Summary of the invention
The embodiments of the present application provide a method and a device for handling computer viruses, to solve the problem that existing antivirus engines scan all files on every virus scan and therefore occupy a large amount of system resources.
To solve the above technical problem, the embodiments of the present application disclose the following technical solutions:
A method for handling computer viruses, in which several virus scan modes are set in advance, the virus scan modes occupying different amounts of system resources when scanning files, the method comprising:
obtaining files to be scanned;
calling the corresponding virus scan modes to scan the files to be scanned, in order of the system resources the virus scan modes occupy, from small to large.
The several virus scan modes include at least a first virus scan mode and a second virus scan mode, the first virus scan mode occupying fewer system resources than the second virus scan mode;
Calling the corresponding virus scan modes to scan the files to be scanned comprises:
calling the first virus scan mode to scan the files to be scanned, and obtaining the determined files among the files to be scanned;
calling the second virus scan mode to scan only the other files among the files to be scanned, excluding the determined files.
The several virus scan modes, arranged in order of occupied system resources from small to large, include at least two of the following modes:
a memory scan mode that performs virus scanning according to the scan results of already-scanned files saved in a cache, the scan results comprising the file attribute information of files determined to be malicious or non-malicious, and the file attribute information comprising file size, file modification time and file path;
a list scan mode that performs virus scanning using at least one of a blacklist and a whitelist saved in advance;
an engine scan mode that performs virus scanning using an antivirus engine.
Calling the corresponding virus scan modes to scan the files to be scanned, in order of the system resources the virus scan modes occupy from small to large, comprises:
calling the memory scan mode to scan the files to be scanned, and obtaining a first scan result comprising first determined files;
calling the list scan mode to scan only the other files among the files to be scanned, excluding the first determined files, and obtaining a second scan result comprising second determined files;
calling the engine scan mode to scan only the remaining files among the other files, excluding the second determined files, and obtaining a third scan result comprising third determined files.
Scanning the files to be scanned with the memory scan mode comprises:
obtaining the file attribute information of a file to be scanned;
matching that file attribute information against the file attribute information saved in the cache;
when the file attributes of the file to be scanned match the file attributes saved in the cache, determining the file to be a malicious file or a non-malicious file; when they do not match, determining the file to be one of the other files, to be scanned by the list scan mode.
Scanning, using the blacklist saved in advance, the other files that remain after the memory scan mode has removed the first determined files comprises:
comparing the file name of each of the other files with the file names saved in advance in the blacklist; when the file name of a file matches a saved file name, the file is determined to be a malicious file belonging to the second determined files;
Scanning, using the whitelist saved in advance, the other files that remain after the memory scan mode has removed the first determined files comprises:
comparing the file name of each of the other files with the file names saved in advance in the whitelist; when the file name of a file matches a saved file name, the file is determined to be a non-malicious file belonging to the second determined files.
The method further comprises:
storing, according to the scan results of the files to be scanned, the file attributes of the second determined files and the third determined files in the cache.
A device for handling computer viruses, the device comprising:
a setting unit, configured to set several virus scan modes in advance, the virus scan modes occupying different amounts of system resources when scanning files;
an acquiring unit, configured to obtain files to be scanned;
a scanning unit, configured to call the corresponding virus scan modes to scan the files to be scanned, in order of the system resources the virus scan modes occupy, from small to large.
The several virus scan modes set by the setting unit include at least a first virus scan mode and a second virus scan mode, the first virus scan mode occupying fewer system resources than the second virus scan mode;
The scanning unit comprises:
a first calling scanning unit, configured to call the first virus scan mode to scan the files to be scanned and obtain the determined files among the files to be scanned;
a second calling scanning unit, configured to call the second virus scan mode to scan only the other files among the files to be scanned, excluding the determined files, and obtain a second scan result.
The several virus scan modes set by the setting unit, arranged in order of occupied system resources from small to large, include at least two of the following modes:
a memory scan mode that performs virus scanning according to the scan results of already-scanned files saved in a cache, the scan results comprising the file attributes of files determined to be malicious or non-malicious, and the file attributes comprising file size, file modification time and file path;
a list scan mode that performs virus scanning using at least one of a blacklist and a whitelist saved in advance;
an engine scan mode that performs virus scanning using an antivirus engine.
The scanning unit comprises:
a first scanning unit, configured to call the memory scan mode to scan the files to be scanned and obtain a first scan result comprising first determined files;
a second scanning unit, configured to call the list scan mode to scan only the other files among the files to be scanned, excluding the first determined files, and obtain a second scan result comprising second determined files;
a third scanning unit, configured to call the engine scan mode to scan only the remaining files among the other files, excluding the second determined files, and obtain a third scan result comprising third determined files.
The first scanning unit comprises:
an information acquiring unit, configured to obtain the file attribute information of a file to be scanned;
an information matching unit, configured to match that file attribute information against the file attribute information saved in the cache;
a result determining unit, configured to determine the file to be scanned to be a malicious file or a non-malicious file when its file attributes match the file attributes saved in the cache, and to determine it to be one of the other files, to be scanned by the list scan mode, when its file attributes do not match the file attributes saved in the cache.
The second scanning unit comprises at least one of the following units:
a blacklist scanning unit, configured to compare the file name of each of the other files with the file names saved in advance in the blacklist, and, when the file name of a file matches a saved file name, to determine that the file is a malicious file belonging to the second determined files;
a whitelist scanning unit, configured to compare the file name of each of the other files with the file names saved in advance in the whitelist, and, when the file name of a file matches a saved file name, to determine that the file is a non-malicious file belonging to the second determined files.
The device further comprises:
a storage unit, configured to store, according to the scan results of the second scanning unit and the third scanning unit, the file attributes of the second determined files and the third determined files in the cache.
As the above shows, in the embodiments of the present application several virus scan modes are set in advance, the virus scan modes occupying different amounts of system resources when scanning files; files to be scanned are obtained, and the corresponding virus scan modes are called to scan them in order of occupied system resources, from small to large. Because the scan modes are called in that order, a scan mode that occupies fewer system resources, for example the memory scan mode, scans the files first, which reduces the number of files that the more resource-intensive scan modes have to scan; this increases the system's virus scan speed and saves system resources. Further, because the memory scan mode, which occupies few system resources, keeps the scan results of the previous scan, a repeat scan can determine the scan result of most files through the memory scan mode, which increases scan speed further.
Detailed description of the embodiments
The following embodiments of the present invention provide a method and a device for handling computer viruses. In the embodiments of the present application, the virus scan modes are called in order of occupied system resources, from small to large, so the scan modes that occupy fewer system resources run first and reduce the number of files that the more resource-intensive scan modes have to scan; this increases the system's virus scan speed and saves system resources.
To help those skilled in the art better understand the technical solutions in the embodiments of the present invention, and to make the above objects, features and advantages of the embodiments clearer, the technical solutions are described in further detail below with reference to the accompanying drawings.
Referring to Fig. 1, a flowchart of the first embodiment of the method for handling computer viruses of the present application:
Step 101: set several virus scan modes in advance, the virus scan modes occupying different amounts of system resources when scanning files.
The virus scan modes, arranged in order of occupied system resources from small to large, include at least two of the following modes: a memory scan mode that performs virus scanning according to the scan results of already-scanned files saved in a cache, where the scan results comprise the file attribute information of files determined to be malicious or non-malicious, and the file attribute information comprises file size, file modification time and file path; a list scan mode that performs virus scanning using at least one of a blacklist and a whitelist saved in advance; an engine scan mode that performs virus scanning using an antivirus engine.
Step 102: obtain the files to be scanned.
Step 103: call the corresponding virus scan modes to scan the files to be scanned, in order of the system resources the virus scan modes occupy, from small to large.
When the virus scan modes include at least a first virus scan mode and a second virus scan mode, and the first virus scan mode occupies fewer system resources than the second, the first virus scan mode is called first to scan the files to be scanned and obtain the determined files among them; the second virus scan mode is then called to scan only the other files among the files to be scanned, excluding the determined files. Here, a determined file is a file that has been determined to be a malicious file or a non-malicious file.
Specifically, when the memory scan mode, the list scan mode and the engine scan mode are all used to scan the files to be scanned, the memory scan mode is called first to scan the files to be scanned, obtaining a first scan result comprising first determined files; the list scan mode is then called to scan only the other files among the files to be scanned, excluding the first determined files, obtaining a second scan result comprising second determined files; finally the engine scan mode is called to scan only the remaining files among the other files, excluding the second determined files, obtaining a third scan result comprising third determined files.
Referring to Fig. 2, a flowchart of the second embodiment of the method for handling computer viruses of the present application; this embodiment describes in detail the process of scanning the files to be scanned with three scan modes:
Step 201: set in advance the memory scan mode, the list scan mode and the engine scan mode, arranged in order of occupied system resources from small to large.
The memory scan mode performs virus scanning according to the scan results of already-scanned files saved in the cache; the scan results comprise the file attribute information of files determined to be malicious or non-malicious, and the file attribute information comprises file size, file modification time, file path and the like. The list scan mode performs virus scanning using at least one of a blacklist and a whitelist saved in advance. The engine scan mode performs virus scanning using an antivirus engine.
Step 202: obtain the files to be scanned.
Step 203: call the memory scan mode to scan the files to be scanned, and obtain a first scan result comprising first determined files.
Obtain the file attribute information of a file to be scanned, for example file size, file modification time and file path. The file attributes kept by the system record the file size, modification time, file path and other attribute information of the file as of its last modification; the attribute information is updated in real time as the file is modified.
Match the file attribute information against the file attribute information saved in the cache. When the file attributes of the file to be scanned match the file attributes saved in the cache, the file is determined to be a malicious file or a non-malicious file; when they do not match, the file is determined to be one of the other files, to be scanned by the list scan mode. Because the file attribute information comprises several items, the items can be matched one by one in a preset order, for example file size first, then file modification time, and finally file path. The file attributes of a file are determined to match those saved in the cache only when all of its attribute items are consistent with the file attribute information saved in the cache; when any one attribute item of the file is inconsistent with the file attribute information saved in the cache, the file attributes are determined not to match.
Because the memory scan mode performs virus scanning according to the scan results of already-scanned files saved in the cache, the determined files in the first scan result obtained through matching are the set of files already determined to be malicious or non-malicious by the previous scan. Because information in memory is read quickly, and virus files change little between two consecutive scans, most files in the system can be checked through the memory scan mode, which increases scan speed and saves system resources.
Step 204: call the list scan mode to scan only the other files among the files to be scanned, excluding the first determined files, and obtain a second scan result comprising second determined files.
When scanning with the blacklist saved in advance, the file name of each of the other files is compared with the file names saved in advance in the blacklist; when the file name of a file matches a saved file name, the file is determined to be a malicious file belonging to the second determined files. When scanning with the whitelist saved in advance, the file name of each of the other files is compared with the file names saved in advance in the whitelist; when the file name of a file matches a saved file name, the file is determined to be a non-malicious file belonging to the second determined files.
The whitelist is usually maintained by the user on the client: the user adds files determined to be non-malicious to the whitelist, which can record information such as the file name and file path. The blacklist is usually maintained by the antivirus software provider, which adds files determined through monitoring to be malicious to the blacklist.
Step 205: call the engine scan mode to scan only the remaining files among the other files, excluding the second determined files, and obtain a third scan result comprising third determined files.
When the engine scan mode is used to scan the remaining files, the antivirus engine may be any existing antivirus engine, such as a cloud scanning engine, the QVM (Qihoo Virtual Machine, artificial intelligence engine) engine, or the Avira ("Little Red Umbrella") antivirus engine.
Step 206: according to the scan results of the files to be scanned, store the file attributes of the second determined files and the third determined files in the cache.
In this scan, the determined files in the scan results obtained by the list scan mode and the engine scan mode differ from the determined files already saved in the cache. Therefore, to further speed up the next virus scan, the file attributes of the second and third determined files, including file size, file modification time and file path, are recorded in the cache, so that next time these files can be scanned directly by the memory scan mode, which occupies the fewest system resources.
Referring to Fig. 3, a flowchart of the third embodiment of the method for handling computer viruses of the present application; this embodiment shows in detail the process of scanning the files to be scanned with the memory scan mode:
Step 301: save the scan results of already-scanned files in the cache in advance; the scan results comprise the file attribute information of files determined to be malicious or non-malicious, and the file attribute information comprises file size, file modification time and file path.
Step 302: take the next file, in order, from the files to be scanned.
Step 303: obtain the file size, file modification time and file path of this file.
The file attributes kept by the system record the file size, modification time, file path and other attribute information of the file as of its last modification; the attribute information is updated in real time as the file is modified.
Step 304: judge whether the file size of this file matches the file size saved in advance; if so, go to step 305; otherwise, go to step 309.
Step 305: judge whether the file modification time of this file matches the file modification time saved in advance; if so, go to step 306; otherwise, go to step 309.
Step 306: judge whether the file path of this file matches the file path saved in advance; if so, go to step 307; otherwise, go to step 309.
Step 307: determine this file to be a malicious file or a non-malicious file according to the matching result.
The file attributes of a file are determined to match those saved in the cache only when all of its attribute items are consistent with the file attribute information saved in the cache. If the file corresponding to the matched file attribute information in memory is a malicious file, the scan result of this file is malicious; if the file corresponding to the matched file attribute information in memory is a non-malicious file, the scan result of this file is non-malicious.
Because the memory scan mode performs virus scanning according to the scan results of already-scanned files saved in the cache, the determined files in the first scan result obtained through matching are the set of files already determined to be malicious or non-malicious by the previous scan. Because information in memory is read quickly, and virus files change little between two consecutive scans, most files in the system can be checked through the memory scan mode, which increases scan speed and saves system resources.
Step 308: determine this file to be a file that needs to be scanned by another scan mode.
When any one attribute item of a file is inconsistent with the file attribute information saved in the cache, the file attributes of the file are determined not to match those saved in the cache. In that case the file is marked for scanning by a scan mode other than the memory scan mode, for example the list scan mode and/or the engine scan mode shown in the previous embodiment.
Step 309: judge whether all files to be scanned have been matched; if so, end the process; otherwise, return to step 302.
As the above embodiments of the present application show, when files are scanned for viruses, the virus scan modes are called in order of occupied system resources, from small to large, so a scan mode that occupies fewer system resources, for example the memory scan mode, scans the files first, which reduces the number of files that the more resource-intensive scan modes have to scan; this increases the system's virus scan speed and saves system resources. Further, because the memory scan mode, which occupies few system resources, keeps the scan results of the previous scan, a repeat scan can determine the scan result of most files through the memory scan mode, which increases scan speed further.
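The scan order of the second embodiment (steps 201 to 206) and the cache matching of the third embodiment, as an added Python example that is not code from the patent: a cache of path, size and modification time, a list scan on file names, and a fallback engine scan whose results are written back to the cache. The names TieredScanner, toy_engine and MARKER, the blacklist-before-whitelist order and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile
from dataclasses import dataclass, field
from typing import Callable

MALICIOUS, CLEAN = "malicious", "non-malicious"
MARKER = b"CONSTRUCTED-TEST-MARKER"   # constructed byte string, not a real signature

def file_attrs(path):
    """Attributes the memory scan mode matches on: (path, size, modification time)."""
    st = os.stat(path)
    return os.path.abspath(path), st.st_size, st.st_mtime_ns

def toy_engine(path):
    """Hypothetical stand-in for the engine scan mode: reads the whole file."""
    with open(path, "rb") as f:
        return MALICIOUS if MARKER in f.read() else CLEAN

@dataclass
class TieredScanner:
    engine: Callable[[str], str]
    blacklist: set = field(default_factory=set)   # file names saved in advance
    whitelist: set = field(default_factory=set)
    cache: dict = field(default_factory=dict)     # path -> (size, mtime, verdict)
    engine_calls: int = 0

    def memory_scan(self, paths):
        """Cheapest mode: a file is determined only if every attribute matches."""
        determined, other = {}, []
        for p in paths:
            key, size, mtime = file_attrs(p)
            entry = self.cache.get(key)           # path match is the dict lookup
            if entry and entry[0] == size and entry[1] == mtime:
                determined[p] = (entry[2], "memory")
            else:
                other.append(p)                   # handed on to the list scan
        return determined, other

    def list_scan(self, paths):
        """Compare file names with the saved lists (blacklist first: an assumption)."""
        determined, remaining = {}, []
        for p in paths:
            name = os.path.basename(p)
            if name in self.blacklist:
                determined[p] = (MALICIOUS, "list")
            elif name in self.whitelist:
                determined[p] = (CLEAN, "list")
            else:
                remaining.append(p)               # handed on to the engine scan
        return determined, remaining

    def engine_scan(self, paths):
        """Most expensive mode: runs only on files no cheaper mode determined."""
        determined = {}
        for p in paths:
            self.engine_calls += 1
            determined[p] = (self.engine(p), "engine")
        return determined

    def scan(self, paths):
        first, other = self.memory_scan(paths)
        second, remaining = self.list_scan(other)
        third = self.engine_scan(remaining)
        # Store the second and third determined files in the cache for next time.
        for p, (verdict, _) in {**second, **third}.items():
            key, size, mtime = file_attrs(p)
            self.cache[key] = (size, mtime, verdict)
        return {**first, **second, **third}

def demo():
    """Three passes over four constructed files; one file is edited before pass 3."""
    samples = {"report.txt": b"quarterly numbers", "tool.exe": b"trusted utility",
               "bad.exe": b"anything", "unknown.bin": b"xx" + MARKER}
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, data in samples.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            paths.append(p)
        s = TieredScanner(engine=toy_engine,
                          blacklist={"bad.exe"}, whitelist={"tool.exe"})
        passes = []
        for i in range(3):
            if i == 2:                            # size changes, so the cache misses
                with open(paths[0], "ab") as f:
                    f.write(b" (edited)")
            result = s.scan(paths)
            by_name = {os.path.basename(p): v for p, v in result.items()}
            passes.append((by_name, s.engine_calls))
        return passes

if __name__ == "__main__":
    for by_name, calls in demo():
        print(calls, by_name)
```

The cache matches file metadata only, as the page describes, so it says nothing about file content; an implementation that needs that assurance would add a content hash to the cached attributes.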
Corresponding to the embodiments of the method for handling computer viruses, the present application also provides embodiments of a device for handling computer viruses.
Referring to Fig. 4, a block diagram of the first embodiment of the device for handling computer viruses of the present application:
The device comprises: a setting unit 410, an acquiring unit 420 and a scanning unit 430.
The setting unit 410 is configured to set several virus scan modes in advance, the virus scan modes occupying different amounts of system resources when scanning files;
The acquiring unit 420 is configured to obtain files to be scanned;
The scanning unit 430 is configured to call the corresponding virus scan modes to scan the files to be scanned, in order of the system resources the virus scan modes occupy, from small to large.
The several virus scan modes set by the setting unit 410 include at least a first virus scan mode and a second virus scan mode, the first virus scan mode occupying fewer system resources than the second virus scan mode;
The scanning unit 430 may specifically comprise (not shown in Fig. 4):
a first calling scanning unit, configured to call the first virus scan mode to scan the files to be scanned and obtain the determined files among the files to be scanned;
a second calling scanning unit, configured to call the second virus scan mode to scan only the other files among the files to be scanned, excluding the determined files, and obtain a second scan result.
Referring to Fig. 5, a block diagram of the second embodiment of the device for handling computer viruses of the present application:
The device comprises: a setting unit 510, an acquiring unit 520, a scanning unit 530 and a storage unit 540.
The setting unit 510 is configured to set several virus scan modes in advance, the virus scan modes occupying different amounts of system resources when scanning files. The virus scan modes set by the setting unit, arranged in order of occupied system resources from small to large, include at least two of the following modes: a memory scan mode that performs virus scanning according to the scan results of already-scanned files saved in a cache, the scan results comprising the file attributes of files determined to be malicious or non-malicious, and the file attributes comprising file size, file modification time and file path; a list scan mode that performs virus scanning using at least one of a blacklist and a whitelist saved in advance; an engine scan mode that performs virus scanning using an antivirus engine;
The acquiring unit 520 is configured to obtain files to be scanned;
The scanning unit 530 is configured to call the corresponding virus scan modes to scan the files to be scanned, in order of the system resources the virus scan modes occupy, from small to large. The scanning unit 530 may comprise: a first scanning unit 531, configured to call the memory scan mode to scan the files to be scanned and obtain a first scan result comprising first determined files; a second scanning unit 532, configured to call the list scan mode to scan only the other files among the files to be scanned, excluding the first determined files, and obtain a second scan result comprising second determined files; a third scanning unit 533, configured to call the engine scan mode to scan only the remaining files among the other files, excluding the second determined files, and obtain a third scan result comprising third determined files;
The storage unit 540 is configured to store, according to the scan results of the second scanning unit and the third scanning unit, the file attributes of the second determined files and the third determined files in the cache.
Specifically, the first scanning unit 531 may comprise (not shown in Fig. 5):
an information acquiring unit, configured to obtain the file attribute information of a file to be scanned;
an information matching unit, configured to match that file attribute information against the file attribute information saved in the cache;
a result determining unit, configured to determine the file to be scanned to be a malicious file or a non-malicious file when its file attributes match the file attributes saved in the cache, and to determine it to be one of the other files, to be scanned by the list scan mode, when its file attributes do not match the file attributes saved in the cache.
Specifically, the second scanning unit 532 may comprise (not shown in Fig. 5):
a blacklist scanning unit, configured to compare the file name of each of the other files with the file names saved in advance in the blacklist, and, when the file name of a file matches a saved file name, to determine that the file is a malicious file belonging to the second determined files;
a whitelist scanning unit, configured to compare the file name of each of the other files with the file names saved in advance in the whitelist, and, when the file name of a file matches a saved file name, to determine that the file is a non-malicious file belonging to the second determined files.
As the description of the above embodiments shows, in the embodiments of the present application several virus scan modes are set in advance, the virus scan modes occupying different amounts of system resources when scanning files; files to be scanned are obtained, and the corresponding virus scan modes are called to scan them in order of occupied system resources, from small to large. Because the scan modes are called in that order, a scan mode that occupies fewer system resources, for example the memory scan mode, scans the files first, which reduces the number of files that the more resource-intensive scan modes have to scan; this increases the system's virus scan speed and saves system resources. Further, because the memory scan mode, which occupies few system resources, keeps the scan results of the previous scan, a repeat scan can determine the scan result of most files through the memory scan mode, which increases scan speed further.
Those skilled in the art will clearly understand that the techniques in the embodiments of the present invention can be implemented in software together with the necessary general-purpose hardware platform. On that understanding, the technical solutions in the embodiments of the present invention, in essence or in the part that contributes over the prior art, can be embodied as a software product; the computer software product can be stored in a storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to carry out the methods described in the embodiments of the present invention or in parts of the embodiments.
The embodiments in this specification are described progressively; for parts that are the same or similar between embodiments, the embodiments may be referred to one another, and each embodiment emphasises its differences from the others. In particular, the system embodiments are described relatively briefly because they are substantially similar to the method embodiments; for the relevant parts, refer to the description of the method embodiments.
The embodiments of the present invention described above do not limit the scope of protection of the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.