CN102982284B - For the scanning device of rogue program killing, cloud management equipment and method and system - Google Patents
- Publication number: CN102982284B (application number CN201210506137.5A)
- Authority: CN (China)
- Prior art keywords
- scanning
- specified
- information
- program file
- client device
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Landscapes
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
- Information Transfer Between Computers (AREA)
Abstract
The invention discloses a scanning device, a cloud management device, and a method and system for detecting and removing malicious programs. The cloud management device for malicious program detection and removal comprises: a second transmission interface; a first indicator configured to generate a first scan content indication according to the characteristics of newly emerging malicious programs and the system environment information transmitted by a client device; a first matcher configured to obtain, through the second transmission interface, the feature data of an unknown program file transmitted by the client device and to match it against known malicious program feature data records; and a second indicator configured to generate a second scan content indication when the first matcher fails to match a known record, the second scan content indication comprising scanning specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file, and to transmit it to the client device through the second transmission interface.
Description
Technical field
The invention relates to the technical field of network information security, and in particular to a scanning device, a cloud management device, and a method and system for detecting and removing malicious programs.
Background
In most existing methods for detecting and removing malicious programs, a local engine scans built-in scan locations and sends features such as the MD5 of unknown program files that it cannot identify locally to a cloud server. The cloud server compares the program file features sent by the client and decides whether the file is a malicious program; if it is, the client's local engine removes it according to cleanup logic built into the client. However, in the intense, ongoing contest between malicious programs and security software, malware authors keep finding new exploitable points in the operating system and points that security software overlooks, and thereby evade detection and removal. Once the security vendor obtains a sample of such a malicious program it usually has to modify the local engine before the new program can be detected and removed. Between obtaining the sample, analysing it manually, and pushing the new engine program files to every client, the malicious program has already spread widely.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a scanning device for malicious program detection and removal and a corresponding scanning method, a cloud management device for malicious program detection and removal and a corresponding cloud management method, and a cloud-security-based malicious program scanning system and scanning method that overcome, or at least partially solve, the above problems.
According to one aspect of the present invention, a scanning device for malicious program detection and removal is provided, comprising: a first transmission interface configured to transmit information to a server-side device and to receive information transmitted by the server-side device; an environment information reader configured to read the current system environment information of the client device and transmit it to the server-side device through the first transmission interface; a first scanner configured to obtain, through the first transmission interface, a first scan content indication determined by the server-side device at least on the basis of the system environment information, to scan the locations specified in the first scan content indication, and to transmit at least the feature data of any unknown program files found by the scan to the server-side device through the first transmission interface; and a second scanner configured to obtain, through the first transmission interface, a second scan content indication transmitted by the server-side device, the second scan content indication comprising scanning specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file, and to scan according to the second scan content indication.
According to another aspect of the present invention, a cloud management device for malicious program detection and removal is provided, comprising: a second transmission interface configured to transmit information to a client device and to receive information transmitted by the client device; a first indicator configured to generate a first scan content indication according to the characteristics of newly emerging malicious programs and the system environment information transmitted by the client device, the first scan content indication at least comprising scanning the content of specified locations and reporting the feature data of any unknown program files found, and to transmit the first scan content indication to the client device through the second transmission interface; a first matcher configured to obtain, through the second transmission interface, the feature data of an unknown program file transmitted by the client device and to match it against known malicious program feature data records; and a second indicator configured to generate a second scan content indication when the first matcher fails to match a known record, the second scan content indication comprising scanning specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file, and to transmit it to the client device through the second transmission interface.
According to yet another aspect of the present invention, a cloud-security-based malicious program scanning system is provided, comprising any of the above scanning devices for malicious program detection and removal and any of the above cloud management devices for malicious program detection and removal.
According to yet another aspect of the present invention, a cloud management method for malicious program detection and removal is provided, comprising: generating a first scan content indication according to the characteristics of newly emerging malicious programs and the system environment information transmitted by a client device, the first scan content indication at least comprising scanning the content of specified locations and reporting the feature data of any unknown program files found, and transmitting the first scan content indication to the client device; obtaining the feature data of an unknown program file transmitted by the client device and matching it against a known malicious program detection and removal database; and, when no known record can be matched from the feature data of the unknown program file, generating a second scan content indication, the second scan content indication comprising scanning specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file, and transmitting the second scan content indication to the client device.
According to yet another aspect of the present invention, a cloud-security-based malicious program scanning method is provided, comprising: the client device reads its current system environment information and transmits it to the server-side device; the server-side device generates a first scan content indication according to the characteristics of newly emerging malicious programs and the system environment information transmitted by the client device, the first scan content indication at least comprising scanning the content of specified locations and reporting the feature data of any unknown program files found, and transmits the first scan content indication to the client device; the client device scans according to the first scan content indication and transmits at least the feature data of any unknown program files found to the server-side device; the server-side device matches the feature data of the unknown program file against a known malicious program detection and removal database; when no known record can be matched from the feature data of the unknown program file, the server-side device generates a second scan content indication, the second scan content indication comprising scanning specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file, and transmits the second scan content indication to the client device; and the client device scans according to the second scan content indication.
As can be seen from the embodiments provided by the present invention, when the basic feature data of an unknown program file alone (such as its file name, MD5, SHA1 or other features computed from the file content) is not enough to decide whether it is a malicious program, or not enough to find an accurate repair scheme, the client device can be asked to further scan specified attributes of the unknown program file, such as its signature and version, and/or attributes of the unknown program file's context environment, so that unknown program files whose safety the client cannot determine on its own can be judged more accurately. With this scheme the cloud server issues personalised scan content promptly, and the detection and removal method is obtained dynamically from the server side according to the attributes of the program file and of its context environment, so that newly emerging malicious programs can be detected and removed without first upgrading the local signature database and engine program. This speeds up the response to newly emerging malicious programs and effectively curbs their rapid spread.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the present invention can be understood more clearly and implemented according to the contents of the specification, and in order to make the above and other objects, features and advantages of the present invention more apparent, specific embodiments of the present invention are set out below.
Description of the drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered as limiting the invention. Throughout the drawings, the same reference numerals designate the same parts. In the drawings:
Fig. 1 shows a cloud-security-based malicious program scanning system according to an embodiment of the present invention;
Fig. 2 shows a flowchart of a cloud-security-based malicious program scanning method according to an embodiment of the present invention; and
Fig. 3 shows a flowchart of a cloud-security-based malicious program detection and removal method according to yet another embodiment of the present invention.
Detailed description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited by the embodiments set forth herein. Rather, these embodiments are provided so that the present disclosure will be understood more thoroughly and its scope fully conveyed to those skilled in the art.
Embodiments of the invention may be applied to computer systems/servers that are operational with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations suitable for use with computer systems/servers include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, handheld or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, networked personal computers, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above systems, and so on.
Computer systems/servers may be described in the general context of computer-system-executable instructions, such as program modules, being executed by a computer system. Generally, program modules may include routines, programs, objects, components, logic, data structures and so on that perform particular tasks or implement particular abstract data types. Computer systems/servers may be practised in distributed cloud computing environments where tasks are performed by remote processing devices linked through a communications network. In a distributed cloud computing environment, program modules may be located on local or remote computing system storage media, including storage devices.
Referring to Fig. 1, a cloud-security-based malicious program scanning system according to an embodiment of the present invention comprises a scanning device 110 for malicious program detection and removal and a cloud management device 210 for malicious program detection and removal. The scanning device 110 may be located on the client side, for example in the client device 100, and the cloud management device 210 may be located on the server side, for example in the server-side device 200. The scanning device 110 can communicate with the cloud management device 210: specifically, the first transmission interface 118 of the scanning device 110 can transmit information to the server-side device 200 and receive information transmitted by the server-side device 200, and the second transmission interface 218 of the cloud management device can transmit information to the client device 100 and receive information transmitted by the client device 100. The scanning device 110 may comprise an environment information reader 112, a first scanner 114, a second scanner 116 and the first transmission interface 118. The cloud management device 210 may comprise a first indicator 212, a first matcher 214, a second indicator 216 and the second transmission interface 218.
First, the environment information reader 112 reads the current system environment information of the client device 100 and transmits it through the first transmission interface 118 to the second transmission interface 218 of the server-side device 200. The current system environment information of the client device 100 may include many things, for example any one or more of: operating system version information, system patch installation information, software installation information, driver installation information, and information about active processes and services. There are many operating systems, such as Windows 98, Windows 2003, Windows XP and Windows Vista, and each has its own version information, so from the operating system version information the server-side device 200 can tell exactly which version of the operating system the client device 100 is currently running. Active processes are the processes currently running on the system; information about each running process, such as its identifier, user name, CPU usage, memory usage and description, can be queried on the system by calling the corresponding API (Application Programming Interface) functions or by other means. After the client device 100 has initialised its local engine and network environment, the environment information reader 112 can read the current system environment information and transmit it to the server-side device 200.
After the second transmission interface 218 of the cloud management device 210 in the server-side device 200 receives the current system environment information of the client device 100, it passes it to the first indicator 212, and the first indicator 212 generates a first scan content indication according to the characteristics of newly emerging malicious programs and the system environment information transmitted by the client device 100. The characteristics of newly emerging malicious programs can be of many kinds, for example information, derived from an analysis of current malware trends, about the particular locations that new malicious programs use for hiding and/or attacking: the installation directory of a particular game, the installation directories of commonly used software, certain specific registry keys, and so on. From the hiding and/or attack locations that new malicious programs commonly use, combined with the current system environment information reported by the client device, the server-side device 200 can produce a scan content indication tailored to that client device, namely the first scan content indication. For example, if the software installation information reported by the client device 100 shows that a certain game is installed, and the characteristics of newly emerging malicious programs show that many current malicious programs hide in, or maliciously replace files in, that game's installation directory, the server-side device 200 will ask the client device 100 in the first scan content indication to scan the contents of that game's installation directory in order to find suspicious unknown program files on the client device 100. Because the first scan content indication is based not only on the characteristics of newly emerging malicious programs known to the server side but also on the specific system environment information of the client device 100, it is personalised and targeted: the first scan content indications issued to different client devices 100 will often differ.
The first scan content indication at least comprises scanning the content of specified locations and asking the client to report the feature data of any unknown program files found. Specifically, the first scan content indication may be a piece of text or a script generated from the characteristics of newly emerging malicious programs and the current system environment information of the client device 100; through this indication the client device 100 is told what content to scan and which scan results to report.
It should be noted that the first scan content indication may be unconditional or conditional. If it is conditional, the scanning device 110 in the client device 100 scans according to the first scan content indication only when the preset condition is met. Many conditions can be attached to the first scan indication, including but not limited to one or more of the following: whether a specified file exists; whether a specified directory exists; whether the attributes of a program file meet a specified condition (for example whether its MD5 message digest equals a specified value); whether a specified registry key exists; whether a specified registry value exists; whether the content of a registry key meets a specified condition; whether the content of a registry value meets a specified condition (for example whether it contains or equals a particular string or value); whether a specified process exists; whether a specified service exists; and whether a specified service meets specified conditions (for example whether it has a particular service name, service description or display name).
After the first indicator 212 on the server side has generated the first scan content indication, it transmits it through the second transmission interface 218 to the first transmission interface 118 in the client device 100.
Then the first transmission interface 118 of the scanning device 110 in the client device 100 passes the received first scan content indication, which the server-side device 200 determined at least on the basis of the system environment information, to the first scanner 114, and the first scanner 114 scans the locations specified in the first scan content indication. As mentioned above, the first scan content indication may be conditional, in which case the attached conditions may be called scan conditions, and the first scanner 114 must first check whether the scan conditions attached to the first scan content indication, such as the optional conditions listed above, are met. Only when the first scanner 114 finds that the conditions attached to the first scan content are met does it scan the locations specified in the first scan content indication. If the first scan content indication is unconditional, the first scanner 114 need not check anything first and simply scans the locations indicated in the first scan content.
Optionally, in addition to the personalised scan of the client device 100 performed according to the first scan content indication, the first scanner 114 may also perform a routine scan of the scan locations built into the local engine of the client device 100.
After the first scanner 114 has completed the scan it will have found unknown program files, and it then extracts their feature data. The feature data can be of many kinds, for example one or more of: data computed with a particular algorithm (such as MD5, SHA1 or another algorithm) over all of the unknown program file or over part of its key content (that is, a portion of content extracted from the file), and the file name. This feature data can be understood as the basic attribute information of the program file. Once the first scanner 114 has obtained the feature data of the unknown program files, it transmits it through the first transmission interface 118 to the second transmission interface 218 in the server-side device 200.
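The client-side first scan described in the preceding paragraphs (attached conditions checked first, then the specified locations scanned and MD5/SHA1 feature data extracted for each program file found), as an added example in Python that is not part of the patent. The patent says only that the indication is a piece of text or a script; the JSON field names (`conditions`, `scan_locations`, `extensions`), the condition type names and the sample files are assumptions constructed for this example, and the registry, process and service conditions are omitted because they are Windows-specific.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def digest_bytes(data: bytes, algo: str) -> str:
    return hashlib.new(algo, data).hexdigest()


def digest_file(path: Path, algo: str) -> str:
    """Hash a whole file in chunks (the text also allows hashing only part of it)."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def condition_holds(cond: dict, root: Path) -> bool:
    """Evaluate one attached scan condition. Only a fixed set of declarative
    condition types is accepted; anything else raises, so no scan runs."""
    kind = cond["type"]
    target = root / cond["path"]
    if kind == "file_exists":
        return target.is_file()
    if kind == "dir_exists":
        return target.is_dir()
    if kind == "file_md5_equals":
        return target.is_file() and digest_file(target, "md5") == cond["md5"].lower()
    raise ValueError(f"unsupported condition type: {kind!r}")


def run_first_scan(indication: dict, root: Path) -> list[dict]:
    """Scan the indicated locations under root and return per-file feature data,
    or an empty list when any attached condition is not met."""
    root = root.resolve()
    if not all(condition_holds(c, root) for c in indication.get("conditions", [])):
        return []
    reports = []
    for loc in indication["scan_locations"]:
        base = (root / loc["path"]).resolve()
        if not base.is_relative_to(root) or not base.is_dir():
            continue  # ignore locations that escape the scan root or do not exist
        wanted = {e.lower() for e in loc.get("extensions", [])}
        files = base.rglob("*") if loc.get("recursive") else base.iterdir()
        for p in files:
            if p.is_file() and (not wanted or p.suffix.lower() in wanted):
                reports.append({
                    "path": p.relative_to(root).as_posix(),
                    "name": p.name,
                    "size": p.stat().st_size,
                    "md5": digest_file(p, "md5"),
                    "sha1": digest_file(p, "sha1"),
                })
    return reports


# Constructed sample client: a game installation with an extra DLL dropped beside
# the game executable (the "replaced file in a game directory" case in the text).
SAMPLE_FILES = {
    "Games/SomeGame/SomeGame.exe": b"MZ\x90\x00 constructed game executable",
    "Games/SomeGame/d3d9.dll": b"MZ\x90\x00 constructed unknown dll",
    "Games/SomeGame/readme.txt": b"not a program file",
}

# Constructed conditional indication: scan the game directory for program files,
# but only if the game executable is actually present.
SAMPLE_INDICATION = {
    "conditions": [{"type": "file_exists", "path": "Games/SomeGame/SomeGame.exe"}],
    "scan_locations": [
        {"path": "Games/SomeGame", "recursive": True, "extensions": [".exe", ".dll"]}
    ],
}


def build_sample_client(root: Path) -> None:
    for rel, data in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo(indication: dict = SAMPLE_INDICATION) -> list[dict]:
    """Build the sample client in a temporary directory and run one first scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_client(root)
        return run_first_scan(indication, root)


if __name__ == "__main__":
    for r in demo():
        print(r["path"], r["size"], r["md5"], r["sha1"])
```

Two points a practitioner would want that the text does not spell out: the evaluator accepts only a fixed set of declarative condition types and fails closed on anything else, and scan locations that resolve outside the scan root are ignored. Both matter because an indication that can be an arbitrary script gives whoever controls, or can impersonate, the cloud side code execution on every client; the indication channel therefore needs authentication and a constrained format, which this section does not address.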
The second transmission interface 218 on the server side then provides the received feature data of the unknown program file to the first matcher 214, which matches it against the known malicious program detection and removal database. This database records feature information of malicious programs; in addition it may record the judgment logic used to decide whether a file is a malicious program, and possible detection and removal methods (such as repair logic). The features of a malicious program may include a great deal of information: file attribute information such as the file name, the digest of the program file, the file size, signature information and version information, and also context environment attributes of the program file such as the directory the file is in, its startup location in the registry, and the attributes of other files in the same directory or in a specified directory. Because present-day malicious programs are fairly complex, one or two features alone are often not enough to decide accurately whether a file is malicious, and in many cases a combined judgment over several features is needed; the logic for this combined judgment of whether an unknown program file is a malicious program is the judgment logic referred to above. Detection and removal methods include, but are not limited to, scan/judgment and repair operations. Since the server side's storage capacity, computing capacity, ability to collect malicious program feature information and update speed are all far greater than the client's, the server-side device 200 can judge, from the known database, unknown program files that the client device 100 cannot judge with its local engine.
If the first matcher 214 matches successfully in the known malicious-program killing database, that is, it can judge whether the unknown program file is malicious and, optionally, in some cases also match the corresponding repair logic, then the judgment result and the corresponding repair logic can be fed back through the second transmission interface 218 to the first transmission interface 118 of the client device 100. Optionally, the client device 100 also includes a killing unit; the first transmission interface 118 in the client device 100 passes to the killing unit the judgment result that the server-side device 200 made from the features of the unknown program file, together with the repair logic, and the killing unit performs the corresponding operation. For example, if the judgment result is that the unknown program file is malicious, the killing unit repairs it according to the repair logic returned by the server-side device 200. Repair processing includes, but is not limited to, deleting specified registry keys/values, modifying registry keys/values to specified content, deleting specified system service entries, and repairing/deleting specified program files.
For repairing a specified program file there are several repair schemes, depending on the type of file to be repaired. For example, some files to be repaired are system files, some are program files of commonly used software, and some are ordinary files. The basic principle for repairing these program files is similar: the server side matches some attribute information of the program file the client needs repaired against the cloud database to find whether there is a matching program file that is not infected by a virus; if there is, it is provided to the client as a replacement, which completes the repair. Different matching conditions can be set for different files as actual needs dictate. For instance, for a system file one may require all of the file's attribute information (file name, version information, etc.) to be identical before the match counts as successful, that is, before a replacement file for the repair is considered found; whereas for an ordinary non-system file the match can also be considered successful if what the cloud database holds is a base version or a standard version. Furthermore, even among system files, or among ordinary non-system files, different matching conditions can be set according to the file's actual application environment, its requirements, or the operating system. For example, one kind of system file may require the file name, version information and all other attributes to be identical for a successful match, while another kind of system file may be considered matched as long as the file name is identical and the version is the base or standard version.
The following takes a commonly used piece of software damaged by a Trojan as an example to describe in detail how program files are replaced during repair. After a Trojan has damaged a program file of some commonly used software, the information of the original program file is no longer available. In this case, from the information about that software that the client device 100 provided earlier, such as the software name and version and the version and directory of the program file, the server-side device 200 knows which replacement files need to be provided to the client device 100. It then matches by file name, version and other information in the cloud database, finds matching replacement files that are not infected by a virus, and provides them to the client device 100. The client device 100 then replaces the damaged program file with the uninfected program file provided by the server-side device 200, which is consistent with the local machine.
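The replacement-file matching of the two paragraphs above, as an added example that is not the patent's own logic: a small catalogue of clean files is searched under class-specific match conditions (all listed attributes identical for a system file, a base or standard version acceptable for an ordinary file when no exact version exists), and the client verifies the digest of what it receives before swapping it in. The catalogue entries, class names, version tags and the client-side digest check are constructed or assumed here.

```python
import hashlib

# Added example (not the patent's code): server-side selection of an uninfected
# replacement file under class-specific match conditions, plus the digest check
# a client should run before swapping the file in. The catalogue, class names
# and the "base"/"standard" version tags are constructed for this example.


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


# Constructed clean-file store; the byte strings stand in for real files.
CLEAN_FILES = {
    "sys-001": b"constructed clean system dll 5.1.2600.5512",
    "app-001": b"constructed clean updater.exe 2.3.1",
    "gen-std": b"constructed standard helper.dll",
}
CATALOG = [
    {"id": "sys-001", "class": "system", "file_name": "kernel32.dll",
     "os": "WinXP-SP3", "version": "5.1.2600.5512", "tag": "exact"},
    {"id": "app-001", "class": "software", "file_name": "updater.exe",
     "software": "ExampleSuite", "software_version": "2.3.1",
     "version": "2.3.1", "tag": "exact"},
    {"id": "gen-std", "class": "general", "file_name": "helper.dll",
     "version": "1.0", "tag": "standard"},
]
for entry in CATALOG:
    entry["sha1"] = sha1_hex(CLEAN_FILES[entry["id"]])

# Attributes that must be identical for each file class. The description says
# these conditions may differ per environment and OS; this table is one choice.
REQUIRED_MATCH = {
    "system": ("file_name", "os", "version"),
    "software": ("file_name", "software", "software_version"),
    "general": ("file_name",),
}


def find_replacement(request, catalog=CATALOG):
    """Return the catalogue entry to send as a replacement, or None if nothing qualifies."""
    cls = request["class"]
    keys = REQUIRED_MATCH[cls]
    candidates = [e for e in catalog if e["class"] == cls
                  and all(e.get(k) == request.get(k) for k in keys)]
    # a version-identical file is always preferred
    exact = [e for e in candidates if e.get("version") == request.get("version")]
    if exact:
        return exact[0]
    # only ordinary files may fall back to a base or standard version
    if cls == "general":
        fallback = [e for e in candidates if e.get("tag") in ("base", "standard")]
        if fallback:
            return fallback[0]
    return None


def verify_replacement(entry, content):
    """Client-side check: the bytes received must carry the digest the server promised."""
    return sha1_hex(content) == entry["sha1"]
```

The digest check matters because the replacement travels over the same channel as the verdict; a client that writes whatever bytes arrive into a system directory has turned the repair path into a file-drop path.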
If the first matcher 214 cannot match successfully in the known malicious-program killing database, that is, no accurate match can be made from the feature data of the unknown program file, it notifies the second indicator 216, which then goes on to generate a second scan content indication based on the basic information provided by the feature data of the unknown program file and the characteristics of known emerging malicious programs. The basic attribute information of the unknown program file, such as its feature data, is already known through the first indicator; this is combined with the characteristics of current malicious programs, for example which other characteristics this kind of unknown program file would generally have if it were malicious, such as that its signature information may not be a specified name, or that other files in the directory it is in or in related directories may have specified attributes.
Specifically, the second scan content indication includes scanning specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file. For example, the second scan content indication may require the client device 100 only to scan and report specified attributes of the unknown program file, or only to scan and report specified attributes of its context environment, or to report other specified attributes together with the specified attributes of the context environment.
It should be noted that the specified attributes of the unknown program file include, but are not limited to, one or more of the following: feature data, file size, security level, signature information and version information. Although the client device 100 has already reported the feature data of the unknown program file, one of its basic attributes, after scanning according to the server's first scan content indication, the client device 100 and the server-side device 200 may not hold a persistent connection; so when the client device 100 later reports the specified attribute information of the unknown program file after scanning according to the server's second scan content indication, it may have to report basic information such as the feature data of the unknown program file once more. The second scan content indication may therefore contain both a request to scan and report specified attributes other than the feature data of the unknown program file and a request to scan and report the feature data itself. Of course, if the client device 100 and the server-side device 200 hold a persistent connection, the second scan content indication need not require the client device 100 to report again basic information, such as the feature data of the unknown program file, that it has already reported. The security level includes, but is not limited to, malicious (that is, blacklisted), safe (that is, whitelisted, trusted), unknown and suspicious. The attributes of the context environment of the unknown program file include, but are not limited to, one or more of the following: information about the directory the unknown program file is in, information about specified registry key values, attribute information of other files in the same directory as the unknown program file or in a specified directory, and the running state of specified processes.
After the second indicator 216 generates the second scan content indication, it transmits it through the second transmission interface 218 to the first transmission interface 118 in the client device 100, which in turn notifies the second scanner 116 of it. The second scanner 116 then scans the specified attribute information of the unknown program file and/or the attribute information of its context environment according to the second scan content indication, and finally transmits the scan result to the second transmission interface 218 of the server-side device 200.
In one embodiment of the present invention, the second transmission interface 218 passes the scan result received from the second scanner 116 to the second indicator 216, which analyses and compares it against the known malicious-program killing database, whose contents were described above. Because the scan result the client device 100 now provides for the unknown program file contains more information, for instance other attributes such as its signature information, security level and version information, or various attribute information of its context environment, or both its other attributes and the attributes of its context environment, the second indicator 216 can use this more complete information together with the feature information and judgment logic in the malicious-program killing database to analyse further whether the unknown program file is a malicious program file, and if it judges it malicious, can further look up whether corresponding repair logic exists. Repair logic includes, but is not limited to, one or more of the following: deleting specified registry keys and/or key values, modifying registry keys and/or key values to specified content, deleting specified system service entries, and repairing or deleting specified program files.
The second indicator 216 then transmits the judgment result of whether the unknown program file is a malicious program file to the client device 100 through the second transmission interface 218. Further, if the judgment result is that it is malicious and matching repair logic can be found in the known malicious-program killing database, the matching repair logic is also transmitted to the client device through the second transmission interface 218.
The scanning device 110 on the client further includes a first processor, which obtains through the first transmission interface 118 the judgment result provided by the second indicator in the server-side device 200 as to whether the unknown program file is a malicious program file, and processes it accordingly. For example, if the judgment result is that the program file is safe, no further killing of the unknown program file is needed; if the judgment result is that it is malicious and the second indicator 216 has provided repair logic, the user can be prompted and asked whether to repair, and after the user confirms, the unknown program file is repaired according to that repair logic.
In another embodiment of the present invention, to reduce communication between the client device 100 and the server-side device 200, the second indicator 216 may, when sending the second scan content indication to the client device 100, also send along the judgment logic related to the second scan content indication, and even the repair logic related to that judgment logic. Specifically, because the second scan content indication mainly consists of scanning specified attributes of the unknown program file other than its feature data and/or specified attributes of its context environment, the server side can predict which scan results the client device 100 may obtain after scanning according to the second scan content indication, and can determine from the malicious-program killing database which scan results indicate that the unknown program file is malicious. It can therefore look up the judgment logic related to the second scan content indication, that is, how to judge from the subsequent scan results whether the unknown program file is malicious. For the malicious case, it can further look up in the known malicious-program killing database whether there is repair logic related to the above second scan content indication and judgment logic.
The scanning device 110 on the client may further include a second processor, which obtains through the transmission interface 118 the judgment logic related to the second scan content indication provided by the server-side second indicator 216, then judges, from that judgment logic and the scan result the second scanner 116 obtained by scanning according to the second scan content indication, whether the unknown program file is malicious, and processes it accordingly. For example, if the judgment is that the unknown program file is malicious, and the server-side second indicator 216 has also sent the repair logic related to the judgment logic, the corresponding repair can be performed according to that repair logic when the scan result provided by the second scanner 116 satisfies it. The rest of the processing is similar to the corresponding processing performed by the first processor in the previous embodiment and is not repeated here. In this embodiment the second scanner 116 no longer needs to upload the result of scanning the unknown program file according to the second scan content indication to the server-side device; it provides it directly to the second processor.
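The second-stage exchange of the preceding paragraphs (the second scan content indication, the judgment logic that combines several attributes, and the two embodiments in which that logic runs on the server or is shipped to the client), as an added example that is not the patent's code. The judgment logic is expressed as data, so the server derives the indication from the attributes its rules need; a rule fires only when every condition holds, and an attribute the client never reported satisfies no condition, not even "not equal to the specified signer". The rule format, attribute names, registry path, digests, snapshot and the placeholder tokens in the repair actions are all constructed for the example.

```python
# Added example (not the patent's code): the second-stage exchange run in one
# process. The first matcher misses, so the server derives a second scan
# content indication from the attributes its judgment logic needs; the client
# collects those from a constructed system snapshot; the judgment logic then
# runs either on the server (first embodiment) or on the client, after the
# server has shipped the logic with the indication (second embodiment). The
# rule format, attribute names, registry path, digests and snapshot are all
# constructed here; "<unknown_file>" and "<file_name>" are placeholders the
# client would substitute before acting on the repair logic.

MISSING = object()  # an attribute the client did not report, as opposed to a None value

KNOWN_DB = {  # first-matcher database keyed by SHA1 (constructed digest)
    "1" * 40: {"verdict": "malicious",
               "repair": [{"action": "delete_file", "path": "<unknown_file>"}]},
}

RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

# Judgment logic: a rule fires only when every condition holds; conditions name
# dotted paths into the client's scan result.
JUDGMENT_LOGIC = [
    {"name": "unsigned-autorun-from-temp",
     "all_of": [("file.signer", "not_equals", "Example Software Co."),
                ("context.run_key_present", "equals", True),
                ("context.directory", "contains", "\\AppData\\Local\\Temp")],
     "verdict": "malicious",
     "repair": [{"action": "delete_registry_value", "key": RUN_KEY, "value": "<file_name>"},
                {"action": "delete_file", "path": "<unknown_file>"}]},
    {"name": "companion-file-and-live-process",
     "all_of": [("context.sibling_files", "contains", "payload.dat"),
                ("context.process_running", "equals", True)],
     "verdict": "suspicious", "repair": []},
]

OPS = {"equals": lambda a, b: a == b,
       "not_equals": lambda a, b: a != b,
       "contains": lambda a, b: b in a}


def resolve(path, data):
    cur = data
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return MISSING
        cur = cur[part]
    return cur


def evaluate(logic, scan_result):
    """(verdict, repair) of the first rule whose conditions all hold, else ("unknown", [])."""
    for rule in logic:
        values = [(resolve(p, scan_result), op, exp) for p, op, exp in rule["all_of"]]
        # an attribute that was never reported can satisfy no condition, not even not_equals
        if all(v is not MISSING and OPS[op](v, exp) for v, op, exp in values):
            return rule["verdict"], rule["repair"]
    return "unknown", []


def build_second_indication(logic, persistent_connection=False):
    """Second scan content indication: exactly the attributes the judgment logic will need."""
    wanted = {p for rule in logic for p, _, _ in rule["all_of"]}
    return {"file_attrs": sorted(p[5:] for p in wanted if p.startswith("file.")),
            "context_attrs": sorted(p[8:] for p in wanted if p.startswith("context.")),
            "resend_feature_data": not persistent_connection}


def server_first_stage(features, ship_logic=False, persistent_connection=False):
    """First matcher; on a miss, reply with the second scan content indication."""
    record = KNOWN_DB.get(features["sha1"])
    if record:
        return {"verdict": record["verdict"], "repair": record["repair"]}
    reply = {"second_scan": build_second_indication(JUDGMENT_LOGIC, persistent_connection)}
    if ship_logic:  # second embodiment: saves the client a further round trip
        reply["judgment_logic"] = JUDGMENT_LOGIC
    return reply


def client_second_scan(indication, snapshot, features):
    """Collect only the attributes asked for; the snapshot stands in for the live host."""
    result = {"file": {a: snapshot["file"][a] for a in indication["file_attrs"]
                       if a in snapshot["file"]},
              "context": {a: snapshot["context"][a] for a in indication["context_attrs"]
                          if a in snapshot["context"]}}
    if indication["resend_feature_data"]:
        result["feature_data"] = features
    return result


SNAPSHOT = {  # constructed: what the client sees around the unknown file
    "file": {"signer": None, "size": 51200, "version": "1.0.0.0"},
    "context": {"directory": "C:\\Users\\alice\\AppData\\Local\\Temp",
                "run_key_present": True, "process_running": True,
                "sibling_files": ["payload.dat", "readme.txt"]},
}
FEATURES = {"file_name": "svchosts.exe", "sha1": "2" * 40}


def run_exchange(features=FEATURES, snapshot=SNAPSHOT, ship_logic=False):
    """Drive one unknown file through both stages; returns (verdict, repair, round_trips)."""
    reply = server_first_stage(features, ship_logic=ship_logic)
    if "verdict" in reply:
        return reply["verdict"], reply["repair"], 1
    scan = client_second_scan(reply["second_scan"], snapshot, features)
    if "judgment_logic" in reply:
        return evaluate(reply["judgment_logic"], scan) + (1,)
    return evaluate(JUDGMENT_LOGIC, scan) + (2,)
```

Shipping the judgment logic to the client (ship_logic=True) removes one round trip, as the description says, at the cost of disclosing the detection rules to whatever runs on the endpoint; the server-side variant keeps them private but needs the second upload.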
It can be seen from the above embodiments that if the scanning device 110 includes only the environment information reader 112, the first scanner 114, the second scanner 116 and the first transmission interface, it is a pure malicious-program scanning device; if it also includes the first processor or the second processor, it is essentially a device capable of completing the killing of malicious programs, and can be understood as a killing device for malicious programs.
Refer to FIG. 2, which shows a flowchart of a cloud-security-based malicious-program scanning method according to one embodiment of the present invention. The method includes a part of the flow on the client side and a part on the server side; the client-side flow is the scanning method for malicious-program killing, and the server-side flow is the cloud management method for malicious-program killing.
The method begins at step S210, in which the current system environment information of the client device is read and transmitted to the server-side device. System environment information includes, but is not limited to, any one or more of operating system version information, system patch installation information, software installation information, driver installation information, and active process and service information. This step can be implemented by the environment information reader 112 in the scanning device 110 described above; for the related technical implementation, refer to the descriptions of the environment information reader 112 in the various embodiments above, which are not repeated here.
Then, in step S220, the server-side device obtains the system environment information of the client device, generates a first scan content indication according to the characteristics of emerging malicious programs and the system environment information transmitted by the client device, and transmits the first scan content indication to the client device. The first scan content indication at least includes scanning the content of a specified location and reporting the feature data of the unknown program files found by that scan. This step can be implemented by the first indicator 212 in the server-side cloud management device 210 described above; for the related technical implementation, refer to the descriptions of the first indicator 212 in the embodiments above, which are not repeated here.
After the client device obtains, through step S220, the first scan content indication that the server-side device determined from the uploaded system environment information, in step S230 it scans the specified location in the first scan content indication and transmits at least the feature data of the unknown program files found by the scan to the server-side device, so that the server-side device can make a further judgment from it. This step can be implemented by the first scanner 114 in the client-side scanning device 110; for the related technical implementation, refer to the descriptions of the first scanner 114 in the embodiments above, which are not repeated here.
After the server-side device obtains, through step S230, the feature data of the unknown program file transmitted by the client device, in step S240 it matches that feature data against the known malicious-program killing database to judge whether the unknown program file is malicious. If the match succeeds and the unknown program file is judged malicious, it can further look up whether corresponding repair logic exists; if so, the judgment result and the repair logic can be transmitted to the client together; if no corresponding repair logic is found, only the judgment result may be transmitted to the client device. This step can be implemented by the first matcher 214 in the server-side cloud management device 210 described above; for the related technical implementation, refer to the descriptions of the first matcher 214 in the embodiments above, which are not repeated here.
If the server-side device cannot match a known record in the known malicious-program killing database, that is, it cannot judge whether the unknown program file is malicious, then in step S250 it generates a second scan content indication, which includes scanning specified attributes of the unknown program file and/or specified attributes of its context environment, and transmits the second scan content indication to the client device. The reason the server-side device sends a second scan content indication to the client device is to obtain more information about the unknown program file so as to make a further judgment. This step can be implemented by the second indicator 216 in the server-side cloud management device 210 described above; for the related technical implementation, refer to the descriptions of the second indicator 216 in the embodiments above, which are not repeated here.
After the client device obtains the second scan content indication through step S250, in step S260 it scans according to the second scan content indication and so learns the specified attributes of the unknown program file and/or the specified attributes of its context environment. For example, the specified attributes of the unknown program file include, but are not limited to, one or more of the following: the feature data, file size, security level, signature information and version information of the unknown program file. As another example, the attributes of the context environment of the unknown program file include, but are not limited to, one or more of the following: information about the directory the unknown program file is in, information about its startup location in the registry, attribute information of other files in the same directory as the program file or in a specified directory, and the running state of specified processes.
After step S260, in one embodiment of the present invention, the client device first transmits the result of scanning according to the second scan content indication to the server-side device; this step can be performed by the second scanner 116 of the embodiments above, and for the related technical features refer to the description of that component, not repeated here. After the server-side device obtains the scan result the client device produced according to the second scan content indication, it analyses and compares it further against the known malicious-program killing database, judges again whether the unknown program file is malicious, and then transmits the judgment result (such as malicious, safe, unknown or suspicious) and/or the repair logic matching the scan result to the client device. The server side can perform this step through the second indicator 216 in the cloud management device 210 of the embodiments above; for the related technical features refer to the description of that component, not repeated here. It should be noted that corresponding repair logic cannot be found in every case where a file is judged malicious. When it is found, the judgment result and the repair logic can be transmitted to the client device together; when no repair logic is found, only the judgment result may be transmitted to the client for its or the user's reference; it is also possible to transmit only the repair logic, since the client can take receipt of repair logic to mean that the unknown program file is malicious, the server-side device otherwise not returning repair logic for that file. After the client device obtains the server-side device's judgment result on whether the unknown program file is malicious, it can process it accordingly, for example by alerting the user through a pop-up window or another security reminder, or by performing the repair according to the repair logic after the user confirms. The client device can perform this step through the first processor in the scanning device 110 of the embodiments above; for the related technical features refer to the description of that component, not repeated here.
As the description of the subsequent steps of this embodiment shows, the client device has to transmit scan results to the server-side device at least twice so that the server-side device can judge from them. To reduce the number of communications between the client device and the server-side device and improve efficiency, the following flow can be used in a further embodiment of the present invention.
In a further embodiment of the present invention, in the aforementioned step S250, besides generating the second scan content indication and sending it to the client device, the server-side device also obtains from the known malicious-program killing database the judgment logic and/or repair logic related to the second scan content indication, and transmits the judgment logic and/or repair logic to the client device together with the second scan content indication. This step can be implemented by the second indicator 216 in the cloud management device 210 of the embodiments above; for the related technical implementation refer to the description of that component, not repeated here. After step S250, the client device has thus received at least the second scan content indication and the judgment logic related to it, and possibly also the repair logic related to the second scan content indication. Therefore, after the client device scans according to the second scan content indication in step S260 and obtains the scan result, it can judge from the judgment logic transmitted by the server-side device and the scan result whether the unknown program file is malicious; if so, it further checks whether the server-side device also transmitted the related repair logic, and if it did, continues to repair the unknown program file according to that repair logic, for example by deleting specified registry keys and/or key values, modifying registry keys and/or key values to specified content, deleting specified system service entries, and repairing or deleting specified program files. This step can be performed by the second processor in the scanning device 110 of the embodiments above; for the related technical implementation refer to the description of that step above, not repeated here.
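Execution of the repair logic listed above on the client, as an added example that is not the patent's code. Since repair logic received from the server is in effect an instruction to alter the registry, services and files, the executor below validates a whole batch before applying any of it: only the action kinds the description names are accepted, registry targets must lie under the Run or Services keys, file deletion is confined to the unknown file's own directory, and a replacement file must match the digest sent with it. The actions are applied to a constructed in-memory model rather than the live system; the action schema, the allowlisted paths and the model are assumptions made for the example.

```python
import hashlib
import ntpath

# Added example (not the patent's code): a client-side executor for server-
# supplied repair logic. The executor accepts only the action kinds the
# description lists, rejects targets outside an allowlist before applying
# anything, verifies the digest of any replacement file, and operates on a
# constructed in-memory model instead of the live system. The action schema,
# the allowlisted registry paths and the model are assumptions.

RUN_KEYS = ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
            "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run")
SERVICES_KEY = "HKLM\\SYSTEM\\CurrentControlSet\\Services"


class RepairRejected(ValueError):
    """Raised when any action in a repair batch fails validation."""


def norm_path(p):
    return p.replace("/", "\\").rstrip("\\").lower()


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def validate_action(action, unknown_file):
    kind = action.get("action")
    if kind in ("delete_registry_key", "delete_registry_value", "set_registry_value"):
        key = norm_path(action["key"])
        roots = [norm_path(k) for k in RUN_KEYS] + [norm_path(SERVICES_KEY)]
        if not any(key == r or key.startswith(r + "\\") for r in roots):
            raise RepairRejected("registry target outside allowlist: " + action["key"])
    elif kind == "delete_service":
        if not action.get("name"):
            raise RepairRejected("delete_service needs a service name")
    elif kind == "delete_file":
        # only the flagged file or files beside it, never arbitrary system paths
        if norm_path(ntpath.dirname(action["path"])) != norm_path(ntpath.dirname(unknown_file)):
            raise RepairRejected("delete_file outside the unknown file's directory: " + action["path"])
    elif kind == "replace_file":
        if sha1_hex(action["content"]) != action.get("sha1"):
            raise RepairRejected("replacement content does not match its digest: " + action["path"])
    else:
        raise RepairRejected("unsupported repair action: %r" % (kind,))


def new_model():
    """Constructed system model: registry keys, services and files (paths lower-cased)."""
    bad = norm_path("C:\\Users\\alice\\AppData\\Local\\Temp\\svchosts.exe")
    return {"registry": {norm_path(RUN_KEYS[0]): {"updater": bad},
                         norm_path(SERVICES_KEY + "\\EvilSvc"): {"ImagePath": bad}},
            "services": {"EvilSvc", "Dhcp"},
            "files": {bad: b"constructed trojan bytes",
                      norm_path("C:\\Program Files\\ExampleSuite\\updater.exe"): b"damaged"}}


def apply_repair(repair, unknown_file, model):
    """Validate the whole batch first, then apply; returns the kinds applied, in order."""
    for action in repair:
        validate_action(action, unknown_file)
    applied = []
    for action in repair:
        kind = action["action"]
        if kind == "delete_registry_value":
            model["registry"].get(norm_path(action["key"]), {}).pop(action["value"], None)
        elif kind == "delete_registry_key":
            model["registry"].pop(norm_path(action["key"]), None)
        elif kind == "set_registry_value":
            model["registry"].setdefault(norm_path(action["key"]), {})[action["value"]] = action["data"]
        elif kind == "delete_service":
            model["services"].discard(action["name"])
            model["registry"].pop(norm_path(SERVICES_KEY + "\\" + action["name"]), None)
        elif kind == "delete_file":
            model["files"].pop(norm_path(action["path"]), None)
        elif kind == "replace_file":
            model["files"][norm_path(action["path"])] = action["content"]
        applied.append(kind)
    return applied


def rejects(repair, unknown_file, model=None):
    """True if the batch is refused; a refused batch changes nothing in the model."""
    try:
        apply_repair(repair, unknown_file, model if model is not None else new_model())
        return False
    except RepairRejected:
        return True
```

Validating the batch as a whole before touching anything keeps a half-applied repair (an autorun entry removed but the file left behind, or the reverse) from being the result of one malformed action.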
In yet another embodiment of the present invention, a cloud-security-based malicious program detection and removal method is provided; refer to the flowchart shown in FIG. 3.
The process begins at step S310, in which the client initializes the local engine and the network environment.
Then step S320 is executed: the client reads the system environment information and sends it to the server.
Next, step S330 is executed: the server evaluates the client's system environment information against the preset scan content conditions and sends the content to be scanned to the client. The content to be scanned here corresponds to the first scan content indication in the foregoing embodiments.
Then step S340 is executed: the client executes the scan content built into the local engine together with the scan content returned by the server, obtaining the characteristics of unknown program files, such as the file name and the MD5 or SHA hash.
Then step S350 is executed: the client device sends the characteristics of the unknown program file to the server.
Thereafter, step S360 is executed: the server searches its database according to the characteristics of the program file and/or the attributes of the program file's context environment.
The process then enters step S370, which judges whether a matching record is found in the database, that is, whether a corresponding detection and removal method is found, including but not limited to a scan/judgment action and a repair action. If a matching record is found, step S380 is executed; if not, step S400 is executed.
Step S380: the server returns the corresponding detection and removal method to the client. Then step S390 is executed.
Step S390: the client performs the corresponding actions according to the detection and removal method returned by the server. The process then ends.
Step S400: the server judges whether other attributes of the client's unknown program file need to be checked further, for example attributes other than the unknown program file characteristics already reported in step S350, and/or attributes of the unknown program file's context environment. If so, the process continues with step S410; if not, it ends directly.
Step S410: according to the check conditions returned by the server, the client collects the required specified attributes of the program file and the attributes of its context environment, and then sends them to the server. The process then returns to step S360 and repeats until it ends.
In yet another embodiment of the present invention, a specific instance of malicious program detection and removal is given. For example, the executable xxxUpdate.exe of a certain media player loads xxxUpdate.dll from the same directory. This media software has a very large installed base in China, but it does not adequately protect its own program files or check them for tampering, so a malicious program m can exploit this security weakness of the media software by replacing xxxUpdate.dll with a malicious program. The detection and removal steps of the present solution are as follows:
First, the client sends the file name and MD5 value of xxxUpdate.dll to the server;
Then, the server matches the file name and MD5 value to a corresponding detection and removal method, and therefore further sends the client a scan indication (corresponding to the second scan content indication in the foregoing embodiments), judgment logic and repair logic. The scan indication requires checking whether the security level of this file is "trusted" and whether the company name in the file's signature is "北京xxx有限公司" (Beijing xxx Co., Ltd.); the judgment logic specifies that if the file's security level is not trusted and the signer company name is not "北京xxx有限公司", the file is judged to have been tampered with by a malicious program and is itself a malicious program; the corresponding repair logic specifies that if the scan result satisfies the judgment logic and the file is judged to be a malicious program, the corresponding repair action is to prevent xxxUpdate.exe from starting with the system and to replace xxxUpdate.dll with the original file.
Finally, the client scans the file according to the above scan content and judges, from the scan result and the judgment logic provided by the server, whether the file is a malicious program. If it is, the malicious program is reported to the user, and when the user chooses to clean it, the client executes the detection and removal action returned by the server, such as repair processing.
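The exchange of steps S330 to S410 and the xxxUpdate.dll instance above, modelled in Python as an added example; this is not code from the patent or from any product implementing it. The server database record, the conditional first-scan rule, the directory path, the file bodies and the attribute values are all constructed for illustration. It generalises the instance slightly: the judgment logic is carried as data (a list of attribute/operator/expected triples, evaluated as a conjunction) so that the client needs no engine update to apply a new rule, which is the point the description makes about dynamic delivery.

```python
"""Cloud-assisted detection exchange modelled on steps S330 to S410 of the
patent flow.  Added example: every record, path, file body and attribute
value below is constructed for illustration, not taken from any product."""
import hashlib
from typing import Optional


def _md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed file body; only its hash matters for the lookup.
TAMPERED_DLL = b"constructed: body of a tampered xxxUpdate.dll"
VENDOR_NAME = "北京xxx有限公司"  # signer name used in the patent's example

# Server side: constructed database keyed by (file name, MD5).  A record
# carries the three things the server returns in the patent's example:
# the second scan indication (attributes the client must collect), the
# judgment logic (a conjunction of (attribute, operator, expected) tests)
# and the repair logic (a list of remediation actions).
SERVER_DB = {
    ("xxxUpdate.dll", _md5(TAMPERED_DLL)): {
        "scan": ["security_level", "signer"],
        "judge": [("security_level", "!=", "trusted"),
                  ("signer", "!=", VENDOR_NAME)],
        "repair": ["disable_autostart:xxxUpdate.exe",
                   "restore_original:xxxUpdate.dll"],
    },
}

# Constructed conditional first scan indication (step S330): a location is
# scanned only when the client's environment satisfies the rule's condition.
FIRST_SCAN_RULES = [
    ({"software_installed": "xxxMedia"}, r"C:\Program Files\xxxMedia"),
]

OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b}


def server_first_scan_indication(env: dict) -> list:
    """Step S330: return the scan locations whose conditions `env` satisfies."""
    return [loc for cond, loc in FIRST_SCAN_RULES
            if all(v in env.get(k, []) for k, v in cond.items())]


def server_lookup(name: str, md5: str) -> Optional[dict]:
    """Steps S360/S370: match (file name, MD5) against the known records."""
    return SERVER_DB.get((name, md5))


def client_collect_features(inventory: dict, locations: list) -> list:
    """Steps S340/S350: report (path, file name, MD5) for files under the
    indicated locations.  `inventory` stands in for the client's file system."""
    return [(path, path.rsplit("\\", 1)[-1], _md5(rec["content"]))
            for path, rec in inventory.items()
            if any(path.startswith(loc) for loc in locations)]


def evaluate_judgment(scan_result: dict, judge: list) -> bool:
    """Client-side judgment: every condition of the server's logic must hold."""
    return all(OPS[op](scan_result.get(attr), expected)
               for attr, op, expected in judge)


def run_exchange(env: dict, inventory: dict) -> dict:
    """One round of the exchange.  Returns {path: (verdict, repair_actions)}."""
    verdicts = {}
    for path, name, md5 in client_collect_features(
            inventory, server_first_scan_indication(env)):
        record = server_lookup(name, md5)
        if record is None:            # S400 with no further checks configured
            verdicts[path] = ("unknown", [])
            continue
        # S410: the client collects only the attributes the server asked for.
        scan_result = {a: inventory[path].get(a) for a in record["scan"]}
        if evaluate_judgment(scan_result, record["judge"]):
            verdicts[path] = ("malicious", list(record["repair"]))
        else:
            verdicts[path] = ("clean", [])
    return verdicts


# Constructed client state: the media software is installed and its DLL has
# been replaced by an unsigned, untrusted file; a user document lies outside
# the indicated location and is therefore never reported to the server.
SAMPLE_ENV = {"software_installed": ["xxxMedia", "SomeBrowser"]}
SAMPLE_INVENTORY = {
    r"C:\Program Files\xxxMedia\xxxUpdate.dll": {
        "content": TAMPERED_DLL, "security_level": "unknown", "signer": ""},
    r"C:\Program Files\xxxMedia\xxxUpdate.exe": {
        "content": b"constructed: vendor exe", "security_level": "trusted",
        "signer": VENDOR_NAME},
    r"C:\Users\alice\notes.txt": {
        "content": b"constructed: user notes", "security_level": "trusted",
        "signer": ""},
}

if __name__ == "__main__":
    for p, (verdict, actions) in run_exchange(SAMPLE_ENV, SAMPLE_INVENTORY).items():
        print(f"{p}: {verdict} {actions}")
```

Two design points worth noting for anyone building on this pattern. The conditional first scan indication keeps the client from reporting files outside the locations the server asked about, which limits what leaves the endpoint. And because the server is pushing remediation instructions, the repair logic should be restricted to a fixed vocabulary of actions the client already knows how to perform (as the action strings above are), and the channel carrying it needs integrity protection and server authentication; otherwise anyone who can tamper with the exchange can direct the client to delete or replace files.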
In another embodiment of the present invention, the client device does not report the current system environment information to the server-side device, so the server side does not need to generate the first scan content indication from the client device's reported system environment information and have the client device scan according to it. Instead, the client device scans directly according to scan logic already known to it (for example the local engine's scan logic, or scan logic previously communicated by the server), and then reports the suspicious unknown program files whose safety it cannot determine directly to the server-side device. The rest of the processing is the same as described in the foregoing embodiments and is not repeated here.
It can be seen from the embodiments of the present invention described above that, when the file name, MD5, SHA and similar characteristics of a suspicious unknown program file alone are insufficient to judge whether it is a malicious program or to find an accurate repair scheme, the embodiments can require the client device to further scan other attributes of the unknown program file, such as its signature and version, and/or attributes of the unknown program file's context environment, and use these for a further judgment, so that unknown program files whose safety the client cannot determine by itself are judged more accurately. With this scheme, whether the client sends the results of the further attribute scans to the server for judgment, or the server sends the judgment logic and repair logic associated with the scan results to the client so that it judges by itself, the essence is the same: the cloud server promptly delivers customized scan content, and the detection and removal method is obtained dynamically from the server according to the attributes of the program file and of its context environment. This avoids having to upgrade the local signature database and engine program before new malicious programs can be detected and removed, which speeds up the response to new malicious programs and effectively curbs their rapid spread.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems can also be used with the teachings herein. The structure required to construct such systems is apparent from the above description. Furthermore, the present invention is not directed to any particular programming language. It should be understood that various programming languages can be used to implement the content of the present invention described herein, and the above description of a particular language is given to disclose the best mode of the present invention.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the present invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, in order to streamline this disclosure and to aid understanding of one or more of the various inventive aspects, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the Detailed Description are hereby expressly incorporated into this Detailed Description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will understand that the modules in the devices of the embodiments can be adaptively changed and arranged in one or more devices different from those of the embodiments. The modules, units or components of the embodiments can be combined into one module, unit or component, and can furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features included in other embodiments but not others, combinations of features from different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any one of the claimed embodiments may be used in any combination.
The component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the scanning device or cloud management device for malicious program detection and removal according to the embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program or computer program product) for performing part or all of the methods described herein. Such a program implementing the present invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any order. These words may be interpreted as names.
Disclosed herein is A1, a scanning device for malicious program detection and removal, comprising: a first transmission interface, configured to transmit information to a server-side device and to receive information transmitted by the server-side device; an environment information reader, configured to read the current system environment information of the client device and transmit it to the server-side device through the first transmission interface; a first scanner, configured to obtain through the first transmission interface a first scan content indication determined by the server-side device at least on the basis of the system environment information, to scan the specified locations in the first scan content indication, and to transmit at least the characteristic data of the unknown program files found by the scan to the server-side device through the first transmission interface; and a second scanner, configured to obtain through the first transmission interface a second scan content indication transmitted by the server-side device, the second scan content indication comprising scanning specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file, and to scan according to the second scan content indication.
A2. The scanning device according to A1, wherein the second scanner is further configured to transmit the scan result obtained by scanning according to the second scan content indication to the server-side device through the first transmission interface; and the scanning device further comprises: a first repairer, configured to obtain through the first transmission interface the repair logic determined by the server-side device on the basis of the scan result provided by the second scanner, and to repair the unknown program file according to the repair logic.
A3. The scanning device according to A1, further comprising: a second repairer, configured to obtain through the first transmission interface, from the server-side device, the repair logic associated with the second scan content indication and transmitted together with it, and to repair the unknown program file when the scan result of the second scanner satisfies the repair logic.
A4. The scanning device according to A2 or A3, wherein the repair processing comprises one or more of the following: deleting specified registry keys and/or values, modifying registry keys and/or values to specified content, deleting specified system service entries, and repairing or deleting specified program files.
A5. The scanning device according to any one of A1 to A4, wherein the system environment information comprises one or more of the following: operating system version information, system patch installation information, software installation information, driver installation information, and information on the processes and services running in the system.
A6. The scanning device according to any one of A1 to A5, wherein the characteristic data of the program file comprises one or more of the following: data obtained by applying a specific algorithm to all or part of the key content of the unknown program file, and the file name; and the specified attributes of the unknown program file comprise one or more of the following: characteristic data, file size, security level, signature information and version information.
A7. The scanning device according to any one of A1 to A6, wherein the attributes of the context environment of the unknown program file comprise one or more of the following: information on the directory in which the unknown program file resides, information on its startup location in the registry, attribute information of other files in the same directory as the program file or in a specified directory, and the running state of a specified process.
Disclosed herein is B8, a cloud management device for malicious program detection and removal, comprising: a second transmission interface, configured to transmit information to a client device and to receive information transmitted by the client device; a first indicator, configured to generate a first scan content indication according to the characteristics of newly emerging malicious programs and the system environment information transmitted by the client device, the first scan content indication comprising at least scanning the content of specified locations and reporting the characteristic data of the unknown program files found by the scan, and to transmit the first scan content indication to the client device through the second transmission interface; a first matcher, configured to obtain through the second transmission interface the characteristic data of the unknown program file transmitted by the client device and to match it against known malicious program characteristic data records; and a second indicator, configured to generate a second scan content indication when the first matcher fails to match a known record, the second scan content indication comprising scanning specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file, and to transmit it to the client device through the second transmission interface.
B9. The cloud management device according to B8, wherein: the second indicator is further configured to obtain through the second transmission interface the scan result obtained by the client device scanning according to the second scan content indication, to judge from it whether the unknown program file is a malicious program, and to transmit the judgment result to the client device through the second transmission interface; or the second indicator is further configured to transmit the judgment logic associated with the second scan content indication together with it to the client device through the second transmission interface, the judgment logic being logic for judging whether the unknown program file is a malicious program.
B10. The cloud management device according to B9, wherein the second indicator is further configured to match the scan result obtained by the client device scanning according to the second scan content indication against the known malicious program detection and removal database and, if repair logic matching the scan result is found, to transmit it to the client device through the second transmission interface; or the second indicator is further configured to match the second scan content indication against the known malicious program detection and removal database and to transmit the matched repair logic associated with the second scan content indication, together with the second scan content indication, to the client device through the second transmission interface.
B11. The cloud management device according to any one of B8 to B10, wherein the characteristics of newly emerging malicious programs comprise: characteristic information on the specific locations that newly emerging malicious programs use to hide and/or attack.
B12. The cloud management device according to any one of B8 to B11, wherein the first scan content indication is a conditional indication, the conditions comprising one or more of the following: whether a specified file exists, whether a specified directory exists, whether the attributes of a program file satisfy specified conditions, whether a specified registry key exists, whether a specified registry value exists, whether the content of a registry key satisfies specified conditions, whether the content of a registry value satisfies specified conditions, whether a specified process exists, and whether a specified service exists.
B13. The cloud management device according to any one of B8 to B12, wherein the repair logic comprises one or more of the following: deleting specified registry keys and/or values, modifying registry keys and/or values to specified content, deleting specified system service entries, and repairing or deleting specified program files.
B14. The cloud management device according to any one of B8 to B13, wherein the characteristic data of the unknown program file comprises one or more of the following: data obtained by applying a specific algorithm to all or part of the key content of the unknown program file, and the file name; and the specified attributes of the unknown program file comprise one or more of the following: characteristic data, file size, signature information and version information.
B15. The cloud management device according to any one of B8 to B14, wherein the attributes of the context environment of the unknown program file comprise one or more of the following: information on the directory in which the unknown program file resides, security level information, information on its startup location in the registry, attribute information of other files in the same directory as the program file or in a specified directory, and the running state of a specified process.
Disclosed herein is C16, a cloud-security-based malicious program scanning system, comprising the scanning device for malicious program detection and removal according to any one of A1 to A7 and the cloud management device for malicious program detection and removal according to any one of B8 to B15.
Disclosed herein is D17, a scanning method for malicious program detection and removal, comprising: reading the current system environment information of a client device and transmitting it to a server-side device; obtaining a first scan content indication determined by the server-side device on the basis of the system environment information, scanning the specified locations in the first scan content indication, and transmitting at least the characteristic data of the unknown program files found by the scan to the server-side device; and obtaining a second scan content indication transmitted by the server-side device, the second scan content indication comprising scanning specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file, and scanning according to the second scan content indication.
D18. The scanning method according to D17, further comprising: transmitting the scan result obtained by scanning according to the second scan content indication to the server-side device, obtaining the judgment result, determined by the server-side device from that scan result, as to whether the unknown program file is a malicious program, and performing corresponding processing according to the judgment result; or obtaining the judgment logic associated with the second scan content indication communicated by the server-side device, determining from the scan result obtained according to the second scan content indication and that judgment logic whether the unknown program file is a malicious program, and performing corresponding processing.
Disclosed herein is E19, a cloud management method for malicious program detection and removal, comprising: generating a first scan content indication according to the characteristics of newly emerging malicious programs and the system environment information transmitted by a client device, the first scan content indication comprising at least scanning the content of specified locations and reporting the characteristic data of the unknown program files found by the scan, and transmitting the first scan content indication to the client device; obtaining the characteristic data of the unknown program file transmitted by the client device and matching it against the known malicious program detection and removal database; and, when the characteristic data of the unknown program file fails to match a known record, generating a second scan content indication comprising scanning specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file, and transmitting the second scan content indication to the client device.
E20. The cloud management method according to E19, further comprising: obtaining the scan result obtained by the client device scanning according to the second scan content indication, judging from it whether the unknown program file is a malicious program, and transmitting the judgment result and/or the repair logic matching the scan result to the client device; or transmitting the judgment logic and/or repair logic associated with the second scan content indication to the client device together with the second scan content indication.
Disclosed herein is F21, a cloud-security-based malicious program scanning method, comprising: a client device reads the current system environment information and transmits it to a server-side device; the server-side device generates a first scan content indication according to the characteristics of newly emerging malicious programs and the system environment information transmitted by the client device, the first scan content indication comprising at least scanning the content of specified locations and reporting the characteristic data of the unknown program files found by the scan, and transmits the first scan content indication to the client device; the client device scans according to the first scan content indication and transmits at least the characteristic data of the unknown program files found by the scan to the server-side device; the server-side device matches the characteristic data of the unknown program file against the known malicious program detection and removal database; when the characteristic data of the unknown program file fails to match a known record, the server-side device generates a second scan content indication comprising scanning specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file, and transmits the second scan content indication to the client device; and the client device scans according to the second scan content indication.
Claims (17)
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210506137.5A CN102982284B (en) | 2012-11-30 | 2012-11-30 | For the scanning device of rogue program killing, cloud management equipment and method and system |
PCT/CN2013/088196 WO2014082599A1 (en) | 2012-11-30 | 2013-11-29 | Scanning device, cloud management device, method and system for checking and killing malicious programs |
US14/648,298 US9830452B2 (en) | 2012-11-30 | 2013-11-29 | Scanning device, cloud management device, method and system for checking and killing malicious programs |
US15/823,534 US20180082061A1 (en) | 2012-11-30 | 2017-11-27 | Scanning device, cloud management device, method and system for checking and killing malicious programs |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210506137.5A CN102982284B (en) | 2012-11-30 | 2012-11-30 | For the scanning device of rogue program killing, cloud management equipment and method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102982284A CN102982284A (en) | 2013-03-20 |
CN102982284B true CN102982284B (en) | 2016-04-20 |
Family ID=47856288
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201210506137.5A Active CN102982284B (en) | 2012-11-30 | 2012-11-30 | For the scanning device of rogue program killing, cloud management equipment and method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102982284B (en) |
Families Citing this family (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2014082599A1 (en) * | 2012-11-30 | 2014-06-05 | 北京奇虎科技有限公司 | Scanning device, cloud management device, method and system for checking and killing malicious programs |
CN103390130B (en) * | 2013-07-18 | 2017-04-05 | 北京奇虎科技有限公司 | Based on the method for the rogue program killing of cloud security, device and server |
CN103618626A (en) * | 2013-11-28 | 2014-03-05 | 北京奇虎科技有限公司 | Method and system for generating safety analysis report on basis of logs |
CN103929323A (en) * | 2013-12-16 | 2014-07-16 | 汉柏科技有限公司 | Health degree monitoring method of cloud network equipment |
CN104462975A (en) * | 2014-12-19 | 2015-03-25 | 北京奇虎科技有限公司 | Program scanning method, device and system |
CN104462601B (en) * | 2014-12-31 | 2017-04-12 | 北京奇安信科技有限公司 | File scanning method, device and system |
CN104573518B (en) * | 2015-01-23 | 2019-03-26 | 百度在线网络技术(北京)有限公司 | File scanning method, device, server and system |
TWI547823B (en) * | 2015-09-25 | 2016-09-01 | 緯創資通股份有限公司 | Method and system for analyzing malicious code, data processing apparatus and electronic apparatus |
CN105335191B (en) * | 2015-10-16 | 2019-03-01 | 珠海豹趣科技有限公司 | A kind of method, apparatus and terminal of end of scan equipment |
CN105429956B (en) * | 2015-11-02 | 2018-09-25 | 重庆大学 | Malware detection system based on P2P dynamic clouds and method |
CN106682508B (en) * | 2016-06-17 | 2019-01-11 | 腾讯科技(深圳)有限公司 | The checking and killing method and device of virus |
CN107645483B (en) * | 2016-07-22 | 2021-03-19 | 创新先进技术有限公司 | Risk identification method, risk identification device, cloud risk identification device and system |
CN106682495B (en) * | 2016-11-11 | 2020-01-10 | 腾讯科技(深圳)有限公司 | Safety protection method and safety protection device |
CN110971575B (en) * | 2018-09-29 | 2023-04-18 | 北京金山云网络技术有限公司 | Malicious request identification method and device, electronic equipment and computer storage medium |
CN109829303A (en) * | 2018-12-28 | 2019-05-31 | 北京奇安信科技有限公司 | A kind of Intranet cloud checking and killing method, console and client based on system file |
CN110879887B (en) * | 2019-11-15 | 2022-03-04 | 杭州安恒信息技术股份有限公司 | A mining Trojan program repair method, device, equipment and medium |
CN114115936A (en) * | 2021-10-27 | 2022-03-01 | 安天科技集团股份有限公司 | Method and device for upgrading computer program, electronic equipment and storage medium |
US20240370560A1 (en) * | 2023-05-01 | 2024-11-07 | Crowdstrike, Inc. | Detecting targeted intrusion on mobile devices |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101924762A (en) * | 2010-08-18 | 2010-12-22 | 奇智软件(北京)有限公司 | A proactive defense method based on cloud security |
CN102279912A (en) * | 2011-06-03 | 2011-12-14 | 奇智软件(北京)有限公司 | Client program monitoring method and device and client |
CN102592103A (en) * | 2011-01-17 | 2012-07-18 | 中国电信股份有限公司 | Secure file processing method, equipment and system |
US8302192B1 (en) * | 2008-04-30 | 2012-10-30 | Netapp, Inc. | Integrating anti-virus in a clustered storage system |
CN102799811A (en) * | 2012-06-26 | 2012-11-28 | 腾讯科技(深圳)有限公司 | Scanning method and device |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102750463A (en) * | 2011-12-16 | 2012-10-24 | 北京安天电子设备有限公司 | System and method for improving file rescanning speed |
- 2012-11-30 CN CN201210506137.5A patent/CN102982284B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8302192B1 (en) * | 2008-04-30 | 2012-10-30 | Netapp, Inc. | Integrating anti-virus in a clustered storage system |
CN101924762A (en) * | 2010-08-18 | 2010-12-22 | 奇智软件(北京)有限公司 | A proactive defense method based on cloud security |
CN102592103A (en) * | 2011-01-17 | 2012-07-18 | 中国电信股份有限公司 | Secure file processing method, equipment and system |
CN102279912A (en) * | 2011-06-03 | 2011-12-14 | 奇智软件(北京)有限公司 | Client program monitoring method and device and client |
CN102799811A (en) * | 2012-06-26 | 2012-11-28 | 腾讯科技(深圳)有限公司 | Scanning method and device |
Also Published As
Publication number | Publication date |
---|---|
CN102982284A (en) | 2013-03-20 |
Similar Documents
Publication | Title |
---|---|
CN102982284B (en) | For the scanning device of rogue program killing, cloud management equipment and method and system |
CN103034808B (en) | Scan method, equipment and system and cloud management and equipment |
US9953162B2 (en) | Rapid malware inspection of mobile applications |
US10176321B2 (en) | Leveraging behavior-based rules for malware family classification |
CN102483780B (en) | Anti-virus scan |
KR101693370B1 (en) | Fuzzy whitelisting anti-malware systems and methods |
CA2770265C (en) | Individualized time-to-live for reputation scores of computer files |
CN103679031B (en) | A kind of immune method and apparatus of file virus |
US20180082061A1 (en) | Scanning device, cloud management device, method and system for checking and killing malicious programs |
RU2573265C2 (en) | Method of detecting false positive results of scanning files for malware |
CN103473501B (en) | A malware tracking method based on cloud security |
CN102982121B (en) | A kind of file scanning method, file scanning device and file detection system |
JP5599892B2 (en) | Malware detection and response to malware using link files |
CN103207970B (en) | Virus document scan method and device |
CN104811453B (en) | Active defense method and device |
CN110826064A (en) | A malicious file processing method, device, electronic device and storage medium |
US10127382B2 (en) | Malware detection method |
CN103281325A (en) | Method and device for processing file based on cloud security |
CN103618626A (en) | Method and system for generating safety analysis report on basis of logs |
CN107171894A (en) | The method of terminal device, distributed high in the clouds detecting system and pattern detection |
CN103279707A (en) | Method, device and system for actively defending against malicious programs |
CN103793649A (en) | Method and device for cloud-based safety scanning of files |
CN106130966A (en) | A kind of bug excavation detection method, server, device and system |
CN105791250A (en) | App detection method and device |
CN115495740A (en) | A virus detection method and device |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
C14 | Grant of patent or utility model | |
GR01 | Patent grant | |
TR01 | Transfer of patent right | Effective date of registration: 20220801. Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015. Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park). Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.; Qizhi software (Beijing) Co.,Ltd. |