature library may consist of historically collected features, may be feature libraries that have already been made public, or may be feature libraries built from a combination of the two or in other ways.
In the second case, if the content-altered file is a PE file, then according to step 202 the file feature information includes the hash value of the content-altered file, the fuzzy hash value of the content-altered file, and the hash value and fuzzy hash value of each section in the content-altered file. The scan node matches the hash value of the content-altered file and the hash value of each section in the content-altered file against the preloaded hash feature library; the scan node matches the fuzzy hash value of the content-altered file and the fuzzy hash value of each section in the content-altered file against the preloaded fuzzy hash feature library.
In the third case, if the file type of the content-altered file is the web page type, the file feature information includes the fuzzy hash value of the content-altered file and the byte stream obtained by the control node compressing the content-altered file. The scan node matches the fuzzy hash value of the content-altered file against the preloaded fuzzy hash feature library; the scan node decompresses the byte stream to recover the file content of the content-altered file and matches that file content against the preloaded risk operations feature library. For example, if the file content is at least one event operation, each event operation of the at least one event operation is matched against the preloaded risk operations feature library.
In step 207, the judgement result is determined according to the matching result of step 206. One optional implementation is as follows:
Each item of feature information in the file feature information corresponds to one virus characteristic library; for example, the fuzzy hash value corresponds to the fuzzy hash feature library.
If any item of feature information in the file feature information of the content-altered file successfully matches feature information in the first virus characteristic library, the scan node determines that the content-altered file is not a secure file; otherwise, it determines that the content-altered file is a secure file.
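Steps 206 and 207 on the scan node, shown together as an added example that is not code from the patent. The three libraries are constructed stand-ins; the item layout (`type`, `hash`, `fuzzy`, `sections`, `compressed`), the similarity threshold of 80, zlib as the compression, the 1 MiB decompression cap, and treating unknown or malformed items as not secure are all assumptions of this example.

```python
import difflib
import hashlib
import zlib

MAX_PAGE_BYTES = 1 << 20   # assumed cap on decompressed web page content
FUZZY_THRESHOLD = 80       # assumed similarity score that counts as a match

# Constructed stand-ins for the preloaded feature libraries.
HASH_LIB = {hashlib.sha256(b"constructed known-bad sample").hexdigest()}
FUZZY_LIB = ["64:QkFEc2FtcGxlU2lnbmF0dXJlMDEyMzQ1"]
RISK_OPS_LIB = [b"eval(", b"system("]


def fuzzy_match(sig: str) -> bool:
    """True if sig is similar enough to any entry of the fuzzy hash library."""
    for known in FUZZY_LIB:
        if sig.split(":")[0] != known.split(":")[0]:
            continue                      # different splitting condition
        ratio = difflib.SequenceMatcher(None, sig, known, autojunk=False).ratio()
        if ratio * 100 >= FUZZY_THRESHOLD:
            return True
    return False


def inflate(stream: bytes) -> bytes:
    """Decompress with a hard output cap, so a small task packet cannot make
    the scan node allocate an unbounded amount of memory."""
    d = zlib.decompressobj()
    out = d.decompress(stream, MAX_PAGE_BYTES + 1)
    if len(out) > MAX_PAGE_BYTES or not d.eof:
        raise ValueError("oversized or truncated stream")
    return out


def is_secure(item: dict) -> bool:
    """Steps 206 and 207 for one item; False means 'not a secure file'."""
    kind = item.get("type")
    try:
        if kind == "ELF":
            hashes, fuzzies, content = [item["hash"]], [item["fuzzy"]], None
        elif kind == "PE":
            sections = item["sections"]   # list of (hash, fuzzy hash) per section
            hashes = [item["hash"]] + [h for h, _ in sections]
            fuzzies = [item["fuzzy"]] + [f for _, f in sections]
            content = None
        elif kind == "WEB":
            hashes, fuzzies = [], [item["fuzzy"]]
            content = inflate(item["compressed"])
        else:
            return False                  # unknown type: fail closed
    except (KeyError, ValueError, zlib.error):
        return False                      # malformed item: fail closed
    # Any single feature that matches its library makes the file not secure.
    if any(h in HASH_LIB for h in hashes):
        return False
    if any(fuzzy_match(f) for f in fuzzies):
        return False
    if content is not None and any(op in content for op in RISK_OPS_LIB):
        return False
    return True


if __name__ == "__main__":
    page = zlib.compress(b"<html><body>hello</body></html>")
    print(is_secure({"type": "WEB", "fuzzy": "64:zzzz", "compressed": page}))
```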
In step 208, optional implementations by which the scan node returns the judgement result for the content-altered file are as follows:
In one optional implementation, the file feature information that the scan node needs to match is not only that of the content-altered file; file feature information extracted earlier may also be waiting to be matched, so multiple judgement results may be output within a period of time. For this reason, the scan node does not return the judgement result to the control node immediately after obtaining the judgement result for the content-altered file. Instead, according to a preset period for returning judgement results, the scan node packages the judgement results for all file feature information completed within each such period into one group of information and then sends that group of information to the control node. In this implementation, after the scan node has collected the judgement results for the file feature information of a group of files, it sends them to the control node together, which improves the efficiency with which the scan node returns judgement results.
In another optional implementation, the scan node returns the judgement result for the content-altered file to the control node immediately after obtaining it, to ensure that the control node obtains the judgement result for the content-altered file in the shortest time.
In step 209, if the judgement result indicates that the content-altered file is a secure file, the control node releases the lock on the content-altered file. If the judgement result indicates that the content-altered file is not a secure file, the control node deletes the content-altered file.
The advantages of the method are illustrated below using NAS as the application scenario:
A company uses a NAS file system as its shared data server, and all employees of the company have permission to upload and download, which poses a huge security risk. The company requires real-time security scanning of files on the NAS system; the peak can reach 5000 files scanned per minute, and a file cannot be locked for more than 5 seconds after its upload completes. Using the scanning method of the present application, a control node and 2 scan nodes were deployed, which achieved the expected performance requirement and can block virus files from being uploaded to the NAS file system in real time. If the disk capacity of the NAS file system is later expanded and scan performance needs to be improved, the invention also allows dynamic scaling by adding scan nodes, greatly reducing maintenance cost.
When the control node determines that there is a content-altered file in the file-storage device, it immediately locks the content-altered file, achieving real-time blocking. After locking, it extracts the file feature information of the content-altered file according to the file type of the content-altered file, determines a first scan node from at least one scan node, and sends the file feature information to the first scan node, which matches the file feature information against at least one virus characteristic library. The control node then receives the judgement result returned by the first scan node for the matching of the file feature information against the at least one virus characteristic library. The file scanning task is thus handed to the first scan node for processing, which preserves the storage resources of the file-storage device. If the judgement result indicates that the content-altered file is a secure file, the control node releases the lock on the content-altered file so that the content-altered file can be downloaded. In addition, because the control node determines the first scan node from at least one scan node, the number of scan nodes can be expanded as needed, so that scanning is completed in time.
Fig. 3 is a schematic structural diagram of a file scanning device in an embodiment of the present application.
An embodiment of the present application provides a document handling apparatus, comprising: a receiving module 301, configured to receive file feature information sent by a control node, where the file feature information is feature information extracted when the control node determines that there is a content-altered file in a file-storage device, and the content-altered file is locked by the control node; and a processing module 302, configured to: match, according to the file type of the content-altered file, the file feature information against at least one virus characteristic library in the scan node that corresponds to the file type, to obtain a matching result, where the matching result is information on whether the file feature information successfully matches each virus characteristic library of the at least one virus characteristic library; determine, according to the matching result, a judgement result of whether the content-altered file is a secure file; and send the judgement result to the control node, where the judgement result is used by the control node to determine whether to release the lock on the content-altered file.
Optionally, if the file type of the content-altered file is the Executable and Linkable Format (ELF) type, the file feature information includes the hash value of the content-altered file and the fuzzy hash value of the content-altered file, and the processing module 302 is specifically configured to: match the hash value of the content-altered file against the hash feature library in the at least one virus characteristic library, and match the fuzzy hash value of the content-altered file against the fuzzy hash feature library in the at least one virus characteristic library.
Optionally, if the file type of the content-altered file is the Portable Executable (PE) type, the file feature information includes the hash value of the content-altered file, the fuzzy hash value of the content-altered file, and the hash value and fuzzy hash value of each section in the content-altered file, and the processing module 302 is specifically configured to: match the hash value of the content-altered file and the hash value of each section in the content-altered file against the hash feature library in the at least one virus characteristic library; and match the fuzzy hash value of the content-altered file and the fuzzy hash value of each section in the content-altered file against the fuzzy hash feature library in the at least one virus characteristic library.
Optionally, if the file type of the content-altered file is the web page type, the file feature information includes the fuzzy hash value of the content-altered file and the byte stream obtained by the control node compressing the content-altered file, and the processing module 302 is specifically configured to: match the fuzzy hash value of the content-altered file against the fuzzy hash feature library in the at least one virus characteristic library; and decompress the byte stream to recover the file content of the content-altered file, and match that file content against the risk operations feature library in the at least one virus characteristic library.
Optionally, each item of feature information in the file feature information corresponds to one virus characteristic library of the at least one virus characteristic library; the processing module 302 is further configured to: if first feature information successfully matches feature information in a first virus characteristic library, determine that the judgement result is that the content-altered file is not a secure file, where the first feature information is any item of feature information in the file feature information, and the first virus characteristic library is the virus characteristic library, among the at least one virus characteristic library, that corresponds to the first feature information.
Fig. 4 is a schematic structural diagram of another file scanning device in an embodiment of the present application.
An embodiment of the present application provides another document handling apparatus, comprising: a determining module 401, configured to lock a content-altered file if it is determined that there is a content-altered file in a file-storage device; an acquisition module 402, configured to extract the file feature information of the content-altered file according to the file type of the content-altered file, where the file feature information is a string of character information determined from the file content of the content-altered file and is used for matching against at least one virus characteristic library in a scan node; the determining module 401 being further configured to determine a first scan node from at least one scan node; a sending module 403, configured to send the file feature information to the first scan node; a receiving module 404, configured to receive the judgement result returned by the first scan node, where the judgement result is obtained by matching the file feature information against at least one virus characteristic library in the first scan node; and a processing module 405, configured to release the lock on the content-altered file if the judgement result indicates that the content-altered file is a secure file.
Optionally, the acquisition module 402 is specifically configured to: if the file type of the content-altered file is the Executable and Linkable Format (ELF) type, extract the hash value of the content-altered file and the fuzzy hash value of the content-altered file as the file feature information; or, if the file type of the content-altered file is the Portable Executable (PE) type, extract the hash value of the content-altered file, the fuzzy hash value of the content-altered file, and the hash value and fuzzy hash value of each section in the content-altered file as the file feature information; or, if the file type of the content-altered file is the web page type, extract the fuzzy hash value of the content-altered file and the byte stream obtained by compressing the content-altered file as the file feature information.
Optionally, the determining module 401 is specifically configured to determine the least-loaded scan node among the at least one scan node as the first scan node.
Optionally, the processing module 405 is further configured to delete the content-altered file if the judgement result indicates that the content-altered file is not a secure file.
Optionally, the processing module 405 is further configured to delete the content-altered file if the judgement result returned by the first scan node is not received within a preset review duration.
Finally, it should be noted that those skilled in the art should understand that embodiments of the present application may be provided as a method, a system or a computer program product. Therefore, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, optical storage and the like) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Obviously, those skilled in the art can make various modifications and variations to the present application without departing from the scope of the present application. Thus, if these modifications and variations of the present application fall within the scope of the claims of the present application and their equivalent technologies, the present application is also intended to include these modifications and variations.
Claims (20)
1. A document handling method, characterized by comprising:
a scan node receiving file feature information sent by a control node, wherein the file feature information is feature information extracted when the control node determines that there is a content-altered file in a file-storage device, and the content-altered file is locked by the control node;
the scan node matching, according to the file type of the content-altered file, the file feature information against at least one virus characteristic library in the scan node that corresponds to the file type, to obtain a matching result, wherein the matching result is information on whether the file feature information successfully matches each virus characteristic library of the at least one virus characteristic library;
the scan node determining, according to the matching result, a judgement result of whether the content-altered file is a secure file;
the scan node sending the judgement result to the control node, wherein the judgement result is used by the control node to determine whether to release the lock on the content-altered file.
2. The method according to claim 1, characterized in that, if the file type of the content-altered file is the Executable and Linkable Format (ELF) type, the file feature information includes the hash value of the content-altered file and the fuzzy hash value of the content-altered file, and the scan node matching, according to the file type of the content-altered file, the file feature information against the virus characteristic library corresponding to the file type comprises:
the scan node matching the hash value of the content-altered file against the hash feature library in the at least one virus characteristic library, and matching the fuzzy hash value of the content-altered file against the fuzzy hash feature library in the at least one virus characteristic library.
3. The method according to claim 1, characterized in that, if the file type of the content-altered file is the Portable Executable (PE) type, the file feature information includes the hash value of the content-altered file, the fuzzy hash value of the content-altered file, and the hash value and fuzzy hash value of each section in the content-altered file, and the scan node matching, according to the file type of the content-altered file, the file feature information against the virus characteristic library corresponding to the file type comprises:
the scan node matching the hash value of the content-altered file and the hash value of each section in the content-altered file against the hash feature library in the at least one virus characteristic library; and the scan node matching the fuzzy hash value of the content-altered file and the fuzzy hash value of each section in the content-altered file against the fuzzy hash feature library in the at least one virus characteristic library.
4. The method according to claim 1, characterized in that, if the file type of the content-altered file is the web page type, the file feature information includes the fuzzy hash value of the content-altered file and the byte stream obtained by the control node compressing the content-altered file, and the scan node matching, according to the file type of the content-altered file, the file feature information against the virus characteristic library corresponding to the file type comprises:
the scan node matching the fuzzy hash value of the content-altered file against the fuzzy hash feature library in the at least one virus characteristic library; and the scan node decompressing the byte stream to recover the file content of the content-altered file, and matching that file content against the risk operations feature library in the at least one virus characteristic library.
5. The method according to any one of claims 1 to 4, characterized in that the scan node determining, according to the matching result, a judgement result of whether the content-altered file is a secure file comprises:
each item of feature information in the file feature information corresponding to one virus characteristic library of the at least one virus characteristic library;
if first feature information successfully matches feature information in a first virus characteristic library, the scan node determining that the judgement result is that the content-altered file is not a secure file, wherein the first feature information is any item of feature information in the file feature information, and the first virus characteristic library is the virus characteristic library, among the at least one virus characteristic library, that corresponds to the first feature information.
6. A file processing method, comprising:
if a control node determines that there is a content-changed file in a file-storage device, the control node locks the content-changed file;
the control node extracts file feature information of the content-changed file according to the file type of the content-changed file; the file feature information is character string information determined from the file content of the content-changed file, and is used for matching against at least one virus feature library in a scan node;
the control node determines a first scan node from at least one scan node;
the control node sends the file feature information to the first scan node;
the control node receives a determination result returned by the first scan node; the determination result is obtained by matching the file feature information against the at least one virus feature library in the first scan node;
if the determination result indicates that the content-changed file is a secure file, the control node releases the lock on the content-changed file.
7. The method according to claim 6, wherein the control node extracting the file feature information of the content-changed file according to the file type of the content-changed file comprises:
if the file type of the content-changed file is the Executable and Linkable Format (ELF) type, the control node extracts the hash value of the content-changed file and the fuzzy hash value of the content-changed file as the file feature information;
or, if the file type of the content-changed file is the Portable Executable (PE) type, the control node extracts the hash value of the content-changed file, the fuzzy hash value of the content-changed file, and the hash value and fuzzy hash value of each section in the content-changed file, as the file feature information;
or, if the file type of the content-changed file is the web page type, the control node extracts the fuzzy hash value of the content-changed file and the byte stream obtained by compressing the content-changed file, as the file feature information.
8. The method according to claim 6 or 7, wherein the control node determining the first scan node from the at least one scan node comprises:
the control node determines the scan node with the smallest load among the at least one scan node as the first scan node.
9. The method according to claim 6 or 7, wherein, after the control node receives the determination result returned by the first scan node, the method further comprises:
if the determination result indicates that the content-changed file is not a secure file, the control node deletes the content-changed file.
10. The method according to claim 6 or 7, wherein, after the control node sends the file feature information to the first scan node, the method further comprises:
if the control node does not receive the determination result returned by the first scan node within a preset check duration, the control node deletes the content-changed file.
11. A file processing apparatus, comprising:
a receiving module, configured to receive file feature information sent by a control node; the file feature information is feature information extracted by the control node when it determines that there is a content-changed file in a file-storage device; the content-changed file is locked by the control node;
a processing module, configured to match, according to the file type of the content-changed file, the file feature information against at least one virus feature library in the scan node that corresponds to the file type, to obtain a matching result; the matching result is information on whether the file feature information is successfully matched with each virus feature library in the at least one virus feature library; to determine, according to the matching result, a determination result of whether the content-changed file is a secure file; and to send the determination result to the control node; the determination result is used by the control node to determine whether to release the lock on the content-changed file.
12. The apparatus according to claim 11, wherein, if the file type of the content-changed file is the Executable and Linkable Format (ELF) type, the file feature information comprises the hash value of the content-changed file and the fuzzy hash value of the content-changed file, and the processing module is specifically configured to:
match the hash value of the content-changed file against the hash feature library in the at least one virus feature library, and match the fuzzy hash value of the content-changed file against the fuzzy hash feature library in the at least one virus feature library.
13. The apparatus according to claim 11, wherein, if the file type of the content-changed file is the Portable Executable (PE) format type, the file feature information comprises the hash value of the content-changed file, the fuzzy hash value of the content-changed file, and the hash value and fuzzy hash value of each section in the content-changed file, and the processing module is specifically configured to:
match the hash value of the content-changed file and the hash value of each section in the content-changed file against the hash feature library in the at least one virus feature library; and match the fuzzy hash value of the content-changed file and the fuzzy hash value of each section in the content-changed file against the fuzzy hash feature library in the at least one virus feature library.
14. The apparatus according to claim 11, wherein, if the file type of the content-changed file is the web page type, the file feature information comprises the fuzzy hash value of the content-changed file and the byte stream obtained by the control node compressing the content-changed file, and the processing module is specifically configured to:
match the fuzzy hash value of the content-changed file against the fuzzy hash feature library in the at least one virus feature library; and decompress the byte stream obtained by compressing the content-changed file to recover the file content of the content-changed file, and match that file content against the risk operation feature library in the at least one virus feature library.
15. The apparatus according to any one of claims 11-14, wherein each piece of feature information in the file feature information corresponds to one virus feature library in the at least one virus feature library;
the processing module is further configured to, if first feature information is successfully matched with feature information in a first virus feature library, determine that the determination result is: the content-changed file is not a secure file; the first feature information is any piece of feature information in the file feature information; and the first virus feature library is the virus feature library, in the at least one virus feature library, that corresponds to the first feature information.
16. A file processing apparatus, comprising:
a determining module, configured to lock a content-changed file if it is determined that there is a content-changed file in a file-storage device;
an obtaining module, configured to extract file feature information of the content-changed file according to the file type of the content-changed file; the file feature information is a string of character information determined from the file content of the content-changed file, and is used for matching against at least one virus feature library in a scan node;
the determining module is further configured to determine a first scan node from at least one scan node;
a sending module, configured to send the file feature information to the first scan node;
a receiving module, configured to receive a determination result returned by the first scan node; the determination result is obtained by matching the file feature information against the at least one virus feature library in the first scan node;
a processing module, configured to release the lock on the content-changed file if the determination result indicates that the content-changed file is a secure file.
17. The apparatus according to claim 16, wherein the obtaining module is specifically configured to:
if the file type of the content-changed file is the Executable and Linkable Format (ELF) type, extract the hash value of the content-changed file and the fuzzy hash value of the content-changed file as the file feature information;
or, if the file type of the content-changed file is the Portable Executable (PE) type, extract the hash value of the content-changed file, the fuzzy hash value of the content-changed file, and the hash value and fuzzy hash value of each section in the content-changed file, as the file feature information;
or, if the file type of the content-changed file is the web page type, extract the fuzzy hash value of the content-changed file and the byte stream obtained by compressing the content-changed file, as the file feature information.
18. The apparatus according to claim 16 or 17, wherein the determining module is specifically configured to:
determine the scan node with the smallest load among the at least one scan node as the first scan node.
19. The apparatus according to claim 16 or 17, wherein the processing module is further configured to delete the content-changed file if the determination result indicates that the content-changed file is not a secure file.
20. The apparatus according to claim 16 or 17, wherein the processing module is further configured to delete the content-changed file if the determination result returned by the first scan node is not received within a preset check duration.
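The control-node flow of claims 6 to 10, together with the scan-node rule of claim 5 that any single feature match makes the file not secure, as an added sketch that is not code from the patent. The class and function names, the constructed feature libraries and the use of SHA-256 are assumptions; fuzzy hashes and PE sections are left out because the Python standard library has no fuzzy hash, and a non-responsive node stands in for the preset check duration expiring.

```python
import hashlib
import zlib

# Constructed feature libraries for this sketch; not real signatures.
HASH_LIBRARY = {hashlib.sha256(b"constructed-bad-elf").hexdigest()}
RISK_OPERATION_LIBRARY = (b"eval(", b"document.write(")


def extract_features(file_type, content):
    """Control node: pick features by file type (claim 7, fuzzy hashes omitted)."""
    if file_type == "elf":
        return {"hash": hashlib.sha256(content).hexdigest()}
    if file_type == "web":
        return {"compressed": zlib.compress(content)}
    raise ValueError(f"unsupported file type: {file_type}")


class ScanNode:
    def __init__(self, name, load, responsive=True):
        self.name, self.load, self.responsive = name, load, responsive

    def scan(self, features):
        """True = secure, False = a feature matched, None = no verdict in time."""
        if not self.responsive:
            return None  # stands in for the preset check duration expiring
        if features.get("hash") in HASH_LIBRARY:
            return False
        if "compressed" in features:
            body = zlib.decompress(features["compressed"])
            if any(op in body for op in RISK_OPERATION_LIBRARY):
                return False
        return True


class ControlNode:
    def __init__(self, nodes):
        self.nodes = nodes
        self.storage = {}    # path -> content
        self.locked = set()  # paths that must not be served or executed
        self.last_node = None

    def on_change(self, path, file_type, content):
        self.storage[path] = content
        self.locked.add(path)                                   # claim 6: lock first
        features = extract_features(file_type, content)
        self.last_node = min(self.nodes, key=lambda n: n.load)  # claim 8
        verdict = self.last_node.scan(features)
        if verdict is True:
            self.locked.discard(path)                           # claim 6: unlock
            return "unlocked"
        # Fail closed: an unsafe verdict (claim 9) and a missing verdict
        # (claim 10) both end with the file deleted.
        del self.storage[path]
        self.locked.discard(path)
        return "deleted"
```

An unsupported file type raises before any verdict is requested, so the file stays locked rather than being released unscanned.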
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910334563.7A CN110096877B (en) | 2019-04-24 | 2019-04-24 | File processing method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910334563.7A CN110096877B (en) | 2019-04-24 | 2019-04-24 | File processing method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN110096877A (en) | 2019-08-06 |
| CN110096877B (en) | 2021-06-04 |
Family
ID=67445793
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910334563.7A Active CN110096877B (en) | 2019-04-24 | 2019-04-24 | File processing method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110096877B (en) |
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7861300B2 (en) * | 2002-05-08 | 2010-12-28 | International Business Machines Corporation | Method and apparatus for determination of the non-replicative behavior of a malicious program |
| CN103984891A (en) * | 2005-07-29 | 2014-08-13 | Bit9公司 | Network security systems and methods |
| CN103049695A (en) * | 2012-12-11 | 2013-04-17 | 北京奇虎科技有限公司 | Computer virus monitoring method and device |
| CN104090943A (en) * | 2014-07-01 | 2014-10-08 | 中国工商银行股份有限公司 | Data file processing method, device and system |
| CN108256118A (en) * | 2018-02-13 | 2018-07-06 | 腾讯科技(深圳)有限公司 | Data processing method, device, system, computing device and storage medium |
| CN108446394A (en) * | 2018-03-26 | 2018-08-24 | 网易(杭州)网络有限公司 | The control methods of file difference and device |
| CN109522711A (en) * | 2018-10-22 | 2019-03-26 | 郑州云海信息技术有限公司 | A kind of detection defence method, device, equipment and readable storage medium storing program for executing |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110569403A (en) * | 2019-09-11 | 2019-12-13 | 腾讯科技(深圳)有限公司 | character string extraction method and related device |
| CN110569403B (en) * | 2019-09-11 | 2021-11-02 | 腾讯科技(深圳)有限公司 | Character string extraction method and related device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN110096877B (en) | 2021-06-04 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |