
CN103793649A - Method and device for cloud-based safety scanning of files - Google Patents


Info

Publication number: CN103793649A
Application number: CN201310597951.7A
Authority: CN (China)
Prior art keywords: compressed package; file; decompression; described compressed; module
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Inventors: 魏志江, 孙晓骏
Current Assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Application filed by: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Priority: CN201310597951.7A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Debugging And Monitoring (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method and device for scanning files through cloud security, belonging to the field of communication security. The method comprises: extracting information from the currently downloaded compressed package; judging, according to the extracted information, whether the compressed package is safe; if it is not safe, providing a security prompt; calling the decompression interface corresponding to the compression format of the compressed package; decompressing the compressed package through the called decompression interface and mapping the decompressed files directly into memory; and scanning and cleaning the decompressed files. The device comprises: an extraction module, a first judging module, a prompting module, a first calling module, a first processing module and a first scanning-and-cleaning module. By decompressing the compressed package through the called decompression interface and mapping the decompressed files directly into memory, the invention makes it possible to decompress compressed packages of any format and to scan and clean them completely, leaving no security hole.

Description

Method and device for scanning files through cloud security
Technical field
The application relates to the field of communication security, and in particular to a method and device for scanning files through cloud security.
Background
With the development of communication technology, terminal devices such as mobile phones and computers have become increasingly powerful: they are used not only to browse information on the web but also for shopping and payment, downloading various data, and so on. To protect a terminal device and prevent it from being infected, various security software is usually installed on it, and the security software scans the data on the device, or the data being downloaded, for viruses.
When existing security software scans for viruses, it uses the decompression engine preset in the security software to decompress a compressed package, and then scans and cleans the decompressed files.
However, compressed packages come in many formats, and decompressing different formats requires different decompression engines. Existing security software can therefore only decompress packages whose compression format matches its preset decompression engine. This limits decompression, so files cannot be completely scanned and cleaned, which leaves a security hole. For example, some malware packs a CMD file, a bat file or a shortcut into a compressed package; or transmits a single file (pif) in it, whose icon may be that of an application file; or a VBS (script file); or creates a folder and places a folder configuration file (desktop.ini) in it; or uses scheduled tasks; or uses simulated mouse clicks, and so on. An online-shopping Trojan may even deliver a compressed package that is subsequently decompressed to the desktop of the user's computer; if the user deliberately clicks it or carelessly double-clicks it to start it, the files contained in the package become dangerous.
Summary of the invention
The technical problem to be solved by the application is to provide a method and device for scanning files through cloud security in which the compressed package is decompressed through a called decompression interface, the decompressed files are mapped directly into memory, and the decompressed files are scanned and cleaned, so that compressed packages of any format can be decompressed and completely scanned and cleaned, leaving no security hole.
To solve the above problem, the application discloses a method of scanning files, the method comprising:
Extracting information from the currently downloaded compressed package;
Judging, according to the extracted information, whether the compressed package is safe;
If it is not safe, providing a security prompt;
Calling the decompression interface corresponding to the compression format of the compressed package;
Decompressing the compressed package through the called decompression interface, and mapping the decompressed files directly into memory;
Scanning and cleaning the decompressed files.
Further, the extracted information comprises: the download source of the compressed package, the storage path of the compressed package and the feature identifier of the compressed package;
Correspondingly, judging whether the compressed package is safe according to the extracted information comprises:
Detecting the security of the compressed package according to its download source, its storage path and its feature identifier;
Judging, according to the detection result, whether the compressed package is safe.
Further, before calling the decompression interface corresponding to the compression format of the compressed package, the method also comprises:
Obtaining the compression format of the compressed package;
Judging whether the compression format of the compressed package corresponds to the local default decompression engine;
If it does not correspond, performing the step of calling the decompression interface corresponding to the compression format of the compressed package.
Further, obtaining the compression format of the compressed package comprises:
Monitoring the process creation operations of programs;
Obtaining the command-line parameters with which the created process is executed;
Obtaining, according to those command-line parameters, the process path of the created process that corresponds to the compressed package;
Obtaining the compression format of the compressed package according to the file name of the process file contained in the process path.
Further, after judging whether the compression format of the compressed package corresponds to the local default decompression engine, the method also comprises:
If it corresponds, calling the local default decompression engine to decompress the compressed package, and then performing the step of scanning and cleaning the decompressed files.
Further, while the compressed package is being decompressed, the method also comprises:
Monitoring the decompression process, and determining from file creation operations and file close operations whether a decompressed file has been obtained.
Further, monitoring the decompression process and determining from file creation operations and file close operations whether a decompressed file has been obtained comprises:
Monitoring the decompression process;
If the parent process of the decompression process is a decompression application, and the compressed package being decompressed by the decompression application contains the process file of the decompression process, judging that the process file of the decompression process is a file from the compressed package;
When the decompression process completes a file creation operation and a file close operation, determining that one file has been decompressed.
Further, before the decompressed files are scanned and cleaned, the method also comprises:
Judging whether the decompressed files contain a compressed package;
If so, calling the decompression interface corresponding to the compression format of the compressed package contained in the decompressed files;
Decompressing that contained compressed package through the called decompression interface, mapping the decompressed files directly into memory, and then performing the step of scanning and cleaning the decompressed files.
Further, scanning and cleaning the decompressed files comprises:
Querying the server for the security level of the decompressed files;
Scanning and cleaning the decompressed files according to the security level.
To solve the above problem, the application also discloses a device for scanning files, the device comprising:
An extraction module, configured to extract information from the currently downloaded compressed package;
A first judging module, configured to judge, according to the extracted information, whether the compressed package is safe;
A prompting module, configured to provide a security prompt if the judgement of the first judging module is that the package is not safe;
A first calling module, configured to call the decompression interface corresponding to the compression format of the compressed package;
A first processing module, configured to decompress the compressed package through the called decompression interface and map the decompressed files directly into memory;
A first scanning-and-cleaning module, configured to scan and clean the decompressed files.
Further, the extracted information comprises: the download source of the compressed package, the storage path of the compressed package and the feature identifier of the compressed package;
Correspondingly, the first judging module comprises:
A detecting unit, configured to detect the security of the compressed package according to its download source, its storage path and its feature identifier;
A judging unit, configured to judge, according to the detection result, whether the compressed package is safe.
Further, the device also comprises:
An acquisition module, configured to obtain the compression format of the compressed package before the decompression interface corresponding to that format is called;
A second judging module, configured to judge whether the compression format of the compressed package corresponds to the local default decompression engine;
A first notification module, configured to notify the first calling module, if the judgement of the second judging module is that they do not correspond, to perform the step of calling the decompression interface corresponding to the compression format of the compressed package.
Further, the acquisition module comprises:
A first monitoring unit, configured to monitor the process creation operations of programs;
A first acquiring unit, configured to obtain the command-line parameters with which the created process is executed;
A second acquiring unit, configured to obtain, according to those command-line parameters, the process path of the created process that corresponds to the compressed package;
A third acquiring unit, configured to obtain the compression format of the compressed package according to the file name of the process file contained in the process path.
Further, the device also comprises:
A second notification module, configured, if the judgement of the second judging module is that they correspond, to call the local default decompression engine to decompress the compressed package and then notify the first scanning-and-cleaning module to perform the step of scanning and cleaning the decompressed files.
Further, the device also comprises:
A monitoring module, configured, while the compressed package is being decompressed, to monitor the decompression process and determine from file creation operations and file close operations whether a decompressed file has been obtained.
Further, the monitoring module comprises:
A second monitoring unit, configured to monitor the decompression process;
A deciding unit, configured to judge that the process file of the decompression process is a file from the compressed package if the parent process of the decompression process is a decompression application and the compressed package being decompressed by the decompression application contains the process file of the decompression process;
A determining unit, configured to determine that one file has been decompressed when the decompression process completes a file creation operation and a file close operation.
Further, the device also comprises:
A third judging module, configured to judge whether the decompressed files contain a compressed package;
A second calling module, configured, if so, to call the decompression interface corresponding to the compression format of the compressed package contained in the decompressed files;
A second processing module, configured to decompress that contained compressed package through the called decompression interface, map the decompressed files directly into memory, and then perform the step of scanning and cleaning the decompressed files.
Further, the first scanning-and-cleaning module comprises:
A query unit, configured to query the server for the security level of the decompressed files;
A scanning-and-cleaning unit, configured to scan and clean the decompressed files according to the security level.
Compared with the prior art, the application can achieve the following technical effects:
The compressed package is decompressed through the called decompression interface, the decompressed files are mapped directly into memory, and the decompressed files are scanned and cleaned, so that compressed packages of any format can be decompressed and completely scanned and cleaned, leaving no security hole. Compressed packages in the corresponding format can be decompressed with the local default decompression engine, which speeds up decompression and improves the efficiency of the security scan. The decompression process can be monitored, and whether a decompressed file has been obtained is determined from file creation operations and file close operations, which ensures that the decompressed files are obtained.
Of course, a product implementing the application does not necessarily need to achieve all of the above technical effects at the same time.
Brief description of the drawings
The drawings described here are provided for further understanding of the application and form part of it. The illustrative embodiments of the application and their descriptions are used to explain the application and do not unduly limit it. In the drawings:
Fig. 1 is a flowchart of the first method of scanning files through cloud security according to an embodiment of the application;
Fig. 2 is a flowchart of the second method of scanning files through cloud security according to an embodiment of the application;
Fig. 3 is a schematic structural diagram of the first device for scanning files through cloud security according to an embodiment of the application;
Fig. 4 is a schematic structural diagram of the second device for scanning files through cloud security according to an embodiment of the application;
Fig. 5 is a schematic structural diagram of the third device for scanning files through cloud security according to an embodiment of the application;
Fig. 6 is a schematic structural diagram of the fourth device for scanning files through cloud security according to an embodiment of the application;
Fig. 7 is a schematic structural diagram of the fifth device for scanning files through cloud security according to an embodiment of the application.
Detailed description
The embodiments of the application are described in detail below with reference to the drawings and examples, so that how the application applies technical means to solve the technical problem and achieve the technical effect can be fully understood and implemented accordingly.
To keep up with the rate at which malicious programs are updated, and to identify and remove them quickly, active defense technology is now commonly used. Active defense is a real-time protection technology that makes autonomous judgements based on analysis of program behaviour; it protects key locations of the system by placing interception points at them. For example, when a program performs a behaviour that modifies these key locations (such as writing to the registry, creating a scheduled task, changing the browser home page, changing the default browser or registering a browser plug-in), the program is intercepted. After interception it must be decided whether the modification is malicious, which is usually done by judging whether the program performing the modification is safe: if the program is malicious, the modification is malicious, and the program's execution must be blocked. In general, active defense checks the security of a program by inspecting the program's files. However, inspecting a program's files requires computing file hashes and accessing the network, both of which are time-consuming, and a typical program loads dozens or even hundreds of DLL files; even with caching as an optimization, program start-up time is noticeably lengthened. Therefore, to minimize the impact on program performance, active defense checks only the program's EXE file and does not check the DLL files the program loads. Some malicious programs exploit exactly this: using DLL hijacking, they package the malicious program's DLL file together with a program on a trusted whitelist (for example, a program that ships with the operating system). When the user chooses to run the whitelisted program, the malicious DLL is loaded, and active defense fails to intercept the malicious program. The file-scanning method provided by the invention can also scan DLL files, which addresses this problem.
Description of the embodiments
The implementation of the method of the application is further described below with an embodiment. Fig. 1 is a flowchart of a method of scanning files according to an embodiment of the application. The method comprises:
S101: extract information from the currently downloaded compressed package.
S102: judge, according to the extracted information, whether the compressed package is safe.
S103: if it is not safe, provide a security prompt.
S104: call the decompression interface corresponding to the compression format of the compressed package.
S105: decompress the compressed package through the called decompression interface, and map the decompressed files directly into memory.
S106: scan and clean the decompressed files.
Preferably, the extracted information comprises: the download source of the compressed package, the storage path of the compressed package and the feature identifier of the compressed package;
Correspondingly, judging whether the compressed package is safe according to the extracted information comprises:
Detecting the security of the compressed package according to its download source, its storage path and its feature identifier;
Judging, according to the detection result, whether the compressed package is safe.
Preferably, before calling the decompression interface corresponding to the compression format of the compressed package, the method also comprises:
Obtaining the compression format of the compressed package;
Judging whether the compression format of the compressed package corresponds to the local default decompression engine;
If it does not correspond, performing the step of calling the decompression interface corresponding to the compression format of the compressed package.
Preferably, obtaining the compression format of the compressed package comprises:
Monitoring the process creation operations of programs;
Obtaining the command-line parameters with which the created process is executed;
Obtaining, according to those command-line parameters, the process path of the created process that corresponds to the compressed package;
Obtaining the compression format of the compressed package according to the file name of the process file contained in the process path.
Preferably, after judging whether the compression format of the compressed package corresponds to the local default decompression engine, the method also comprises:
If it corresponds, calling the local default decompression engine to decompress the compressed package, and then performing the step of scanning and cleaning the decompressed files.
Preferably, while the compressed package is being decompressed, the method also comprises:
Monitoring the decompression process, and determining from file creation operations and file close operations whether a decompressed file has been obtained.
Preferably, monitoring the decompression process and determining from file creation operations and file close operations whether a decompressed file has been obtained comprises:
Monitoring the decompression process;
If the parent process of the decompression process is a decompression application, and the compressed package being decompressed by the decompression application contains the process file of the decompression process, judging that the process file of the decompression process is a file from the compressed package;
When the decompression process completes a file creation operation and a file close operation, determining that one file has been decompressed.
Preferably, before the decompressed files are scanned and cleaned, the method also comprises:
Judging whether the decompressed files contain a compressed package;
If so, calling the decompression interface corresponding to the compression format of the compressed package contained in the decompressed files;
Decompressing that contained compressed package through the called decompression interface, mapping the decompressed files directly into memory, and then performing the step of scanning and cleaning the decompressed files.
Preferably, scanning and cleaning the decompressed files comprises:
Querying the server for the security level of the decompressed files;
Scanning and cleaning the decompressed files according to the security level.
In the method of scanning files described in this embodiment, the compressed package is decompressed through the called decompression interface, the decompressed files are mapped directly into memory, and the decompressed files are scanned and cleaned, so that compressed packages of any format can be decompressed and completely scanned and cleaned, leaving no security hole. Compressed packages in the corresponding format can be decompressed with the local default decompression engine, which speeds up decompression and improves the efficiency of the security scan. The decompression process can be monitored, and whether a decompressed file has been obtained is determined from file creation operations and file close operations, which ensures that the decompressed files are obtained.
With another embodiment, the realization of the application's method is described further below.As shown in Figure 2, be the method flow diagram of a kind of scanning document of the embodiment of the present application, the method comprises:
S201: information extraction from the compressed package of current download.
Particularly, when client device is downloading when compressed package, can from the compressed package of current download, extract the information of the compressed package of current download, and by the information recording of the compressed package of current download in default compressed package database.
Wherein, the information of compressed package can comprise one or more in following information: the download source of compressed package, the signature identification of depositing path, compressed package of compressed package etc.The download source of compressed package mainly comprises one or more in the various relevant informations that compressed package downloading process relates to, such as download tool type, download URL (UniformResourceLocator, URL(uniform resource locator)) and webpage URL etc.Download tool type, referring generally to this compressed package by what approach downloads, such as immediate communication tool, Mail Clients etc., for example, can support the Mail Clients such as Outlook/Foxmail, can also further support WEB browser, the specific download instruments such as IE/Chrome, a sudden peal of thunder/download tools such as electric donkey.Download URL, refers generally to the download link of this compressed package self.Webpage URL, refers generally to the URL of the web webpage at download URL place.The signature identification of compressed package, as long as being used for the information of unique identification compressed package, such as being the informative abstract such as MD5 or SHA1.
S202: according to the information of extracting, judge whether safety of compressed package, if dangerous, carry out S203; Otherwise, carry out S204.
Particularly, according to the information of extracting, judge whether compressed package comprises safely:
The download source of the compressed package comprising according to the information of extracting, the signature identification of depositing path and compressed package of compressed package, detect the security of compressed package;
According to testing result, judge whether safety of compressed package.
S203: security information is provided.
S204: the compressed format of obtaining compressed package.
Particularly, compressed format comprises ace, winrar, ar, ip, tar, cab, uue, jar, iso, z, 7-zip, lzh, arj, gzip, bz2 etc.
Particularly, obtain the compressed format of compressed package, comprise
The process creation operation of watchdog routine;
Obtain the command line parameter while being created process execution;
Command line parameter while execution according to the process that is created, obtains the process path of the process that is created that compressed package is corresponding;
The filename of the process file comprising according to process path, obtains the compressed format of compressed package.
Wherein, the concrete mode of monitoring process creation operation can have a variety of, for example, catch the related function of process creation.By monitoring process creation operation, not only can obtain the command line parameter while being created process execution, can also obtain the process path of the process of being created.
Wherein, the content that command line parameter comprises is more, for example generally comprise the process of being created process path, compressed package deposit path, process parameter etc. more specifically.As, the command line parameter of a certain decompression process be " C: Program Files AAA AAAzip AAAzip.exe "-s " C: Test test.zip " " and C: Test test; wherein; " C: Program Files AAA AAAzip AAAzip.exe " being the process path of the process of being created; " " be for showing that this process is decompression process but not a kind of parameter information of compression procedure, " C: Test test.zip " is the path parameter information of depositing of compressed package to-s.Certainly, in some cases, in command line parameter, may there is no process path yet.But, by monitoring process creation operation, catch the related function of process creation, also can obtain the process path of the process of being created.
Wherein, be created the relevant information that conventionally has process file in the process path of process, as the filename such as " WinRAR.exe " or " AAAZip.exe ", can obtain the compressed format of compressed package according to the filename of process file.
Particularly, no matter the compressed package of which kind of compressed format, can decompress by the method for the present embodiment, realizes the file obtaining that decompresses is scanned to killing.
S205: Judge whether the compression format of the compressed package corresponds to the local default decompression engine; if it does, perform S206; otherwise, perform S207.
Specifically, the local user's default decompression tool can be obtained, and the decompression engine of that tool is used to decompress the corresponding compressed package.
S206: Call the local default decompression engine to decompress the compressed package, then perform S208.
Specifically, for example: the local user's default decompression tool is WINRAR, and compressed package A is being decompressed. Calling the local default decompression engine to decompress the compressed package then specifically means passing a command line to the WINRAR that is decompressing A.
S207: Call the decompression interface corresponding to the compression format of the compressed package, then perform S208.
Specifically, if the compression format of the compressed package is ace, the ace decompression interface is called.
S208: Decompress the compressed package through the called decompression interface, map the files obtained by decompression directly into memory, then perform S209.
Existing decompression of files on the local disk (such as files in ace format) requires the decompressed files to be released to the local disk, which is a limitation. If this restriction is not removed, it can be exploited by Trojan authors: a Trojan author can use WinRAR to compress an ace file x.ace into xxx.rar; the security software extracts x.ace with its own decompression engine, and if x.ace is then held only in memory rather than released to disk, the existing ace decompression cannot be applied to it. The "decompression adapter" of the present invention can decompress the x.ace memory block without releasing it to disk (writing to disk is very time-consuming), which saves security scanning time.
Specifically, decompressing the compressed package further includes:
Monitoring the decompression process, and determining from file creation operations and file close operations whether a decompressed file has been obtained.
Specifically, the decompression performed in S206 and S208 can be monitored by hooking (HOOK) the kernel32 application programming interface (API). During monitoring, when a file creation operation for file A is detected (A being a newly decompressed file), file A is being decompressed; when a file close operation for file A is detected, file A has been completely decompressed, and it is determined that the decompressed file A has been obtained. In the same way, all files contained in the compressed package, such as file B and file C, can be obtained.
Specifically, monitoring the decompression process and determining from file creation operations and file close operations whether a decompressed file has been obtained includes:
Monitoring the decompression process;
If the parent process of the decompression process is the decompression application, and the compressed package decompressed by the decompression application contains the process file of the decompression process, determining that the process file of the decompression process is a file from the compressed package;
When the decompression process completes a file creation operation and a file close operation, determining that one file has been decompressed.
When the decompression process extracts a file, it can also generate other information associated with the file, such as file name, file description, file size, file version, file characteristic value, internal name, company name, copyright statement, product name, product version and digital signature company information, as well as the command line, process path and parent process path of the process created by the pending program; this information can be recorded in a preset decompression database. The files include files obtained by direct decompression, derived files, other files loaded while a file executes, and files generated through multiple layers of processes. A file may be an executable file (PE file) or a non-executable file. Executable files include, but are not limited to, exe files, script files, batch files and link files.
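The monitoring described above, from process creation through file creation and file close, can be followed in an added example that is not part of the patent. The event tuples are constructed stand-ins for what the hooks would report, the function names are hypothetical, and treating the first non-switch argument as the compressed package path is an assumption.

```python
import ntpath
import re

# Decompressor process file names mentioned in the text, compared case-insensitively.
KNOWN_DECOMPRESSORS = {"winrar.exe", "aaazip.exe"}


def parse_command_line(cmdline):
    """Split a Windows command line into (process_path, args).

    Simplified quoting: double-quoted runs or bare tokens; escaped quotes
    inside an argument are not handled.
    """
    tokens = [quoted or bare
              for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    if not tokens:
        return None, []
    return tokens[0], tokens[1:]


def track_extraction(events):
    """Correlate process-creation, file-create and file-close events.

    Returns (completed, pending): completed maps each compressed package to
    the files that were created and then closed by its decompression
    process; pending lists files created but not yet closed, which are not
    ready to be scanned.
    """
    watched = {}        # pid -> compressed package being decompressed
    open_handles = {}   # (pid, handle) -> path of a file still being written
    completed = {}
    for event in events:
        kind, pid = event[0], event[1]
        if kind == "proc":
            process_path, args = parse_command_line(event[2])
            name = ntpath.basename(process_path or "").lower()
            if name in KNOWN_DECOMPRESSORS:
                # Assumption: first argument that is not a switch is the package.
                package = next(
                    (a for a in args if not a.startswith(("-", "/"))), None)
                watched[pid] = package
                completed.setdefault(package, [])
        elif kind == "create" and pid in watched:
            # A close event only carries the handle, so remember its path.
            open_handles[(pid, event[2])] = event[3]
        elif kind == "close":
            path = open_handles.pop((pid, event[2]), None)
            if path is not None:
                completed[watched[pid]].append(path)
    return completed, sorted(open_handles.values())


# Constructed events: (kind, pid, ...). Handle 0x1A4 is reused after close.
CONSTRUCTED_EVENTS = [
    ("proc", 4120, r'"C:\Program Files\AAA\AAAzip\AAAzip.exe" -s '
                   r'"C:\Test\test.zip" "C:\Test\test"'),
    ("proc", 5000, r'"C:\Windows\notepad.exe" "C:\Test\notes.txt"'),
    ("create", 4120, 0x1A4, r"C:\Test\test\A.exe"),
    ("create", 5000, 0x90, r"C:\Test\notes.txt"),
    ("create", 4120, 0x1A8, r"C:\Test\test\B.dll"),
    ("close", 4120, 0x1A4),
    ("close", 5000, 0x90),
    ("create", 4120, 0x1A4, r"C:\Test\test\C.txt"),
    ("close", 4120, 0x1A4),
]

if __name__ == "__main__":
    done, pending = track_extraction(CONSTRUCTED_EVENTS)
    print("completed:", done)
    print("still open:", pending)
```

File B.dll stays in the pending list because no close event was seen for its handle, so it would not yet be handed to the scanner.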
S209: Scan and clean the files obtained by decompression.
Specifically, the files obtained by decompression can be scanned and cleaned using methods such as black and white lists (identifiers of virus files collected in advance are placed on a blacklist, identifiers of files protected by default are placed on a whitelist, and the lists are traversed during scanning and cleaning), active defense (behavior is the object of scanning and cleaning; a behavior has an identification code (for example md5), and the process or program performing the behavior also has an identifier; during scanning and cleaning, if the behavior itself is judged to be bad, or the process or program performing it is judged to be a bad program or bad process, the behavior is killed), cloud scanning (a database is built on the server side and data is collected from the terminal side; if most of the collecting terminals consider a certain file to be a virus, the file is directly judged to be a virus, the database is updated, and the update is issued to all terminals), or safety levels; no specific limitation is imposed here.
When the safety level method is used, scanning and cleaning the files obtained by decompression specifically includes:
Querying the server side for the safety level of the files obtained by decompression;
Scanning and cleaning the files obtained by decompression according to the safety level.
In this embodiment, the safety levels include safe, unknown, suspicious/highly suspicious, and malicious. The levels can be set, for example, as follows: a level of 10-29 is safe (files of this level are white files), a level of 30-49 is unknown (files of this level are gray files), a level of 50-69 is suspicious/highly suspicious (files of this level are suspicious files), and a level greater than or equal to 70 is malicious (files of this level are malicious files). The safety levels can of course be set in other forms; the present invention imposes no limitation on this.
Specifically, the files obtained by decompression can be scanned and cleaned by a cloud scanning engine for Portable Executable (PE) type files, or by an artificial intelligence engine (Qihoo Virtual Machine, QVM). PE type files are generally the program files of the Windows operating system; common PE type files include EXE, DLL, OCX, SYS and COM files.
Specifically, before the files obtained by decompression are scanned and cleaned, the method can further include:
Judging whether the files obtained by decompression contain a compressed package; if they do, the compressed package contained in the files obtained by decompression is decompressed, scanned and cleaned according to steps S201-S209 above.
The file scanning method of this embodiment decompresses the compressed package through the called decompression interface, maps the files obtained by decompression directly into memory, and scans and cleans those files, so that compressed packages of any format can be decompressed and fully scanned and cleaned, leaving no security hole. Decompressing compressed packages of the corresponding format with the local default decompression engine speeds up decompression and improves the efficiency of the security scan. Monitoring the decompression process and determining from file creation operations and file close operations whether a decompressed file has been obtained ensures that the decompressed files are obtained.
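As an added example, not code from the patent: S208-S209 and the nested-package step, with Python's standard zipfile and tarfile modules standing in for the decompression interfaces. The function names, the SHA-256 lookup key, the depth and memory limits, and the level table standing in for the server query are assumptions; the level bands are the ones given in this embodiment.

```python
import hashlib
import io
import tarfile
import zipfile

MAX_DEPTH = 4                        # assumed limit on nested packages
MAX_TOTAL_BYTES = 64 * 1024 * 1024   # assumed cap on bytes held in memory


class LimitExceeded(Exception):
    """Raised rather than silently leaving content unscanned."""


def level_to_verdict(level):
    # Bands from the embodiment. Levels below 10 are not defined there and
    # are treated as unknown here (assumption).
    if level >= 70:
        return "malicious"
    if level >= 50:
        return "suspicious"
    if level >= 30:
        return "unknown"
    return "safe" if level >= 10 else "unknown"


def _read_capped(fh, budget):
    # Read one byte more than the budget allows so oversize data is detected
    # without trusting the size declared in the package header.
    data = fh.read(budget["left"] + 1)
    if len(data) > budget["left"]:
        raise LimitExceeded("decompressed data exceeds the memory budget")
    budget["left"] -= len(data)
    return data


def unpack_in_memory(data, budget):
    """Return {member name: bytes} without writing to disk, or None when
    data is not a package this example can open (it is then scanned whole)."""
    try:
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return {i.filename: _read_capped(zf.open(i), budget)
                        for i in zf.infolist() if not i.is_dir()}
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            return {m.name: _read_capped(tf.extractfile(m), budget)
                    for m in tf if m.isfile()}
    except (tarfile.ReadError, zipfile.BadZipFile, RuntimeError):
        return None


def scan_bytes(data, query_level, path="<root>", depth=0, budget=None):
    """Return [(path, verdict)] for every file reachable inside data."""
    budget = {"left": MAX_TOTAL_BYTES} if budget is None else budget
    members = unpack_in_memory(data, budget)
    if members is None:   # a plain file: query its level by hash
        digest = hashlib.sha256(data).hexdigest()
        return [(path, level_to_verdict(query_level(digest)))]
    if depth >= MAX_DEPTH:
        raise LimitExceeded("package nesting deeper than MAX_DEPTH")
    results = []
    for name, blob in members.items():
        results += scan_bytes(blob, query_level, f"{path}!{name}",
                              depth + 1, budget)
    return results


BENIGN = b"constructed benign text"
FLAGGED = b"constructed bytes that the demo table rates 80"


def build_constructed_sample():
    """Constructed input: outer ZIP -> inner tar.gz -> two files."""
    inner = io.BytesIO()
    with tarfile.open(fileobj=inner, mode="w:gz") as tf:
        for name, body in (("readme.txt", BENIGN), ("payload.bin", FLAGGED)):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("inner.tar.gz", inner.getvalue())
        zf.writestr("notes.txt", b"constructed top-level file")
    return outer.getvalue()


def demo():
    # Stand-in for the server-side query: SHA-256 -> level, default 30.
    table = {hashlib.sha256(BENIGN).hexdigest(): 15,
             hashlib.sha256(FLAGGED).hexdigest(): 80}
    sample = build_constructed_sample()
    return dict(scan_bytes(sample, lambda d: table.get(d, 30)))
```

The two limits make the scanner fail closed: a package that nests too deeply or expands past the memory budget raises LimitExceeded instead of being reported as scanned.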
Fig. 3 shows the structure of a file scanning device according to an embodiment of the present application. The device includes:
Extraction module 301, configured to extract information from the currently downloaded compressed package;
First judging module 302, configured to judge, according to the extracted information, whether the compressed package is safe;
Prompting module 303, configured to provide security information if the judgment result of the first judging module 302 is unsafe;
First calling module 304, configured to call the decompression interface corresponding to the compression format of the compressed package;
First processing module 305, configured to decompress the compressed package through the called decompression interface and map the files obtained by decompression directly into memory;
First scanning and cleaning module 306, configured to scan and clean the files obtained by decompression.
Preferably, the extracted information includes: the download source of the compressed package, the storage path of the compressed package, and the signature identifier of the compressed package;
Correspondingly, the first judging module 302 includes:
Detecting unit, configured to check the security of the compressed package according to the download source of the compressed package, the storage path of the compressed package, and the signature identifier of the compressed package;
Judging unit, configured to judge, according to the detection result, whether the compressed package is safe.
Preferably, referring to Fig. 4, the device further includes:
Acquisition module 307, configured to obtain the compression format of the compressed package before the decompression interface corresponding to that format is called;
Second judging module 308, configured to judge whether the compression format of the compressed package corresponds to the local default decompression engine;
First notification module 309, configured to notify the first calling module 304 to perform the step of calling the decompression interface corresponding to the compression format of the compressed package if the judgment result of the second judging module 308 is that they do not correspond.
Preferably, the acquisition module 307 includes:
First monitoring unit, configured to monitor the process creation operations of programs;
First acquiring unit, configured to obtain the command-line parameters with which the created process is executed;
Second acquiring unit, configured to obtain, from the command-line parameters with which the created process is executed, the process path of the created process corresponding to the compressed package;
Third acquiring unit, configured to obtain the compression format of the compressed package from the file name of the process file contained in the process path.
Preferably, referring to Fig. 5, the device further includes:
Second notification module 310, configured to, if the judgment result of the second judging module 308 is that they correspond, call the local default decompression engine to decompress the compressed package and then notify the first scanning and cleaning module 306 to perform the step of scanning and cleaning the files obtained by decompression.
Preferably, referring to Fig. 6, the device further includes:
Monitoring module 311, configured to monitor the decompression process while the compressed package is being decompressed, and to determine from file creation operations and file close operations whether a decompressed file has been obtained.
Preferably, the monitoring module 311 includes:
Second monitoring unit, configured to monitor the decompression process;
Identifying unit, configured to determine that the process file of the decompression process is a file from the compressed package if the parent process of the decompression process is the decompression application and the compressed package decompressed by the decompression application contains the process file of the decompression process;
Determining unit, configured to determine that one file has been decompressed when the decompression process completes a file creation operation and a file close operation.
Preferably, referring to Fig. 7, the device further includes:
Third judging module 312, configured to judge whether the files obtained by decompression contain a compressed package;
Second calling module 313, configured to call, if they do, the decompression interface corresponding to the compression format of the compressed package contained in the files obtained by decompression;
Second processing module 314, configured to decompress, through the called decompression interface, the compressed package contained in the files obtained by decompression, map the files obtained by decompression directly into memory, and then perform the step of scanning and cleaning the files obtained by decompression.
Preferably, the first scanning and cleaning module 306 includes:
Query unit, configured to query the server side for the safety level of the files obtained by decompression;
Scanning and cleaning unit, configured to scan and clean the files obtained by decompression according to the safety level.
The file scanning device of this embodiment decompresses the compressed package through the called decompression interface, maps the files obtained by decompression directly into memory, and scans and cleans those files, so that compressed packages of any format can be decompressed and fully scanned and cleaned, leaving no security hole. Decompressing compressed packages of the corresponding format with the local default decompression engine speeds up decompression and improves the efficiency of the security scan. Monitoring the decompression process and determining from file creation operations and file close operations whether a decompressed file has been obtained ensures that the decompressed files are obtained.
The device corresponds to the method flow described above; for anything not covered here, refer to the description of the method flow, which is not repeated item by item.
The above description shows and describes several preferred embodiments of the present application. As stated earlier, however, the application is not limited to the forms disclosed herein; these should not be regarded as excluding other embodiments, and the application can be used in various other combinations, modifications and environments, and can be changed within the scope of the inventive concept described herein through the above teachings or the skill or knowledge of the related art. Changes and variations made by those skilled in the art that do not depart from the spirit and scope of the application shall all fall within the protection scope of the appended claims.
The embodiments of the present application disclose the following:
A1. A method for scanning files, characterized in that the method comprises: extracting information from the currently downloaded compressed package; judging, according to the extracted information, whether the compressed package is safe; if it is unsafe, providing security information; calling the decompression interface corresponding to the compression format of the compressed package; decompressing the compressed package through the called decompression interface, and mapping the files obtained by decompression directly into memory; scanning and cleaning the files obtained by decompression.
A2. The method of A1, characterized in that the extracted information comprises: the download source of the compressed package, the storage path of the compressed package, and the signature identifier of the compressed package; correspondingly, judging, according to the extracted information, whether the compressed package is safe comprises: checking the security of the compressed package according to the download source of the compressed package, the storage path of the compressed package, and the signature identifier of the compressed package; judging, according to the detection result, whether the compressed package is safe.
A3. The method of A1, characterized in that, before calling the decompression interface corresponding to the compression format of the compressed package, the method further comprises: obtaining the compression format of the compressed package; judging whether the compression format of the compressed package corresponds to the local default decompression engine; if it does not, performing the step of calling the decompression interface corresponding to the compression format of the compressed package.
A4. The method of A3, characterized in that obtaining the compression format of the compressed package comprises: monitoring the process creation operations of programs; obtaining the command-line parameters with which the created process is executed; obtaining, from the command-line parameters with which the created process is executed, the process path of the created process corresponding to the compressed package; obtaining the compression format of the compressed package from the file name of the process file contained in the process path.
A5. The method of A3, characterized in that, after judging whether the compression format of the compressed package corresponds to the local default decompression engine, the method further comprises: if it does, calling the local default decompression engine to decompress the compressed package, and then performing the step of scanning and cleaning the files obtained by decompression.
A6. The method of any one of A1-A5, characterized in that decompressing the compressed package further comprises: monitoring the decompression process, and determining from file creation operations and file close operations whether a decompressed file has been obtained.
A7. The method of A6, characterized in that monitoring the decompression process and determining from file creation operations and file close operations whether a decompressed file has been obtained comprises: monitoring the decompression process; if the parent process of the decompression process is the decompression application, and the compressed package decompressed by the decompression application contains the process file of the decompression process, determining that the process file of the decompression process is a file from the compressed package; when the decompression process completes a file creation operation and a file close operation, determining that one file has been decompressed.
A8. The method of any one of A1-A5, characterized in that, before the files obtained by decompression are scanned and cleaned, the method further comprises: judging whether the files obtained by decompression contain a compressed package; if they do, calling the decompression interface corresponding to the compression format of the compressed package contained in the files obtained by decompression; decompressing, through the called decompression interface, the compressed package contained in the files obtained by decompression, mapping the files obtained by decompression directly into memory, and then performing the step of scanning and cleaning the files obtained by decompression.
A9. The method of A8, characterized in that scanning and cleaning the files obtained by decompression comprises: querying the server side for the safety level of the files obtained by decompression; scanning and cleaning the files obtained by decompression according to the safety level.
B10. A device for scanning files, characterized in that the device comprises: an extraction module, configured to extract information from the currently downloaded compressed package; a first judging module, configured to judge, according to the extracted information, whether the compressed package is safe; a prompting module, configured to provide security information if the judgment result of the first judging module is unsafe; a first calling module, configured to call the decompression interface corresponding to the compression format of the compressed package; a first processing module, configured to decompress the compressed package through the called decompression interface and map the files obtained by decompression directly into memory; a first scanning and cleaning module, configured to scan and clean the files obtained by decompression.
B11. The device of B10, characterized in that the extracted information comprises: the download source of the compressed package, the storage path of the compressed package, and the signature identifier of the compressed package; correspondingly, the first judging module comprises: a detecting unit, configured to check the security of the compressed package according to the download source of the compressed package, the storage path of the compressed package, and the signature identifier of the compressed package; a judging unit, configured to judge, according to the detection result, whether the compressed package is safe.
B12. The device of B10, characterized in that the device further comprises: an acquisition module, configured to obtain the compression format of the compressed package before the decompression interface corresponding to that format is called; a second judging module, configured to judge whether the compression format of the compressed package corresponds to the local default decompression engine; a first notification module, configured to notify the first calling module to perform the step of calling the decompression interface corresponding to the compression format of the compressed package if the judgment result of the second judging module is that they do not correspond.
B13. The device of B10, characterized in that the acquisition module comprises: a first monitoring unit, configured to monitor the process creation operations of programs; a first acquiring unit, configured to obtain the command-line parameters with which the created process is executed; a second acquiring unit, configured to obtain, from the command-line parameters with which the created process is executed, the process path of the created process corresponding to the compressed package; a third acquiring unit, configured to obtain the compression format of the compressed package from the file name of the process file contained in the process path.
B14. The device of B12, characterized in that the device further comprises: a second notification module, configured to, if the judgment result of the second judging module is that they correspond, call the local default decompression engine to decompress the compressed package and then notify the first scanning and cleaning module to perform the step of scanning and cleaning the files obtained by decompression.
B15. The device of any one of B10-B14, characterized in that the device further comprises: a monitoring module, configured to monitor the decompression process while the compressed package is being decompressed, and to determine from file creation operations and file close operations whether a decompressed file has been obtained.
B16. The device of B15, characterized in that the monitoring module comprises: a second monitoring unit, configured to monitor the decompression process; an identifying unit, configured to determine that the process file of the decompression process is a file from the compressed package if the parent process of the decompression process is the decompression application and the compressed package decompressed by the decompression application contains the process file of the decompression process; a determining unit, configured to determine that one file has been decompressed when the decompression process completes a file creation operation and a file close operation.
B17. The device of any one of B10-B14, characterized in that the device further comprises: a third judging module, configured to judge whether the files obtained by decompression contain a compressed package; a second calling module, configured to call, if they do, the decompression interface corresponding to the compression format of the compressed package contained in the files obtained by decompression; a second processing module, configured to decompress, through the called decompression interface, the compressed package contained in the files obtained by decompression, map the files obtained by decompression directly into memory, and then perform the step of scanning and cleaning the files obtained by decompression.
B18. The device of B17, characterized in that the first scanning and cleaning module comprises: a query unit, configured to query the server side for the safety level of the files obtained by decompression; a scanning and cleaning unit, configured to scan and clean the files obtained by decompression according to the safety level.

Claims (10)

1. A method for scanning files through cloud security, characterized in that the method comprises:
Extracting information from the currently downloaded compressed package;
Judging, according to the extracted information, whether the compressed package is safe;
If it is unsafe, providing security information;
Calling the decompression interface corresponding to the compression format of the compressed package;
Decompressing the compressed package through the called decompression interface, and mapping the files obtained by decompression directly into memory;
Scanning and cleaning the files obtained by decompression.
2. The method of claim 1, characterized in that the extracted information comprises: the download source of the compressed package, the storage path of the compressed package, and the signature identifier of the compressed package;
Correspondingly, judging, according to the extracted information, whether the compressed package is safe comprises:
Checking the security of the compressed package according to the download source of the compressed package, the storage path of the compressed package, and the signature identifier of the compressed package;
Judging, according to the detection result, whether the compressed package is safe.
3. The method of claim 1, characterized in that, before calling the decompression interface corresponding to the compression format of the compressed package, the method further comprises:
Obtaining the compression format of the compressed package;
Judging whether the compression format of the compressed package corresponds to the local default decompression engine;
If it does not, performing the step of calling the decompression interface corresponding to the compression format of the compressed package.
4. The method of claim 3, characterized in that obtaining the compression format of the compressed package comprises:
Monitoring the process creation operations of programs;
Obtaining the command-line parameters with which the created process is executed;
Obtaining, from the command-line parameters with which the created process is executed, the process path of the created process corresponding to the compressed package;
Obtaining the compression format of the compressed package from the file name of the process file contained in the process path.
5. The method of claim 3, characterized in that, after judging whether the compression format of the compressed package corresponds to the local default decompression engine, the method further comprises:
If it does, calling the local default decompression engine to decompress the compressed package, and then performing the step of scanning and cleaning the files obtained by decompression.
6. A device for scanning files through cloud security, characterized in that the device comprises:
Extraction module, configured to extract information from the currently downloaded compressed package;
First judging module, configured to judge, according to the extracted information, whether the compressed package is safe;
Prompting module, configured to provide security information if the judgment result of the first judging module is unsafe;
First calling module, configured to call the decompression interface corresponding to the compression format of the compressed package;
First processing module, configured to decompress the compressed package through the called decompression interface and map the files obtained by decompression directly into memory;
First scanning and cleaning module, configured to scan and clean the files obtained by decompression.
7. The device of claim 6, characterized in that the extracted information comprises: the download source of the compressed package, the storage path of the compressed package, and the signature identifier of the compressed package;
Correspondingly, the first judging module comprises:
Detecting unit, configured to check the security of the compressed package according to the download source of the compressed package, the storage path of the compressed package, and the signature identifier of the compressed package;
Judging unit, configured to judge, according to the detection result, whether the compressed package is safe.
8. The device of claim 6, characterized in that the device further comprises:
Acquisition module, configured to obtain the compression format of the compressed package before the decompression interface corresponding to that format is called;
Second judging module, configured to judge whether the compression format of the compressed package corresponds to the local default decompression engine;
First notification module, configured to notify the first calling module to perform the step of calling the decompression interface corresponding to the compression format of the compressed package if the judgment result of the second judging module is that they do not correspond.
9. The device of claim 6, characterized in that the acquisition module comprises:
First monitoring unit, configured to monitor the process creation operations of programs;
First acquiring unit, configured to obtain the command-line parameters with which the created process is executed;
Second acquiring unit, configured to obtain, from the command-line parameters with which the created process is executed, the process path of the created process corresponding to the compressed package;
Third acquiring unit, configured to obtain the compression format of the compressed package from the file name of the process file contained in the process path.
10. The device of claim 8, characterized in that the device further comprises:
Second notification module, configured to, if the judgment result of the second judging module is that they correspond, call the local default decompression engine to decompress the compressed package and then notify the first scanning and cleaning module to perform the step of scanning and cleaning the files obtained by decompression.
CN201310597951.7A 2013-11-22 2013-11-22 Method and device for cloud-based safety scanning of files Pending CN103793649A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310597951.7A CN103793649A (en) 2013-11-22 2013-11-22 Method and device for cloud-based safety scanning of files

Publications (1)

Publication Number Publication Date
CN103793649A true CN103793649A (en) 2014-05-14

Family

ID=50669302

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310597951.7A Pending CN103793649A (en) 2013-11-22 2013-11-22 Method and device for cloud-based safety scanning of files

Country Status (1)

Country Link
CN (1) CN103793649A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007117567A2 (en) * 2006-04-06 2007-10-18 Smobile Systems Inc. Malware detection system and method for limited access mobile platforms
CN101414328A (en) * 2007-10-15 2009-04-22 北京瑞星国际软件有限公司 Apparatus and method for exuviations of file
CN103077353A (en) * 2013-01-24 2013-05-01 北京奇虎科技有限公司 Method and device for actively defending rogue program

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
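李振 (Li Zhen): "Design and Implementation of a Cross-Platform Multi-Compression-Format Decompression Engine", China Master's Theses Full-text Database, Information Science and Technology, no. 11, 15 November 2013 (2013-11-15), pages 17 - 27 *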

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104239793B (en) * 2014-09-10 2017-05-31 珠海市君天电子科技有限公司 Method for detecting virus and device
CN104239793A (en) * 2014-09-10 2014-12-24 珠海市君天电子科技有限公司 Virus detection method and virus detection device
CN106663173A (en) * 2016-09-30 2017-05-10 北京小米移动软件有限公司 Safety scanning method and device and electronic device
CN108629182B (en) * 2017-03-21 2022-11-04 腾讯科技(深圳)有限公司 Vulnerability detection method and vulnerability detection device
CN108629182A (en) * 2017-03-21 2018-10-09 腾讯科技(深圳)有限公司 Leak detection method and Hole Detection device
CN107656742A (en) * 2017-09-27 2018-02-02 北京奇虎科技有限公司 A kind of software product dissemination method and device
CN108446300A (en) * 2018-01-26 2018-08-24 北京奇虎科技有限公司 The scan method and device of data information
CN109656892A (en) * 2018-12-26 2019-04-19 上海百事通信息技术股份有限公司 A kind of online decompression method of file
CN111797392A (en) * 2019-04-09 2020-10-20 国家计算机网络与信息安全管理中心 Method, device and storage medium for controlling infinite analysis of derivative file
CN111797392B (en) * 2019-04-09 2023-08-08 国家计算机网络与信息安全管理中心 Method, device and storage medium for controlling infinite analysis of derivative files
CN110648118A (en) * 2019-09-27 2020-01-03 深信服科技股份有限公司 Fish fork mail detection method and device, electronic equipment and readable storage medium
CN113051562A (en) * 2019-12-28 2021-06-29 深信服科技股份有限公司 Virus checking and killing method, device, equipment and readable storage medium
CN111352912A (en) * 2020-03-10 2020-06-30 Oppo广东移动通信有限公司 Compressed file processing method, device, storage medium, terminal and server
CN111352912B (en) * 2020-03-10 2024-04-12 Oppo广东移动通信有限公司 Compressed file processing method, device, storage medium, terminal and server
CN113282928A (en) * 2021-06-11 2021-08-20 杭州安恒信息技术股份有限公司 Malicious file processing method, device and system, electronic device and storage medium
CN113282928B (en) * 2021-06-11 2022-12-20 杭州安恒信息技术股份有限公司 Malicious file processing method, device, system, electronic device and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20140514