CN102346827A - Method and device for handling computer viruses - Google Patents

Publication number: CN102346827A
Authority: CN (China)
Prior art keywords: file, scanned, scan mode, virus scan, scanning
Legal status: Granted
Application number: CN2011102777463A
Other languages: Chinese (zh)
Other versions: CN102346827B (en)
Inventors: 付旻, 邹贵强
Current Assignee: Beijing 360 Zhiling Technology Co ltd
Original Assignee: Qizhi Software Beijing Co Ltd
Application filed by Qizhi Software Beijing Co Ltd
Priority to CN201110277746.3A (CN102346827B)
Priority to CN201410268281.9A (CN104063662B)
Publication of CN102346827A
Priority to PCT/CN2012/081574 (WO2013041016A1)
Priority to US14/345,649 (US20150020203A1)
Application granted
Publication of CN102346827B
Priority to US14/859,791 (US10165001B2)
Status: Active

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Storage Device Security (AREA)

Abstract

An embodiment of the invention discloses a method and device for handling computer viruses. A plurality of virus scan modes are preset, and the modes occupy different amounts of system resources when scanning files. The method comprises the following steps: acquiring the files to be scanned; and calling the virus scan modes, in ascending order of the system resources they occupy, to scan the files to be scanned. Because the scan modes are called in ascending order of resource use, files are first scanned with a mode that occupies fewer system resources, such as a memory scan mode. This reduces the number of files that must be scanned by the modes that occupy more system resources, which improves the system's virus scanning speed and saves system resources.

Description

Method and device for handling computer viruses
Technical field
The application relates to the field of computer technology, and in particular to a method and device for handling computer viruses.
Background
A computer virus is data that is written or inserted into a computer program to damage computer functions. It can interfere with normal use of the computer, can replicate itself, and usually takes the form of a set of computer instructions or program code. An antivirus engine is the technical mechanism that judges whether a given program's behavior is that of a virus (including a suspicious program). The antivirus engine is the main part of antivirus software and is the program that detects and finds viruses; the virus database is the set of characteristics of viruses that have already been found. During virus removal, the characteristics in the virus database are compared against all programs or files on the machine, and any program or file that matches those characteristics is judged to be a virus.
In studying the prior art, the inventors found that each antivirus engine scan is independent of the others: regardless of the result output by the previous scan, the next scan again uses the antivirus engine on all files, even though the types of virus files found in two consecutive scans may be the same. Thus, although the antivirus engine is powerful at removing viruses, it occupies a large amount of system resources every time it is used to scan all files.
Summary of the invention
The embodiments of the application provide a method and device for handling computer viruses, to solve the problem that existing antivirus engines scan all files on every scan and therefore occupy a large amount of system resources.
To solve the above technical problem, the embodiments of the application disclose the following technical solutions:
A method for handling computer viruses, in which several virus scan modes are set in advance and the virus scan modes occupy different amounts of system resources when scanning files, the method comprising:
Obtaining the files to be scanned;
Calling the virus scan modes, in ascending order of the system resources they occupy, to scan the files to be scanned.
The several virus scan modes comprise at least a first virus scan mode and a second virus scan mode, and the first virus scan mode occupies fewer system resources than the second virus scan mode;
Calling the corresponding virus scan modes to scan the files to be scanned comprises:
Calling the first virus scan mode to scan the files to be scanned, obtaining the determined files among the files to be scanned;
Calling the second virus scan mode to scan only the other files among the files to be scanned, excluding the determined files.
The several virus scan modes, arranged in ascending order of the system resources they occupy, comprise at least two of the following modes:
A memory scan mode, which performs virus scanning according to the scan results of scanned files stored in a cache; the scan results comprise the file attribute information of files determined to be malicious or non-malicious, and the file attribute information comprises file size, file modification time and file path;
A list scan mode, which performs virus scanning using at least one of a blacklist and a whitelist stored in advance;
An engine scan mode, which performs virus scanning using an antivirus engine.
Calling the corresponding virus scan modes, in ascending order of the system resources they occupy, to scan the files to be scanned comprises:
Calling the memory scan mode to scan the files to be scanned, obtaining a first scan result comprising first determined files;
Calling the list scan mode to scan only the other files among the files to be scanned, excluding the first determined files, obtaining a second scan result comprising second determined files;
Calling the engine scan mode to scan only the remaining files among the other files, excluding the second determined files, obtaining a third scan result comprising third determined files.
Scanning the files to be scanned with the memory scan mode comprises:
Obtaining the file attribute information of a file to be scanned;
Matching that file attribute information against the file attribute information stored in the cache;
When the file attributes of the file to be scanned match file attributes stored in the cache, determining the file to be a malicious file or a non-malicious file; when they do not match, determining the file to be one of the other files to be scanned by the list scan mode.
Scanning, with the blacklist stored in advance, the other files left after the memory scan mode has removed the first determined files comprises:
Comparing the file name of each of the other files with the file names stored in advance in the blacklist; when the file name of a file matches a stored file name, determining that file to be a malicious file belonging to the second determined files;
Scanning, with the whitelist stored in advance, the other files left after the memory scan mode has removed the first determined files comprises:
Comparing the file name of each of the other files with the file names stored in advance in the whitelist; when the file name of a file matches a stored file name, determining that file to be a non-malicious file belonging to the second determined files.
The method further comprises:
According to the scan results of the files to be scanned, storing the file attributes of the second determined files and the third determined files in the cache.
A device for handling computer viruses, the device comprising:
A setting unit, configured to set several virus scan modes in advance, the virus scan modes occupying different amounts of system resources when scanning files;
An acquiring unit, configured to obtain the files to be scanned;
A scanning unit, configured to call the virus scan modes, in ascending order of the system resources they occupy, to scan the files to be scanned.
The several virus scan modes set in the setting unit comprise at least a first virus scan mode and a second virus scan mode, and the first virus scan mode occupies fewer system resources than the second virus scan mode;
The scanning unit comprises:
A first calling scanning unit, configured to call the first virus scan mode to scan the files to be scanned, obtaining the determined files among the files to be scanned;
A second calling scanning unit, configured to call the second virus scan mode to scan only the other files among the files to be scanned, excluding the determined files, obtaining a second scan result.
The several virus scan modes set by the setting unit, arranged in ascending order of the system resources they occupy, comprise at least two of the following modes:
A memory scan mode, which performs virus scanning according to the scan results of scanned files stored in a cache; the scan results comprise the file attributes of files determined to be malicious or non-malicious, and the file attributes comprise file size, file modification time and file path;
A list scan mode, which performs virus scanning using at least one of a blacklist and a whitelist stored in advance;
An engine scan mode, which performs virus scanning using an antivirus engine.
The scanning unit comprises:
A first scanning unit, configured to call the memory scan mode to scan the files to be scanned, obtaining a first scan result comprising first determined files;
A second scanning unit, configured to call the list scan mode to scan only the other files among the files to be scanned, excluding the first determined files, obtaining a second scan result comprising second determined files;
A third scanning unit, configured to call the engine scan mode to scan only the remaining files among the other files, excluding the second determined files, obtaining a third scan result comprising third determined files.
The first scanning unit comprises:
An information acquisition unit, configured to obtain the file attribute information of a file to be scanned;
An information matching unit, configured to match that file attribute information against the file attribute information stored in the cache;
A result determining unit, configured to determine the file to be scanned to be a malicious file or a non-malicious file when its file attributes match file attributes stored in the cache, and to determine it to be one of the other files to be scanned by the list scan mode when they do not match.
The second scanning unit comprises at least one of the following units:
A blacklist scanning unit, configured to compare the file name of each of the other files with the file names stored in advance in the blacklist and, when the file name of a file matches a stored file name, determine that file to be a malicious file belonging to the second determined files;
A whitelist scanning unit, configured to compare the file name of each of the other files with the file names stored in advance in the whitelist and, when the file name of a file matches a stored file name, determine that file to be a non-malicious file belonging to the second determined files.
The device further comprises:
A storage unit, configured to store the file attributes of the second determined files and the third determined files in the cache according to the scan results of the second scanning unit and the third scanning unit.
As the above embodiments show, the embodiments of the application set several virus scan modes in advance, the modes occupying different amounts of system resources when scanning files; obtain the files to be scanned; and call the virus scan modes, in ascending order of the system resources they occupy, to scan the files to be scanned. Because the scan modes are called in ascending order of resource use, files can first be scanned by a mode that occupies fewer system resources, such as the memory scan mode. This reduces the number of files that must be scanned by the modes that occupy more system resources, which improves the system's virus scanning speed and saves system resources. Furthermore, because the memory scan mode, which occupies few system resources, can keep the scan results of the previous scan, the scan results for most files can be determined by the memory scan mode when scanning again, which further raises scanning speed.
Brief description of the drawings
To explain the technical solutions of the embodiments of the application or of the prior art more clearly, the drawings needed to describe them are briefly introduced below. A person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flowchart of the first embodiment of the method for handling computer viruses of the application;
Fig. 2 is a flowchart of the second embodiment of the method for handling computer viruses of the application;
Fig. 3 is a flowchart of the third embodiment of the method for handling computer viruses of the application;
Fig. 4 is a block diagram of the first embodiment of the device for handling computer viruses of the application;
Fig. 5 is a block diagram of the second embodiment of the device for handling computer viruses of the application.
Embodiments
The following embodiments of the invention provide a method and device for handling computer viruses. Because the embodiments of the application call the virus scan modes in ascending order of the system resources they occupy, files can first be scanned by a mode that occupies fewer system resources. This reduces the number of files that must be scanned by the modes that occupy more system resources, which improves the system's virus scanning speed and saves system resources.
To help those skilled in the art better understand the technical solutions in the embodiments of the invention, and to make the above objects, features and advantages of the embodiments clearer, the technical solutions are described in further detail below with reference to the drawings.
Referring to Fig. 1, which is a flowchart of the first embodiment of the method for handling computer viruses of the application:
Step 101: Set several virus scan modes in advance; the virus scan modes occupy different amounts of system resources when scanning files.
The several virus scan modes, arranged in ascending order of the system resources they occupy, comprise at least two of the following modes: a memory scan mode, which performs virus scanning according to the scan results of scanned files stored in a cache, where the scan results comprise the file attribute information of files determined to be malicious or non-malicious and the file attribute information comprises file size, file modification time and file path; a list scan mode, which performs virus scanning using at least one of a blacklist and a whitelist stored in advance; and an engine scan mode, which performs virus scanning using an antivirus engine.
Step 102: Obtain the files to be scanned.
Step 103: Call the virus scan modes, in ascending order of the system resources they occupy, to scan the files to be scanned.
When the several virus scan modes comprise at least a first virus scan mode and a second virus scan mode, and the first virus scan mode occupies fewer system resources than the second, the first virus scan mode is called first to scan the files to be scanned and obtain the determined files among them; the second virus scan mode is then called to scan only the other files among the files to be scanned, excluding the determined files. A determined file is a file that has been determined to be a malicious file or a non-malicious file.
Specifically, when the memory scan mode, the list scan mode and the engine scan mode are all used to scan the files to be scanned, the memory scan mode is called first to scan the files to be scanned, obtaining a first scan result comprising first determined files. The list scan mode is then called to scan only the other files among the files to be scanned, excluding the first determined files, obtaining a second scan result comprising second determined files. Finally, the engine scan mode is called to scan only the remaining files among the other files, excluding the second determined files, obtaining a third scan result comprising third determined files.
Referring to Fig. 2, which is a flowchart of the second embodiment of the method for handling computer viruses of the application; this embodiment describes in detail the process of scanning the files to be scanned with three scan modes:
Step 201: Set in advance the memory scan mode, the list scan mode and the engine scan mode, arranged in ascending order of the system resources they occupy.
The memory scan mode performs virus scanning according to the scan results of scanned files stored in the cache; the scan results comprise the file attribute information of files determined to be malicious or non-malicious, and the file attribute information comprises file size, file modification time, file path and the like. The list scan mode performs virus scanning using at least one of a blacklist and a whitelist stored in advance. The engine scan mode performs virus scanning using an antivirus engine.
Step 202: Obtain the files to be scanned.
Step 203: Call the memory scan mode to scan the files to be scanned, obtaining a first scan result comprising first determined files.
Obtain the file attribute information of each file to be scanned, for example file size, file modification time and file path. The system's file attribute record for a file holds attribute information such as the file size, modification time and file path as of the file's last modification, and this attribute information is updated in real time as the file is modified.
The file attribute information is matched against the file attribute information stored in the cache. When the file attributes of a file to be scanned match file attributes stored in the cache, the file is determined to be a malicious file or a non-malicious file; when they do not match, the file is determined to be one of the other files to be scanned by the list scan mode. Because the file attribute information comprises several items, the items can be matched one by one in a preset order, for example first the file size, then the file modification time, and finally the file path. Only when all attribute information of a file is consistent with file attribute information stored in the cache are the file's attributes determined to match the stored attributes; when any one item of a file's attribute information is inconsistent with the file attribute information stored in the cache, the file's attributes are determined not to match.
Because the memory scan mode performs virus scanning according to the scan results of scanned files stored in the cache, the determined files in the first scan result obtained by matching are the set of files that the previous scan determined to be malicious or non-malicious. Because information in memory is fast to read and virus files change little between two consecutive scans, most files in the system can be checked by the memory scan mode, which raises scanning speed and saves system resources.
Step 204: Call the list scan mode to scan only the other files among the files to be scanned, excluding the first determined files, obtaining a second scan result comprising second determined files.
When scanning with the blacklist stored in advance, the file name of each of the other files is compared with the file names stored in advance in the blacklist; when the file name of a file matches a stored file name, that file is determined to be a malicious file belonging to the second determined files. When scanning with the whitelist stored in advance, the file name of each of the other files is compared with the file names stored in advance in the whitelist; when the file name of a file matches a stored file name, that file is determined to be a non-malicious file belonging to the second determined files.
The whitelist is usually maintained on the client by the user: the user adds files confirmed as non-malicious to the whitelist, which can record information such as each file's name and file path. The blacklist is usually maintained by the antivirus software provider, which adds files determined by monitoring to be malicious to the blacklist.
Step 205: Call the engine scan mode to scan only the remaining files among the other files, excluding the second determined files, obtaining a third scan result comprising third determined files.
When the engine scan mode is used to scan the remaining files, the antivirus engine may be any existing antivirus engine, such as a cloud scanning engine, the QVM (Qihoo Virtual Machine, artificial intelligence engine) engine, or the Avira ("little red umbrella") antivirus engine.
Step 206: According to the scan results of the files to be scanned, store the file attributes of the second determined files and the third determined files in the cache.
In this scan, the determined files in the scan results obtained by the list scan mode and the engine scan mode differ from the determined files already stored in the cache. To further speed up the next virus scan, the file attributes of the second determined files and the third determined files, including file size, file modification time and file path, are recorded in the cache, so that next time these files can be scanned directly by the memory scan mode, which occupies the fewest system resources.
Referring to Fig. 3, which is a flowchart of the third embodiment of the method for handling computer viruses of the application; this embodiment shows in detail the process of scanning the files to be scanned with the memory scan mode:
Step 301: Store the scan results of scanned files in the cache in advance; the scan results comprise the file attribute information of files determined to be malicious or non-malicious, and the file attribute information comprises file size, file modification time and file path.
Step 302: Obtain, in order, one file from the files to be scanned.
Step 303: Obtain the file size, file modification time and file path of this file.
The system's file attribute record for a file holds attribute information such as the file size, modification time and file path as of the file's last modification, and this attribute information is updated in real time as the file is modified.
Step 304: Determine whether the file size of this file matches the file size stored in advance; if so, execute step 305; otherwise, execute step 309.
Step 305: Determine whether the file modification time of this file matches the file modification time stored in advance; if so, execute step 306; otherwise, execute step 309.
Step 306: Determine whether the file path of this file matches the file path stored in advance; if so, execute step 307; otherwise, execute step 309.
Step 307: Determine this file to be a malicious file or a non-malicious file according to the matching result.
Only when all attribute information of a file is consistent with file attribute information stored in the cache are the file's attributes determined to match the stored attributes. If the file corresponding to the matching file attribute information in memory is a malicious file, the scan result for this file is a malicious file; if the file corresponding to the matching file attribute information in memory is a non-malicious file, the scan result for this file is a non-malicious file.
Because the memory scan mode performs virus scanning according to the scan results of scanned files stored in the cache, the determined files in the first scan result obtained by matching are the set of files that the previous scan determined to be malicious or non-malicious. Because information in memory is fast to read and virus files change little between two consecutive scans, most files in the system can be checked by the memory scan mode, which raises scanning speed and saves system resources.
Step 308: Determine this file to be a file that needs to be scanned by another scan mode.
When any one item of a file's attribute information is inconsistent with the file attribute information stored in the cache, the file's attributes are determined not to match the attributes stored in the cache. The file is then marked for scanning by a scan mode other than the memory scan mode, for example the list scan mode and/or the engine scan mode shown in the preceding embodiment.
Step 309: Determine whether all files to be scanned have been matched; if so, end the flow; otherwise, return to step 302.
As the above embodiments of the application show, because the virus scan modes are called in ascending order of the system resources they occupy when files are scanned for viruses, files can first be scanned by a mode that occupies fewer system resources, such as the memory scan mode. This reduces the number of files that must be scanned by the modes that occupy more system resources, which improves the system's virus scanning speed and saves system resources. Furthermore, because the memory scan mode, which occupies few system resources, can keep the scan results of the previous scan, the scan results for most files can be determined by the memory scan mode when scanning again, which further raises scanning speed.
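The following Python example is added here and is not code from the patent or from the assignee's products. It runs the memory, list and engine scan modes of the second and third embodiments in that order and counts how many files each mode decides on three consecutive passes; the class name TieredScanner, the file names and the byte marker standing in for an engine signature are assumptions constructed for illustration.

```python
import os
import tempfile

MALICIOUS, CLEAN = "malicious", "non-malicious"
# Constructed marker standing in for an engine signature (assumption, not a real one).
TEST_SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"


class TieredScanner:
    """Hypothetical scanner that calls the cheapest scan mode first."""

    def __init__(self, blacklist=(), whitelist=()):
        self.blacklist = set(blacklist)   # file names determined malicious
        self.whitelist = set(whitelist)   # file names determined non-malicious
        self.cache = {}                   # path -> (size, mtime_ns, verdict)

    @staticmethod
    def attributes(path):
        st = os.stat(path)
        return st.st_size, st.st_mtime_ns

    def memory_scan(self, path):
        """Return the cached verdict only if size, mtime and path all match."""
        entry = self.cache.get(os.path.abspath(path))  # path match is the key lookup
        if entry is None:
            return None
        size, mtime, verdict = entry
        cur_size, cur_mtime = self.attributes(path)
        if cur_size != size:       # file size comparison (step 304)
            return None
        if cur_mtime != mtime:     # modification time comparison (step 305)
            return None
        return verdict             # all attributes match (step 307)

    def list_scan(self, path):
        """Compare the file name with the blacklist, then the whitelist."""
        name = os.path.basename(path)
        if name in self.blacklist:
            return MALICIOUS
        if name in self.whitelist:
            return CLEAN
        return None

    def engine_scan(self, path):
        """Costliest mode: reads the whole file and searches its content."""
        with open(path, "rb") as fh:
            return MALICIOUS if TEST_SIGNATURE in fh.read() else CLEAN

    def remember(self, path, verdict):
        """Step 206: store the attributes of a newly determined file."""
        size, mtime = self.attributes(path)
        self.cache[os.path.abspath(path)] = (size, mtime, verdict)

    def scan(self, paths):
        verdicts = {}
        tiers = {"memory": 0, "list": 0, "engine": 0}
        others = []
        for path in paths:                 # step 203: memory scan mode
            verdict = self.memory_scan(path)
            if verdict is None:
                others.append(path)
            else:
                verdicts[path] = verdict
                tiers["memory"] += 1
        remaining = []
        for path in others:                # step 204: list scan mode
            verdict = self.list_scan(path)
            if verdict is None:
                remaining.append(path)
            else:
                verdicts[path] = verdict
                tiers["list"] += 1
                self.remember(path, verdict)
        for path in remaining:             # step 205: engine scan mode
            verdict = self.engine_scan(path)
            verdicts[path] = verdict
            tiers["engine"] += 1
            self.remember(path, verdict)
        return verdicts, tiers


def demo():
    """Scan five constructed files three times; edit one before the third pass."""
    files = {
        "report.txt": b"quarterly numbers",
        "notes.txt": b"todo list",
        "dropper.exe": b"placeholder bytes",
        "trusted_tool.exe": b"placeholder bytes",
        "sample.bin": b"header " + TEST_SIGNATURE,
    }
    with tempfile.TemporaryDirectory() as root:
        paths = []
        for name, data in files.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(data)
            paths.append(path)
        scanner = TieredScanner(blacklist={"dropper.exe"},
                                whitelist={"trusted_tool.exe"})
        first_verdicts, first = scanner.scan(paths)
        _, second = scanner.scan(paths)
        with open(paths[0], "ab") as fh:   # report.txt changes size
            fh.write(b" edited")
        _, third = scanner.scan(paths)
        by_name = {os.path.basename(p): v for p, v in first_verdicts.items()}
    return by_name, [first, second, third]


if __name__ == "__main__":
    print(demo())
```

On the second pass every file is decided from the cache, and on the third only the edited file falls through to the engine.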
Corresponding with the embodiment of the method for the application's process computer virus, the application also provides the embodiment of the device of process computer virus.
Referring to Fig. 4, be the first embodiment block diagram of the viral device of the application's process computer:
This device comprises: unit 410, acquiring unit 420 and scanning element 430 are set.
Wherein, unit 410 is set, is used for being provided with in advance some virus scan modes, said some virus scan modes shared system resource when carrying out file scan is different;
Acquiring unit 420 is used to obtain file to be scanned;
Scanning element 430 is used for calling corresponding virus scan mode said file to be scanned being scanned according to the order of said some virus scan mode occupying system resources from little arrival.
Wherein, the said some virus scan modes that are provided with in the unit 410 that are provided with comprise the first virus scan mode and the second virus scan mode at least, and the system resource that the said first virus scan mode takies is less than the said second virus scan mode;
Said scanning element 430 can specifically comprise (not shown among Fig. 4):
First calls scanning element, is used to call the said first virus scan mode said file to be scanned is scanned, and obtains the definite file in the said file to be scanned;
Second calls scanning element, is used for calling the said second virus scan mode and only said file to be scanned other file except that said definite file is scanned, and obtains second scanning result.
Referring to Fig. 5, a block diagram of the second embodiment of the device for handling computer viruses of the present application:
This device comprises: a setting unit 510, an acquiring unit 520, a scanning unit 530 and a storage unit 540.
Wherein the setting unit 510 is configured to set several virus scan modes in advance, said several virus scan modes occupying different amounts of system resources when scanning files; the several virus scan modes set by the setting unit, arranged in ascending order of system resources occupied, comprise at least two of the following modes: a memory scan mode that performs virus scanning according to the scanning results of scanned files saved in a cache, said scanning results comprising the file attributes of files determined to be malicious or non-malicious, and said file attributes comprising file size, file modification time and file path; a list scan mode that performs virus scanning using at least one of a blacklist and a whitelist saved in advance; an engine scan mode that performs virus scanning through an antivirus engine;
The acquiring unit 520 is configured to obtain the files to be scanned;
The scanning unit 530 is configured to call the corresponding virus scan modes to scan said files to be scanned, in ascending order of the system resources occupied by said several virus scan modes; this scanning unit 530 may comprise: a first scanning unit 531, configured to call said memory scan mode to scan said files to be scanned and obtain a first scanning result comprising first determined files; a second scanning unit 532, configured to call said list scan mode to scan only the other files among said files to be scanned, excluding said first determined files, and obtain a second scanning result comprising second determined files; a third scanning unit 533, configured to call said engine scan mode to scan only the remaining files among said other files, excluding said second determined files, and obtain a third scanning result comprising third determined files;
The storage unit 540 is configured to store, according to the scanning results of said second scanning unit and third scanning unit, the file attributes of said second determined files and third determined files in the cache.
Specifically, the first scanning unit 531 may comprise (not shown in Fig. 5):
An information acquiring unit, configured to obtain the file attribute information of a file to be scanned;
An information matching unit, configured to match said file attribute information against the file attribute information saved in the cache;
A result determining unit, configured to determine said file to be scanned to be a malicious file or a non-malicious file when the file attributes of the file to be scanned match file attributes saved in the cache, and to determine said file to be scanned to be one of the other files to be scanned in the list scan mode when the file attributes of the file to be scanned do not match the file attributes saved in the cache.
Specifically, the second scanning unit 532 may comprise (not shown in Fig. 5):
A blacklist scanning unit, configured to compare the file name of each file among said other files with the file names saved in advance in said blacklist; when the file name of a file matches one of said file names saved in advance, that file is determined to be a malicious file belonging to said second determined files;
A whitelist scanning unit, configured to compare the file name of each file among said other files with the file names saved in advance in said whitelist; when the file name of a file matches one of said file names saved in advance, that file is determined to be a non-malicious file belonging to said second determined files.
As the description of the above embodiments shows, in the embodiments of the present application several virus scan modes are set in advance, and these modes occupy different amounts of system resources when scanning files; the files to be scanned are obtained and, in ascending order of the system resources the modes occupy, the corresponding virus scan modes are called to scan them. When the embodiments of the present application are used for virus scanning, the scan modes are called in ascending order of system resources occupied, so files can first be scanned by a mode that occupies fewer system resources, for example the memory scan mode. This reduces the number of files that the more resource-intensive scan modes need to scan, thereby improving the system's virus scanning speed and saving system resources. Further, because the lightweight memory scan mode can save the scanning results of the previous scan, on a rescan the results for most files can be determined by the memory scan mode, which further increases scanning speed.
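The tiered flow summarized above, sketched in Python as an added example (it is not code from the patent): a cache lookup on path, size and modification time, then a file-name blacklist/whitelist, then the engine, with list and engine verdicts written back to the cache. `TieredScanner`, `toy_engine`, the marker bytes and the file names are all hypothetical and constructed; the toy engine only stands in for a real antivirus engine.

```python
import os
import tempfile

MALICIOUS, CLEAN = "malicious", "clean"
TEST_MARKER = b"CONSTRUCTED-TEST-SIGNATURE"  # constructed pattern, not a real signature


def toy_engine(path):
    """Stand-in for the costly antivirus engine: it reads the whole file."""
    with open(path, "rb") as fh:
        return MALICIOUS if TEST_MARKER in fh.read() else CLEAN


class TieredScanner:
    def __init__(self, blacklist, whitelist, engine=toy_engine):
        self.blacklist, self.whitelist = set(blacklist), set(whitelist)
        self.engine = engine
        self.cache = {}        # absolute path -> (size, mtime_ns, verdict)
        self.engine_calls = 0  # how often the expensive stage actually ran

    @staticmethod
    def _attrs(path):
        st = os.stat(path)
        return os.path.abspath(path), st.st_size, st.st_mtime_ns

    def _settle(self, results, item, verdict, stage):
        path, key, size, mtime = item
        results[path] = (verdict, stage)
        self.cache[key] = (size, mtime, verdict)  # list/engine verdicts are cached

    def scan(self, paths):
        """Return {path: (verdict, stage)}, trying the cheapest stage first."""
        results, after_cache, after_list = {}, [], []
        # Stage 1 (memory scan mode): attribute match against cached results.
        for path in paths:
            key, size, mtime = self._attrs(path)
            hit = self.cache.get(key)
            if hit and hit[:2] == (size, mtime):
                results[path] = (hit[2], "cache")
            else:
                after_cache.append((path, key, size, mtime))
        # Stage 2 (list scan mode): file-name comparison, only for cache misses.
        for item in after_cache:
            name = os.path.basename(item[0])
            if name in self.blacklist:
                self._settle(results, item, MALICIOUS, "list")
            elif name in self.whitelist:
                self._settle(results, item, CLEAN, "list")
            else:
                after_list.append(item)
        # Stage 3 (engine scan mode): only files no cheaper stage could decide.
        for item in after_list:
            self.engine_calls += 1
            self._settle(results, item, self.engine(item[0]), "engine")
        return results


def by_name(results):
    return {os.path.basename(p): v for p, v in results.items()}


def demo():
    """Three passes over constructed files; returns per-pass results and engine calls."""
    files = {"report.doc": b"plain text", "dropper.bin": b"x" + TEST_MARKER,
             "known_bad.exe": b"anything", "notepad.exe": b"anything"}
    with tempfile.TemporaryDirectory() as folder:
        paths = []
        for name, data in files.items():
            path = os.path.join(folder, name)
            with open(path, "wb") as fh:
                fh.write(data)
            paths.append(path)
        scanner = TieredScanner(blacklist={"known_bad.exe"}, whitelist={"notepad.exe"})
        first = by_name(scanner.scan(paths))   # cold cache
        second = by_name(scanner.scan(paths))  # unchanged files
        with open(paths[0], "ab") as fh:       # report.doc grows, so its size changes
            fh.write(b" edited")
        third = by_name(scanner.scan(paths))
        return first, second, third, scanner.engine_calls
```

Stage 1 trusts path, size and modification time alone, so a verdict stays cached until one of those three attributes changes.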
Those skilled in the art will clearly understand that the techniques in the embodiments of the invention can be implemented by software plus the necessary general-purpose hardware platform. On that understanding, the technical solutions in the embodiments of the invention, in essence or in the part that contributes over the prior art, can be embodied in the form of a software product. This computer software product can be stored in a storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and comprises a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to carry out the methods described in the embodiments of the invention or in certain parts of the embodiments.
The embodiments in this specification are described progressively; for identical or similar parts, the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, since the system embodiments are essentially similar to the method embodiments, their description is relatively brief; for the relevant parts, refer to the corresponding description of the method embodiments.
The embodiments of the invention described above do not limit the scope of protection of the invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within the scope of protection of the invention.

Claims (14)

1. the method for process computer virus is characterized in that, some virus scan modes are set in advance, and said some virus scan modes shared system resource when carrying out file scan is different, and said method comprises:
Obtain file to be scanned;
According to said some virus scan mode occupying system resources order from small to large, call corresponding virus scan mode said file to be scanned is scanned.
2. method according to claim 1; It is characterized in that; Said some virus scan modes comprise the first virus scan mode and the second virus scan mode at least, and the system resource that the said first virus scan mode takies is less than the said second virus scan mode;
Saidly call corresponding virus scan mode and said file to be scanned is scanned comprise:
Call the said first virus scan mode said file to be scanned is scanned, obtain the definite file in the said file to be scanned;
Calling the said second virus scan mode only scans other file except that said definite file in the said file to be scanned.
3. method according to claim 1 is characterized in that, said some virus scan modes comprise following dual mode at least according to occupying system resources series arrangement from small to large:
Carry out the internal memory scan mode of virus scan according to the scanning result of the scanning document of preserving in the buffer memory; Said scanning result comprises the file attribute information of confirming as malice file or non-malice file, and said file attribute information comprises file size, file modification time and file path;
A single scan mode that carries out virus scan through the blacklist preserved in advance and at least a list in the white list;
Carry out the engine scan mode of virus scan through antivirus engine.
4. method according to claim 3 is characterized in that, and is said according to some virus scan mode occupying system resources order from small to large, calls corresponding virus scan mode and file to be scanned is scanned comprises:
Call said internal memory scan mode said file to be scanned is scanned, obtain to comprise first first scanning result of confirming file;
Call said name single scan mode and only confirm that to removing said first in the said file to be scanned other file of file scans, obtain to comprise second second scanning result of confirming file;
Call said engine scan mode only to confirming that except that said second the residue file the file scans in said other file, obtain to comprise the 3rd the 3rd scanning result of confirming file.
5. method according to claim 4 is characterized in that, adopts the internal memory scan mode that said file to be scanned is scanned and comprises:
Obtain the file attribute information of file to be scanned;
The file attribute information of preserving in said file attribute information and the buffer memory is mated;
When the file attribute coupling of preserving in the file attribute of file to be scanned and the buffer memory; Said file to be scanned is confirmed as malice file or non-malice file; When the file attribute of preserving in the file attribute of file to be scanned and the buffer memory does not match, said file to be scanned is confirmed as other file that scans through the name single scan mode.
6. method according to claim 4 is characterized in that,
Blacklist through preserving in advance comprises scanning through other file that removes said first definite file after the scanning of internal memory scan mode:
The filename of preserving in advance in the filename of each file in said other file and the said blacklist is compared; When the filename of certain file and said filename coupling of preserving in advance, confirm that said certain file is to belong to the said second malice file of confirming file;
White list through preserving in advance comprises scanning through other file that removes said first definite file after the scanning of internal memory scan mode:
The filename of preserving in advance in the filename of each file in said other file and the said white list is compared; When the filename of certain file and said filename coupling of preserving in advance, confirm that said certain file is to belong to the said second non-malice file of confirming file.
7. method according to claim 4 is characterized in that, also comprises:
According to the scanning result of file to be scanned, confirm that with said second the file attribute of file and the 3rd definite file deposits in the buffer memory.
8. A device for handling computer viruses, characterized in that said device comprises:
A setting unit, configured to set several virus scan modes in advance, said several virus scan modes occupying different amounts of system resources when scanning files;
An acquiring unit, configured to obtain files to be scanned;
A scanning unit, configured to call the corresponding virus scan modes to scan said files to be scanned, in ascending order of the system resources occupied by said several virus scan modes.
9. The device according to claim 8, characterized in that the several virus scan modes set by said setting unit comprise at least a first virus scan mode and a second virus scan mode, the first virus scan mode occupying fewer system resources than the second virus scan mode;
Said scanning unit comprises:
A first calling-and-scanning unit, configured to call said first virus scan mode to scan said files to be scanned and obtain the determined files among said files to be scanned;
A second calling-and-scanning unit, configured to call said second virus scan mode to scan only the other files among said files to be scanned, excluding said determined files, and obtain a second scanning result.
10. The device according to claim 8, characterized in that the several virus scan modes set by said setting unit, arranged in ascending order of system resources occupied, comprise at least two of the following modes:
A memory scan mode that performs virus scanning according to the scanning results of scanned files saved in a cache; said scanning results comprise the file attributes of files determined to be malicious or non-malicious, and said file attributes comprise file size, file modification time and file path;
A list scan mode that performs virus scanning using at least one of a blacklist and a whitelist saved in advance;
An engine scan mode that performs virus scanning through an antivirus engine.
11. The device according to claim 10, characterized in that said scanning unit comprises:
A first scanning unit, configured to call said memory scan mode to scan said files to be scanned and obtain a first scanning result comprising first determined files;
A second scanning unit, configured to call said list scan mode to scan only the other files among said files to be scanned, excluding said first determined files, and obtain a second scanning result comprising second determined files;
A third scanning unit, configured to call said engine scan mode to scan only the remaining files among said other files, excluding said second determined files, and obtain a third scanning result comprising third determined files.
12. The device according to claim 11, characterized in that the first scanning unit comprises:
An information acquiring unit, configured to obtain the file attribute information of a file to be scanned;
An information matching unit, configured to match said file attribute information against the file attribute information saved in the cache;
A result determining unit, configured to determine said file to be scanned to be a malicious file or a non-malicious file when the file attributes of the file to be scanned match file attributes saved in the cache, and to determine said file to be scanned to be one of the other files to be scanned in the list scan mode when the file attributes of the file to be scanned do not match the file attributes saved in the cache.
13. The device according to claim 11, characterized in that said second scanning unit comprises at least one of the following units:
A blacklist scanning unit, configured to compare the file name of each file among said other files with the file names saved in advance in said blacklist; when the file name of a file matches one of said file names saved in advance, that file is determined to be a malicious file belonging to said second determined files;
A whitelist scanning unit, configured to compare the file name of each file among said other files with the file names saved in advance in said whitelist; when the file name of a file matches one of said file names saved in advance, that file is determined to be a non-malicious file belonging to said second determined files.
14. The device according to claim 11, characterized in that it further comprises:
A storage unit, configured to store, according to the scanning results of said second scanning unit and third scanning unit, the file attributes of said second determined files and third determined files in the cache.
CN201110277746.3A 2011-09-19 2011-09-19 Method and device for handling computer viruses Active CN102346827B (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
CN201110277746.3A CN102346827B (en) 2011-09-19 2011-09-19 Method and device for handling computer viruses
CN201410268281.9A CN104063662B (en) 2011-09-19 2011-09-19 Method and device for processing computer virus
PCT/CN2012/081574 WO2013041016A1 (en) 2011-09-19 2012-09-19 Method and device for processing computer viruses
US14/345,649 US20150020203A1 (en) 2011-09-19 2012-09-19 Method and device for processing computer viruses
US14/859,791 US10165001B2 (en) 2011-09-19 2015-09-21 Method and device for processing computer viruses

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110277746.3A CN102346827B (en) 2011-09-19 2011-09-19 Method and device for handling computer viruses

Related Child Applications (2)

Application Number Title Priority Date Filing Date
CN201410268598.2A Division CN104063663A (en) 2011-09-19 2011-09-19 Computer virus scan method
CN201410268281.9A Division CN104063662B (en) 2011-09-19 2011-09-19 Method and device for processing computer virus

Publications (2)

Publication Number Publication Date
CN102346827A true CN102346827A (en) 2012-02-08
CN102346827B CN102346827B (en) 2014-11-05

Family

ID=45545496

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110277746.3A Active CN102346827B (en) 2011-09-19 2011-09-19 Method and device for handling computer viruses

Country Status (1)

Country Link
CN (1) CN102346827B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1375775A (en) * 2001-03-16 2002-10-23 联想(北京)有限公司 Geteway level computer network virus preventing method and device
CN101651678A (en) * 2009-09-11 2010-02-17 北京锐安科技有限公司 Method and system for dynamically merging files and respectively executing merged PE files in network
CN101685486A (en) * 2008-09-23 2010-03-31 联想(北京)有限公司 Virus killing method and virus killing system with multiple antivirus engines

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013041016A1 (en) * 2011-09-19 2013-03-28 北京奇虎科技有限公司 Method and device for processing computer viruses
US10165001B2 (en) 2011-09-19 2018-12-25 Beijing Qihoo Technology Company Limited Method and device for processing computer viruses
CN104063662A (en) * 2011-09-19 2014-09-24 北京奇虎科技有限公司 Method and device for processing computer virus
CN102789562A (en) * 2012-07-19 2012-11-21 腾讯科技(深圳)有限公司 Method and device for determining viral file
WO2014012494A1 (en) * 2012-07-19 2014-01-23 Tencent Technology (Shenzhen) Company Limited Method and apparatus for determining virus-infected files
CN102789562B (en) * 2012-07-19 2014-11-12 腾讯科技(深圳)有限公司 Method and device for determining viral file
US9268939B2 (en) 2012-07-19 2016-02-23 Tencent Technology (Shenzhen) Company Limited Method and apparatus for determining virus-infected files
CN103049695B (en) * 2012-12-11 2015-12-09 北京奇虎科技有限公司 A kind of method for supervising of computer virus and device
CN103020524A (en) * 2012-12-11 2013-04-03 北京奇虎科技有限公司 Computer virus monitoring system
CN103049695A (en) * 2012-12-11 2013-04-17 北京奇虎科技有限公司 Computer virus monitoring method and device
CN103020524B (en) * 2012-12-11 2015-08-05 北京奇虎科技有限公司 Computer virus supervisory system
CN103093145A (en) * 2013-01-18 2013-05-08 北京奇虎科技有限公司 Method and device and system for scanning mobile storage device
CN103093145B (en) * 2013-01-18 2016-01-13 北京奇虎科技有限公司 A kind of methods, devices and systems scanning movable storage device
CN103559443B (en) * 2013-11-01 2017-07-14 北京奇虎科技有限公司 The virus scan method and apparatus of device for multi-core
CN103559443A (en) * 2013-11-01 2014-02-05 北京奇虎科技有限公司 Virus scanning method and device for multi-core device
CN104317955A (en) * 2014-11-13 2015-01-28 北京奇虎科技有限公司 File scanning method and device for storage space of mobile terminal
CN104317955B (en) * 2014-11-13 2017-10-13 北京奇虎科技有限公司 File scanning method and device in a kind of mobile terminal memory space
CN108133154A (en) * 2017-12-25 2018-06-08 北京奇安信科技有限公司 A kind of method and device stored to file

Also Published As

Publication number Publication date
CN102346827B (en) 2014-11-05


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C53 Correction of patent of invention or patent application
CB03 Change of inventor or designer information

Inventor after: Zhou Hongyi

Inventor after: Fu Min

Inventor after: Zou Guiqiang

Inventor before: Fu Min

Inventor before: Zou Guiqiang

COR Change of bibliographic data

Free format text: CORRECT: INVENTOR; FROM: FU MIN ZOU GUIQIANG TO: ZHOU HONGYI FU MIN ZOU GUIQIANG

C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20211202

Address after: 300450 No. 9-3-401, No. 39, Gaoxin 6th Road, Binhai Science Park, high tech Zone, Binhai New Area, Tianjin

Patentee after: 3600 Technology Group Co.,Ltd.

Address before: The 4 layer 100025 unit of Beijing city Chaoyang District Jiuxianqiao Road No. 14 Building C

Patentee before: Qizhi software (Beijing) Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20230711

Address after: 1765, floor 17, floor 15, building 3, No. 10 Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: Beijing Hongxiang Technical Service Co.,Ltd.

Address before: 300450 No. 9-3-401, No. 39, Gaoxin 6th Road, Binhai Science Park, high tech Zone, Binhai New Area, Tianjin

Patentee before: 3600 Technology Group Co.,Ltd.

CP03 Change of name, title or address

Address after: 1765, floor 17, floor 15, building 3, No. 10 Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: Beijing 360 Zhiling Technology Co.,Ltd.

Country or region after: China

Address before: 1765, floor 17, floor 15, building 3, No. 10 Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee before: Beijing Hongxiang Technical Service Co.,Ltd.

Country or region before: China