CN107786413B - Method for browsing e-mail and user terminal - Google Patents
- Publication number: CN107786413B
- Application number: CN201610712468.2A
- Authority: CN (China)
- Prior art keywords: malicious, sandbox, attachment, mark
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L51/00—User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
  - H04L51/42—Mailbox-related aspects, e.g. synchronisation of mailboxes
  - H04L51/21—Monitoring or handling of messages
    - H04L51/212—Monitoring or handling of messages using filtering or selective blocking
    - H04L51/23—Reliability checks, e.g. acknowledgments or fault reporting
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Information Transfer Between Computers (AREA)
Abstract
A malicious attachment of a malicious email is obtained; the malicious attachment is sent to a sandbox so that the sandbox generates a sandbox process that opens the malicious attachment; address information of the sandbox process returned by the sandbox is received, and the malicious attachment is browsed remotely in the sandbox process by using the address information. Because the malicious attachment is sent into the sandbox, opened there and only browsed remotely, the malicious attachment of a malicious email can be browsed safely in an actual office environment.
Description
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and a user terminal for browsing an email.
Background
In recent years the APT (Advanced Persistent Threat) attack has come to public attention as an advanced attack technique because it is hard to detect, long-lasting and aimed at a clearly defined target; the Aurora, Stuxnet and Night Dragon attacks are all APT attacks. In an APT attack, a malicious attachment that exploits a 0Day vulnerability (the term "0Day" connotes "instantaneity") is sent to a user by email or similar means. Once the user opens the malicious attachment, the 0Day vulnerability is triggered, attack code is injected into the user's system, and follow-on operations such as downloading other viruses and trojans are performed so that the attack can remain latent for a long time. Traditional firewalls and enterprise antivirus software have very limited ability to detect and protect against malicious attachments or code of this kind, which have no characteristic signature.
At present, defenses against APT attacks usually combine static-engine analysis with dynamic-engine analysis to determine whether a received email is malicious. When an email is determined to be malicious, the enterprise's security equipment, in order to keep the user's actual office environment from being damaged, generally either intercepts the malicious email directly at the mail server or warns the user that the email is malicious; the attachment of that email is then treated as a malicious attachment. However, this determination is subject to false positives: a normal email may be intercepted because of a false positive, so that the user can neither receive nor view it, and when the user needs to browse the attachment of an email that has been determined to be malicious, doing so risks an attack on the user's actual office environment.
Consequently, in an actual office environment, the malicious attachments of malicious emails cannot be browsed safely.
Disclosure of Invention
The embodiment of the invention aims to provide a method and a terminal for browsing an email, which solve the problem that malicious attachments of malicious emails cannot be safely browsed in an actual office environment.
In order to achieve the above object, an embodiment of the present invention provides a method for browsing an email, including:
acquiring a malicious attachment of a malicious email;
sending the malicious attachment to a sandbox to enable the sandbox to generate a sandbox process for opening the malicious attachment;
and receiving address information of the sandbox process returned by the sandbox, and remotely browsing the malicious attachment in the sandbox process by using the address information.
The present invention also provides a user terminal for browsing electronic mail, comprising:
the acquisition module is used for acquiring the malicious attachments of the malicious e-mails;
the sending module is used for sending the malicious attachment to a sandbox so that the sandbox generates a sandbox process for opening the malicious attachment;
and the remote browsing module is used for receiving the address information of the sandbox process returned by the sandbox and remotely browsing the malicious attachment in the sandbox process by using the address information.
Embodiments of the present invention also provide a computer storage medium, in which one or more programs executable by a computer are stored, and when the one or more programs are executed by the computer, the computer is caused to execute the method for browsing electronic mails provided above.
One of the above technical solutions has the following advantages or beneficial effects:
A malicious attachment of a malicious email is obtained; the malicious attachment is sent to a sandbox so that the sandbox generates a sandbox process that opens the malicious attachment; address information of the sandbox process returned by the sandbox is received, and the malicious attachment is browsed remotely in the sandbox process by using the address information. Because the malicious attachment is sent into the sandbox, opened there and only browsed remotely, the malicious attachment of a malicious email can be browsed safely in an actual office environment.
Drawings
Fig. 1 is a schematic flowchart illustrating a method for browsing an email according to an embodiment of the present invention;
Fig. 2 is a flowchart illustrating another method for browsing email according to an embodiment of the present invention;
Fig. 3 is a flowchart illustrating another method for browsing email according to an embodiment of the present invention;
Fig. 4 is a flowchart illustrating another method for browsing email according to an embodiment of the present invention;
Fig. 5 is a schematic flowchart of extracting, storing and communicating malicious emails by the mail server in the first application scenario in the embodiment of the present invention;
Fig. 6 is a flowchart illustrating a first application scenario implementing browsing of an email according to an embodiment of the present invention;
Fig. 7 is a schematic flowchart of malicious email extraction, storage, and communication performed by the mail server in the second application scenario in the embodiment of the present invention;
Fig. 8 is a flowchart illustrating a second application scenario implementing browsing of emails according to an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of a user terminal according to an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of another user terminal according to an embodiment of the present invention;
Fig. 11 is a schematic structural diagram of another user terminal according to an embodiment of the present invention;
Fig. 12 is a schematic structural diagram of another user terminal according to an embodiment of the present invention.
Detailed Description
In order to make the technical problems, technical solutions and advantages of the present invention more apparent, the following detailed description is given with reference to the accompanying drawings and specific embodiments.
As shown in fig. 1, an embodiment of the present invention provides a flowchart of a method for browsing an email, including the following steps:
Step S101, acquiring a malicious attachment of a malicious email.
In the embodiment of the invention, when the mail server receives an email, the security equipment of the mail server can determine whether the email is malicious. When the email is determined to be malicious, it can be intercepted, or a malicious mark can be added to it, which prevents the user from opening the malicious email without knowing that a risk exists.
Obtaining the malicious attachment of the malicious email can be understood as follows: the user terminal receives the mail mark of an intercepted malicious email entered by the user, or obtains the mail mark from the user's open operation on a malicious email to which the malicious mark has been added, and sends the mail mark to the mail server to request that the mail server send the malicious attachment corresponding to the mail mark to the user terminal. The malicious attachment of the malicious email and its mail mark are stored in the mail server in association with each other.
Step S102, sending the malicious attachment to a sandbox so that the sandbox generates a sandbox process for opening the malicious attachment.
In the embodiment of the invention, after receiving the malicious attachment, the user terminal sends it to the sandbox; a new sandbox process is generated in the sandbox by means of sandbox technology, and the malicious file is opened in that sandbox process. When the malicious file is opened in the sandbox process, the file opened by the sandbox process can be redirected by virtualization; that is, the opening operation on the malicious file is virtual and the real malicious file cannot be changed, which ensures that a virus downloaded after the malicious file is opened cannot change or damage the system.
Step S103, receiving address information of the sandbox process returned by the sandbox, and remotely browsing the malicious attachment in the sandbox process by using the address information.
In the embodiment of the invention, after the malicious attachment is opened in the sandbox process, the sandbox can send address information to the user terminal. When the user terminal receives the address information returned by the sandbox, it can use the address information to establish a remote connection with the sandbox, and the user browses the malicious attachment opened in the sandbox process through that remote connection, so that an email determined to be malicious by the security equipment of the mail server can be browsed safely. The address information may be protocol information of the sandbox process, port information of the sandbox process, or a combination of the two; it may also be any other information that can be used to establish a remote connection between the user terminal and the sandbox, which is not limited here.
In this embodiment of the present invention, the user terminal may be any terminal device capable of browsing an email, for example: desktop computers, notebook computers, palmtop computers, mobile phones, tablet personal computers, laptop computers, personal digital assistants (PDAs), mobile Internet devices (MIDs), wearable devices, and the like.
In the embodiment of the invention, a malicious attachment of a malicious email is obtained; the malicious attachment is sent to a sandbox so that the sandbox generates a sandbox process that opens the malicious attachment; address information of the sandbox process returned by the sandbox is received, and the malicious attachment is browsed remotely in the sandbox process by using the address information. Because the malicious attachment is sent into the sandbox, opened there and only browsed remotely, the malicious attachment of a malicious email can be browsed safely in an actual office environment.
As shown in fig. 2, an embodiment of the present invention provides a flowchart of a method for browsing an email, including the following steps:
Step S201, acquiring a malicious attachment of the malicious email.
In the embodiment of the invention, the user terminal receives the mail mark of an intercepted malicious email entered by the user, or obtains the mail mark from the user's open operation on a malicious email to which the malicious mark has been added, and sends the mail mark to the mail server to request that the mail server send the malicious attachment corresponding to the mail mark to the user terminal. The malicious attachment of the malicious email and its mail mark are stored in the mail server in association with each other. The malicious attachment can be an attachment in any form, such as text, a web page or a picture; the mail mark may be a serial number under which the malicious attachment of the malicious email is stored in the mail server, or may be other information for identifying the mail.
Step S202, sending the malicious attachment to a sandbox so that the sandbox generates a sandbox process for opening the malicious attachment.
In the embodiment of the invention, after receiving the malicious attachment, the user terminal sends it to the sandbox; a new sandbox process is generated in the sandbox by means of sandbox technology, and the malicious file is opened in that sandbox process. The sandbox can be any sandbox. In embodiments of the invention, a lightweight sandbox may be employed; a lightweight sandbox can save computing resources to some extent.
Step S203, receiving the protocol information and the port information of the sandbox process returned by the sandbox, and remotely browsing the malicious attachment in the sandbox process by using the protocol information and the port information.
In the embodiment of the invention, after the malicious attachment is opened in the sandbox process, the sandbox can send the protocol information and the port information to the user terminal. When the user terminal receives the protocol information and the port information returned by the sandbox, it can use them to establish a remote connection with the sandbox, and the user browses the malicious attachment opened in the sandbox process through that remote connection, so that an email determined to be malicious by the security equipment of the mail server can be browsed safely.
Optionally, step S201 may include: acquiring a malicious attachment and a mail identifier of the malicious email; step S202 may include: sending the malicious attachment and the mail identifier to a sandbox so that the sandbox generates a sandbox process for opening the malicious attachment and associates the mail identifier with the sandbox process; after step S203, the method may further include: sending the mail identifier and an end request to the sandbox so that the sandbox, in response to the end request, destroys the sandbox process associated with the mail identifier.
In the embodiment of the invention, the user terminal can obtain the mail identifier of a malicious email when the user enters the identifier or opens the malicious email, and sends the mail identifier to the mail server to request that the mail server send the malicious attachment associated with the mail identifier to the user terminal. The user terminal sends the obtained mail identifier and malicious attachment to the sandbox. The sandbox can generate a sandbox process for opening the malicious attachment, associate the protocol information of the sandbox process with the mail identifier, and record both in an association table. When the user terminal receives the user's operation indicating that browsing is complete, it sends the mail identifier corresponding to the browsed malicious attachment, together with an end request, to the sandbox. The sandbox responds to the end request by looking up the protocol information corresponding to the mail identifier in the association table and destroying the sandbox process that has that protocol information, which avoids wasting the sandbox's resources.
Optionally, as shown in fig. 3, before step S201, the method may further include:
Step S204, receiving a reminder message, sent by the mail server, indicating that the malicious email has been intercepted, wherein the reminder message includes a mail identifier of the malicious email, and the mail identifier of the malicious email is associated with the malicious attachment of the malicious email and stored in the mail server.
Step S201 may include: retrieving the malicious attachment associated with the mail identifier from the mail server according to the received mail identifier entered by the user.
In the embodiment of the invention, after the security equipment of the mail server determines that an email is malicious, the mail server intercepts the malicious email and restores the flow of the malicious email so as to extract the malicious attachment and the corresponding mail identifier from it. The malicious attachment is then associated with the mail identifier by establishing an association table, and the malicious file is stored in the mail server. After establishing the association between the mail mark and the malicious attachment, the mail server sends a reminder message to the user terminal, and the reminder message includes the mail mark of the intercepted malicious email.
After receiving the reminder message sent by the mail server, the user terminal alerts the user and informs the user of the mail identifier of the intercepted malicious email. When the user needs to browse the malicious attachment of an intercepted malicious email, the user can enter the mail identifier of that email through the user terminal. The user terminal then requests the mail server to send the malicious attachment associated with the received mail identifier; the mail server responds to the request by looking up the malicious email associated with the mail identifier in the association table and sending it to the user terminal.
Optionally, as shown in fig. 4, before step S201, the method may further include:
Step S205, receiving the malicious email, with the malicious mark added, sent by the mail server, wherein the malicious email includes a mail mark and a malicious attachment, and the mail mark and the malicious attachment are associated and stored in the mail server.
Step S206, sending the mail mark to the mail server according to the received open operation of the user on the malicious email.
Step S201 may include: receiving the malicious attachment, associated with the mail mark, that is returned by the mail server.
In the embodiment of the invention, after the security equipment of the mail server determines that an email is malicious, the mail server intercepts the malicious email and restores the flow of the malicious email so as to extract the malicious attachment and the corresponding mail identifier from it. The malicious attachment is then associated with the mail identifier by establishing an association table, and the malicious file is stored in the mail server. After establishing the association between the mail mark and the malicious attachment, the mail server adds the malicious mark to the malicious email and sends the malicious email to the user terminal. The malicious mark is a mark that informs the user that the mail is a malicious email.
After the user terminal receives a malicious email to which the malicious mark has been added, it can notify the user in real time that a malicious email has been received. If the user needs to browse the malicious attachment of the malicious email, the user clicks the malicious email to open the malicious attachment. When the user terminal receives the user's click-to-open operation on the malicious email carrying the malicious mark, it can send the mail mark of the malicious email to the mail server and request that the mail server return the malicious attachment associated with the mail mark.
In the embodiment of the invention, the protocol information and the port information, returned by the sandbox, of the sandbox process that opens the malicious file are used to establish a remote connection with the sandbox, so that the malicious attachment of the malicious email can be browsed remotely in the sandbox process and the user can browse the malicious attachment safely.
The following illustrates application scenarios of the embodiment of the present invention by way of example:
Fig. 5 and fig. 6 show the processes in a first application scenario of the embodiment of the present invention. Fig. 5 is a schematic flowchart of the mail server extracting, storing and communicating malicious emails in the embodiment of the present invention; the process may be executed by an attachment extraction module, a storage module and a communication module of the mail server, and includes: the attachment extraction module restores the flow, extracts the malicious attachments and the corresponding mail identifiers of the malicious emails, and sends the malicious attachments and the mail identifiers to the storage module; the storage module stores the received malicious attachments, establishes a mail association table to associate the malicious files with the mail identifiers, and sends the mail identifiers to the communication module; and the communication module sends the mail identifiers to the user terminal. It should be noted that the above only explains how the mail server extracts, stores and communicates malicious emails; the process is not limited to being performed by the attachment extraction module, the storage module and the communication module.
Fig. 6 is a schematic flowchart of the first application scenario for implementing email browsing in the embodiment of the present invention; the process may be performed among a mail server, a loading unit, a user terminal and a sandbox, and includes: the mail server stores the extracted malicious attachments of the malicious emails, establishes a mail association table and sends a reminder message to the user terminal; the user terminal sends a browsing start request to the loading unit and passes it a mail identifier; after receiving the browsing start request from the user terminal, the loading unit sends the mail identifier and a query request to the mail server; the mail server responds to the query request, queries the mail association table according to the mail identifier, obtains the associated malicious attachment and sends it to the loading unit; the loading unit sends the malicious attachment and the mail identifier to the sandbox; the sandbox generates a new sandbox process, opens the malicious attachment, establishes a process association table between the protocol information of the sandbox process and the mail identifier, and sends the protocol information and port information of the sandbox process to the user terminal; the user terminal establishes a remote connection with the sandbox according to the protocol information and the port information of the sandbox process, browses the content of the malicious file, and sends an end request and the mail identifier to the sandbox when the user finishes browsing; and the sandbox looks up the associated sandbox process in the process association table according to the mail identifier and destroys that sandbox process. It should be noted that the actions performed by the loading unit may be performed by the mail server or the user terminal; that is, the mail server or the user terminal includes the loading unit.
Fig. 7 and fig. 8 show the processes in a second application scenario of the embodiment of the present invention. Fig. 7 is a schematic flowchart of the mail server extracting, storing and communicating malicious emails in the embodiment of the present invention; the process may be executed by an attachment extraction module, a storage module and a mail marking module of the mail server, and includes: the attachment extraction module restores the flow, extracts the malicious attachments and the corresponding mail identifiers of the malicious emails, and sends the malicious attachments and the mail identifiers to the storage module; the storage module stores the received malicious attachments, establishes a mail association table to associate the malicious files with the mail identifiers, and sends the mail identifiers to the mail marking module; and the malicious marking module marks the malicious email with a malicious mark. It should be noted that the above only explains how the mail server extracts, stores and communicates malicious emails; the process is not limited to being performed by the attachment extraction module, the storage module and the malicious marking module.
Fig. 8 is a schematic flowchart of the second application scenario for implementing email browsing in the embodiment of the present invention; the process may be performed among a mail server, a loading unit, a user terminal and a sandbox, and includes: the mail server stores the extracted malicious attachments of the malicious emails, establishes a mail association table and marks the malicious emails with malicious marks; the user terminal receives the user's click-to-open operation on the malicious email carrying the malicious mark, and sends a browsing start request and the mail mark to the loading unit; after receiving the browsing start request from the user terminal, the loading unit sends the mail identifier and a query request to the mail server; the mail server responds to the query request, queries the mail association table according to the mail identifier, obtains the associated malicious attachment and sends it to the loading unit; the loading unit sends the malicious attachment and the mail identifier to the sandbox; the sandbox generates a new sandbox process, opens the malicious attachment, establishes a process association table between the protocol information of the sandbox process and the mail identifier, and sends the protocol information and port information of the sandbox process to the user terminal; the user terminal establishes a remote connection with the sandbox according to the protocol information and the port information of the sandbox process, browses the content of the malicious file, and sends an end request and the mail identifier to the sandbox when the user finishes browsing; and the sandbox looks up the associated sandbox process in the process association table according to the mail identifier and destroys that sandbox process.
It should be noted that the actions performed by the loading unit may be performed by the mail server or the user terminal; that is, the mail server or the user terminal includes the loading unit.
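The exchange in the two application scenarios above (fig. 6 and fig. 8), modelled as an added example that is not part of the patent text: it shows the mail association table, the process association table, and the end request that destroys the sandbox process. All class names, the "vnc" protocol label, the port range and the mail identifiers are assumptions, and the sandbox process is a record rather than a real process.

```python
"""Added model of the fig. 6 / fig. 8 exchange (not from the patent).
Class names, the "vnc" label, ports and mail identifiers are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Address:
    """Address information returned by the sandbox: protocol plus port."""
    protocol: str
    port: int


class MailServer:
    """Stores intercepted attachments in a mail association table."""

    def __init__(self) -> None:
        self._mail_table: Dict[str, bytes] = {}  # mail identifier -> attachment

    def quarantine(self, mail_id: str, attachment: bytes) -> str:
        self._mail_table[mail_id] = attachment
        return mail_id  # carried by the reminder message or the marked email

    def query(self, mail_id: str) -> Optional[bytes]:
        return self._mail_table.get(mail_id)


class Sandbox:
    """Keeps the process association table: mail identifier -> sandbox process."""

    def __init__(self, protocol: str = "vnc", ports=range(5901, 5904)) -> None:
        self._protocol = protocol
        self._free_ports: List[int] = list(ports)
        self._process_table: Dict[str, Address] = {}
        self._opened: Dict[str, bytes] = {}  # attachment held only in the sandbox

    def open_attachment(self, mail_id: str, attachment: bytes) -> Address:
        if mail_id in self._process_table:   # already open: reuse that process
            return self._process_table[mail_id]
        if not self._free_ports:             # pool exhausted: refuse the request
            raise RuntimeError("no free sandbox process slot")
        address = Address(self._protocol, self._free_ports.pop(0))
        self._process_table[mail_id] = address
        self._opened[mail_id] = attachment   # stand-in for opening the file
        return address

    def end(self, mail_id: str) -> bool:
        """Handle an end request; True only if a process was destroyed."""
        address = self._process_table.pop(mail_id, None)
        if address is None:                  # unknown or already ended
            return False
        del self._opened[mail_id]
        self._free_ports.append(address.port)  # slot becomes reusable
        return True

    def active(self) -> int:
        return len(self._process_table)


class LoadingUnit:
    """Fetches the attachment by mail identifier and hands it to the sandbox."""

    def __init__(self, mail_server: MailServer, sandbox: Sandbox) -> None:
        self._mail_server = mail_server
        self._sandbox = sandbox

    def start_browsing(self, mail_id: str) -> Address:
        attachment = self._mail_server.query(mail_id)
        if attachment is None:
            raise KeyError(f"unknown mail identifier: {mail_id}")
        # Simplification: the address is relayed here instead of being sent
        # from the sandbox to the terminal directly.
        return self._sandbox.open_attachment(mail_id, attachment)


class UserTerminal:
    """Holds address information only; in this model (loading unit placed
    off the terminal) it never receives the attachment bytes."""

    def __init__(self, loader: LoadingUnit, sandbox: Sandbox) -> None:
        self._loader = loader
        self._sandbox = sandbox
        self.sessions: Dict[str, Address] = {}

    def browse(self, mail_id: str) -> Address:
        self.sessions[mail_id] = self._loader.start_browsing(mail_id)
        return self.sessions[mail_id]

    def finish(self, mail_id: str) -> bool:
        self.sessions.pop(mail_id, None)
        return self._sandbox.end(mail_id)    # end request plus mail identifier


if __name__ == "__main__":
    server, box = MailServer(), Sandbox()
    terminal = UserTerminal(LoadingUnit(server, box), box)
    server.quarantine("M-0001", b"constructed sample attachment bytes")
    print("connect to", terminal.browse("M-0001"), "active:", box.active())
    print("destroyed:", terminal.finish("M-0001"), "active:", box.active())
```
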
As shown in fig. 9, an embodiment of the present invention provides a schematic structural diagram of a user terminal, where the user terminal 90 includes:
an obtaining module 91, configured to obtain a malicious attachment of a malicious email;
a sending module 92, configured to send the malicious attachment to a sandbox, so that the sandbox generates a sandbox process for opening the malicious attachment;
and the remote browsing module 93 is configured to receive address information of the sandbox process returned by the sandbox, and use the address information to remotely browse the malicious attachment in the sandbox process.
Optionally, the remote browsing module may be further configured to receive protocol information and port information of the sandbox process returned by the sandbox, and remotely browse the malicious attachment in the sandbox process by using the protocol information and the port information.
Optionally, the obtaining module may be further configured to obtain a malicious attachment and a mail identifier of the malicious electronic mail; the sending module may be further configured to send the malicious attachment and the mail identifier to a sandbox, so that the sandbox generates a sandbox process for opening the malicious attachment, and associates the mail identifier with the sandbox process; as shown in fig. 10, the user terminal 90 may further include a process ending request module 94, configured to send the mail identifier and an ending request to the sandbox, so that the sandbox destroys the sandbox process associated with the mail identifier in response to the ending request.
Optionally, as shown in fig. 11, the user terminal 90 may further include:
a reminding module 95, configured to receive a reminder message, sent by the mail server, indicating that the malicious email has been intercepted, where the reminder message includes a mail identifier of the malicious email, and the mail identifier of the malicious email is associated with a malicious attachment of the malicious email and stored in the mail server;
the obtaining module 91 may be further configured to retrieve the malicious attachment associated with the mail identifier from the mail server according to the received mail identifier input by the user.
Optionally, as shown in fig. 12, the user terminal 90 may further include:
a malicious email receiving module 96, configured to receive a malicious email, with a malicious mark added, sent by the mail server, where the malicious email includes a mail mark and a malicious attachment, and the mail mark and the malicious attachment are associated and stored in the mail server;
a mail mark sending module 97, configured to send the mail mark to the mail server according to a received open operation of the user on the malicious email;
the obtaining module 91 may be further configured to receive the malicious attachment, associated with the mail mark, that is returned by the mail server.
The user terminal 90 can implement each process implemented by the user terminal in the method embodiments of fig. 1 to fig. 8 and achieve the same beneficial effects; to avoid repetition, details are not described here again.
It will be understood by those skilled in the art that all or part of the steps of the methods in the above embodiments may be implemented by a program instructing related hardware. The program may be stored in a computer-readable medium and, when executed, performs the following steps:
acquiring a malicious attachment of a malicious email;
sending the malicious attachment to a sandbox to enable the sandbox to generate a sandbox process for opening the malicious attachment;
receiving address information of the sandbox process returned by the sandbox, and remotely browsing the malicious attachment in the sandbox process by using the address information.
Optionally, the receiving address information of the sandbox process returned by the sandbox and remotely browsing the malicious attachment in the sandbox process by using the address information includes:
receiving protocol information and port information of the sandbox process returned by the sandbox, and remotely browsing the malicious attachment in the sandbox process by using the protocol information and the port information.
Optionally, the acquiring a malicious attachment of a malicious email includes:
acquiring a malicious attachment and a mail identifier of the malicious electronic mail;
the sending the malicious attachment to a sandbox to enable the sandbox to generate a sandbox process for opening the malicious attachment comprises:
sending the malicious attachment and the mail identification to a sandbox so that the sandbox generates a sandbox process for opening the malicious attachment, and associating the mail identification with the sandbox process;
after the receiving address information of the sandbox process returned by the sandbox and remotely browsing the malicious attachment in the sandbox process by using the address information, the method further includes:
sending the mail identifier and an end request to the sandbox, so that the sandbox destroys the sandbox process associated with the mail identifier in response to the end request.
Optionally, before acquiring the malicious attachment of the malicious email, the method further includes:
receiving a reminder message, sent by the mail server, about the interception of the malicious email, wherein the reminder message includes a mail identifier of the malicious email, and the mail identifier is stored in the mail server in association with the malicious attachment of the malicious email;
the acquiring a malicious attachment of a malicious email includes:
retrieving the malicious attachment associated with the mail identifier from the mail server according to the received mail identifier input by the user.
Optionally, before acquiring the malicious attachment of the malicious email, the method further includes:
receiving a malicious email that is sent by the mail server and to which a malicious mark has been added, wherein the malicious email includes a mail mark and a malicious attachment, and the mail mark and the malicious attachment are stored in the mail server in association with each other;
sending the mail mark to the mail server upon receiving the user's operation of opening the malicious email;
the acquiring a malicious attachment of a malicious email includes:
receiving the malicious attachment that is returned by the mail server and associated with the mail mark.
The storage medium may be a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
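The program steps listed above (send the attachment with its mail identifier, receive protocol and port information, send an end request) can be modelled as below. This is an added example, not code from the patent: the class names, the `vnc` protocol label, the port range, the host `sandbox.example` and the sleeping stand-in viewer are all assumptions.

```python
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path

# Assumption: stand-in for the viewer that would open the attachment inside the
# sandbox. It only sleeps; it never reads or executes the stored file.
VIEWER_CMD = [sys.executable, "-c", "import time; time.sleep(300)"]

class Sandbox:
    """Sandbox side: one sandbox process per mail identifier."""

    def __init__(self, protocol="vnc", first_port=40000):  # assumed values
        self.protocol = protocol
        self.next_port = first_port
        self.sessions = {}  # mail_id -> (process, workdir, port)

    def open_attachment(self, mail_id, data):
        # A repeated request for the same mail reuses its process instead of
        # leaking a second one that no end request would ever reach.
        if mail_id not in self.sessions:
            workdir = Path(tempfile.mkdtemp(prefix="sbx-"))
            # Fixed file name: the sender-controlled name never touches a path.
            (workdir / "attachment").write_bytes(data)
            proc = subprocess.Popen(VIEWER_CMD, cwd=workdir)
            self.sessions[mail_id] = (proc, workdir, self.next_port)
            self.next_port += 1  # bookkeeping only; the stand-in does not listen
        return {"protocol": self.protocol, "port": self.sessions[mail_id][2]}

    def end(self, mail_id):
        """Handle an end request: destroy the process tied to mail_id."""
        session = self.sessions.pop(mail_id, None)
        if session is None:
            return False  # unknown or already ended: nothing to destroy
        proc, workdir, _port = session
        proc.kill()
        proc.wait(timeout=10)
        shutil.rmtree(workdir, ignore_errors=True)
        return True

class UserTerminal:
    """Terminal side: never opens the attachment locally, only forwards it."""

    def __init__(self, sandbox, host="sandbox.example"):  # placeholder host
        self.sandbox = sandbox
        self.host = host

    def browse(self, mail_id, data):
        info = self.sandbox.open_attachment(mail_id, data)
        return f"{info['protocol']}://{self.host}:{info['port']}"

    def close(self, mail_id):
        return self.sandbox.end(mail_id)

if __name__ == "__main__":
    terminal = UserTerminal(Sandbox())
    print(terminal.browse("mail-0001", b"constructed sample"))  # constructed input
    print(terminal.close("mail-0001"))
```

Keying the session table on the mail identifier is what lets the end request find and destroy exactly one process; a deployment would also want an idle timeout for sessions the terminal never ends, which the page does not describe.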
While the foregoing is directed to the preferred embodiment of the present invention, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention as defined in the appended claims.
Claims (8)
1. A method for browsing electronic mail, comprising:
acquiring a malicious attachment of a malicious email;
sending the malicious attachment to a sandbox to enable the sandbox to generate a sandbox process for opening the malicious attachment;
receiving address information of the sandbox process returned by the sandbox, and remotely browsing the malicious attachment in the sandbox process by using the address information;
the receiving address information of the sandbox process returned by the sandbox and remotely browsing the malicious attachment in the sandbox process by using the address information includes: receiving protocol information and port information of the sandbox process returned by the sandbox, and remotely browsing the malicious attachment in the sandbox process by using the protocol information and the port information, wherein the malicious file opened by the sandbox process is subjected to virtualization redirection when the malicious file is opened in the sandbox process.
2. The method of claim 1, wherein the acquiring a malicious attachment of a malicious email comprises:
acquiring a malicious attachment and a mail identifier of the malicious electronic mail;
the sending the malicious attachment to a sandbox to enable the sandbox to generate a sandbox process for opening the malicious attachment comprises:
sending the malicious attachment and the mail identification to a sandbox so that the sandbox generates a sandbox process for opening the malicious attachment, and associating the mail identification with the sandbox process;
after the receiving address information of the sandbox process returned by the sandbox and remotely browsing the malicious attachment in the sandbox process by using the address information, the method further comprises:
sending the mail identifier and an end request to the sandbox, so that the sandbox destroys the sandbox process associated with the mail identifier in response to the end request.
3. The method of any of claims 1-2, wherein before the acquiring a malicious attachment of a malicious email, the method further comprises:
receiving a reminder message, sent by the mail server, about the interception of the malicious email, wherein the reminder message comprises a mail identifier of the malicious email, and the mail identifier is stored in the mail server in association with the malicious attachment of the malicious email;
the acquiring a malicious attachment of a malicious email comprises:
retrieving the malicious attachment associated with the mail identifier from the mail server according to the received mail identifier input by the user.
4. The method of any of claims 1-2, wherein before the acquiring a malicious attachment of a malicious email, the method further comprises:
receiving a malicious email that is sent by the mail server and to which a malicious mark has been added, wherein the malicious email comprises a mail mark and a malicious attachment, and the mail mark and the malicious attachment are stored in the mail server in association with each other;
sending the mail mark to the mail server upon receiving the user's operation of opening the malicious email;
the acquiring a malicious attachment of a malicious email comprises:
receiving the malicious attachment that is returned by the mail server and associated with the mail mark.
5. A user terminal, comprising:
the acquisition module is used for acquiring a malicious attachment of a malicious email;
the sending module is used for sending the malicious attachment to a sandbox so that the sandbox generates a sandbox process for opening the malicious attachment;
the remote browsing module is used for receiving the address information of the sandbox process returned by the sandbox and remotely browsing the malicious attachment in the sandbox process by using the address information;
the remote browsing module is further configured to receive protocol information and port information of the sandbox process returned by the sandbox, and remotely browse the malicious attachment in the sandbox process by using the protocol information and the port information, where the malicious file opened by the sandbox process is redirected by virtualization when the malicious file is opened in the sandbox process.
6. The user terminal of claim 5, wherein the obtaining module is further configured to obtain a malicious attachment and a mail identification of the malicious email; the sending module is further configured to send the malicious attachment and the mail identifier to a sandbox, so that the sandbox generates a sandbox process for opening the malicious attachment, and associates the mail identifier with the sandbox process; the user terminal also comprises a process ending request module which is used for sending the mail identification and the ending request to the sandbox so that the sandbox responds to the ending request and destroys the sandbox process associated with the mail identification.
7. The user terminal according to any of claims 5-6, wherein the user terminal further comprises:
the reminding module is used for receiving a reminder message, sent by the mail server, about the interception of the malicious email, wherein the reminder message comprises a mail identifier of the malicious email, and the mail identifier is stored in the mail server in association with the malicious attachment of the malicious email;
the acquisition module is further used for retrieving the malicious attachment associated with the mail identifier from the mail server according to the received mail identifier input by the user.
8. The user terminal according to any of claims 5-6, wherein the user terminal further comprises:
the malicious email receiving module is used for receiving a malicious email that is sent by the mail server and to which a malicious mark has been added, wherein the malicious email comprises a mail mark and a malicious attachment, and the mail mark and the malicious attachment are stored in the mail server in association with each other;
the mail mark sending module is used for sending the mail mark to the mail server upon receiving the user's operation of opening the malicious email;
the acquisition module is further used for receiving the malicious attachment which is returned by the mail server and is associated with the mail mark.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610712468.2A CN107786413B (en) | 2016-08-24 | 2016-08-24 | Method for browsing e-mail and user terminal |
PCT/CN2017/094006 WO2018036321A1 (en) | 2016-08-24 | 2017-07-24 | Email viewing method, and user terminal |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107786413A | 2018-03-09 |
CN107786413B | 2022-03-22 |
Family
ID=61245392
Family Applications (1)
Application Number | Status | Priority Date | Filing Date | Title |
---|---|---|---|---|
CN201610712468.2A CN107786413B (en) | Active | 2016-08-24 | 2016-08-24 | Method for browsing e-mail and user terminal |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN107786413B (en) |
WO (1) | WO2018036321A1 (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113949579B (en) * | 2021-10-20 | 2024-04-30 | 安天科技集团股份有限公司 | Website attack defense method and device, computer equipment and storage medium |
CN114697381A (en) * | 2022-03-24 | 2022-07-01 | 京东科技控股股份有限公司 | Service operation method and device, storage medium and electronic equipment |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1457181A (en) * | 2003-03-13 | 2003-11-19 | 北京无限立通通讯技术有限责任公司 | Method for realizing mobile realtime e-mail delivery by mobile short-message and mobile IP network |
CN1961272A (en) * | 2004-06-29 | 2007-05-09 | 英特尔公司 | Method of improving computer security through sandboxing |
CN101163274A (en) * | 2007-11-16 | 2008-04-16 | 中国联合通信有限公司 | Device, method and mail system for supporting anti-virus of electronic mail |
CN105227570A (en) * | 2015-10-19 | 2016-01-06 | 成都卫士通信息产业股份有限公司 | A kind of safe e-mail system of integrated campaign |
Family Cites Families (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100192224A1 (en) * | 2009-01-26 | 2010-07-29 | International Business Machines Corporation | Sandbox web navigation |
US8479286B2 (en) * | 2009-12-15 | 2013-07-02 | Mcafee, Inc. | Systems and methods for behavioral sandboxing |
US9185064B2 (en) * | 2010-01-15 | 2015-11-10 | Microsoft Technology Licensing, Llc | Interactive email |
US8850572B2 (en) * | 2010-01-15 | 2014-09-30 | Apple Inc. | Methods for handling a file associated with a program in a restricted program environment |
CN102436507B (en) * | 2011-12-28 | 2014-07-16 | 奇智软件(北京)有限公司 | Method and device for browsing web pages |
CN103955468B (en) * | 2012-03-06 | 2017-12-19 | 北京奇虎科技有限公司 | Document display method and device based on browser |
CN102930210B (en) * | 2012-10-14 | 2015-11-25 | 江苏金陵科技集团有限公司 | Rogue program behavior automated analysis, detection and classification system and method |
CN103268442B (en) * | 2013-05-14 | 2015-12-23 | 北京奇虎科技有限公司 | A kind of method and apparatus realizing secure access video website |
CN103618758B (en) * | 2013-10-31 | 2017-01-11 | 新浪网技术(中国)有限公司 | Web server and system resource access control method thereof |
CN103648049B (en) * | 2013-12-20 | 2017-01-18 | 北京奇虎科技有限公司 | Method and device for achieving safe video play |
Also Published As
Publication number | Publication date |
---|---|
WO2018036321A1 (en) | 2018-03-01 |
CN107786413A (en) | 2018-03-09 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||