CN102945348B - Fileinfo collection method and device - Google Patents

Title: File information collection method and device
Publication number: CN102945348B
Application number: CN201210401574.0A
Authority: CN (China)
Other versions: CN102945348A
Original language: Chinese (zh)
Legal status: Active
Inventors: 邓振波, 李宇, 温铭, 张家柱
Original assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Current assignee: Qianxin Technology Group Co Ltd
Prior art keywords: file, terminal, unknown, detected, fileinfo
Classification: Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Events
  • Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
  • Priority to CN201210401574.0A
  • Publication of CN102945348A
  • Application granted
  • Publication of CN102945348B
  • Legal status: Active

Abstract

This application provides a file information collection method and device for unknown files. The method includes: an enterprise-intranet control server obtains the file feature of a file to be detected from a terminal, where the file to be detected is a file newly added to the terminal and/or a file modified on the terminal; the control server judges whether the file feature of the file to be detected matches the file features of normal executable files and the file features of virus files stored in the file feature database of the control server; if it does not match, the control server determines that the file to be detected is an unknown file; the control server returns to the terminal a message that the file to be detected is an unknown file and notifies the terminal to upload the file information of the unknown file; and the control server receives and collects the file information of the unknown file uploaded by the terminal. The application improves system security and the efficiency of detecting and handling unknown files.

Description

Fileinfo collection method and device
Technical field
The application relates to the field of computer technology, and in particular to a file information collection method and device for unknown files.
Background technology
Antivirus software, also called anti-virus software, is a class of software for eliminating computer viruses, Trojan horses and malware. Antivirus software generally integrates monitoring and identification, virus scanning and removal, and automatic update functions; some antivirus software also provides functions such as data recovery. It is an important component of a computer defense system (which comprises antivirus software, firewalls, programs for removing Trojan horses and other malware, intrusion prevention systems and so on).
At present, when antivirus software is used for system defense and virus scanning, on the one hand, the antivirus software matches the file to be scanned against the virus features in the virus signature database it stores: if there is a match, the file is regarded as a virus file and virus removal is carried out; if there is no match, the file is regarded as a normal file and is allowed through. On the other hand, this scanning is performed only locally.
However, a suspicious unknown file does not belong to the virus files in the virus database of existing antivirus software, so the database holds no corresponding virus feature and the existing antivirus software lets the file through. Existing antivirus software therefore cannot effectively detect suspicious unknown files and cannot defend against them effectively. Moreover, purely local scanning is limited: its result cannot be used to influence virus scanning on other machines.
Summary of the invention
In view of the fact that existing antivirus software cannot effectively detect and defend against unknown files, and that the effect of a scanning result is limited, the present invention is proposed to provide a file information collection method and device that overcome, or at least partly solve, the above problems.
According to one aspect of the present invention, a file information collection method is provided, including: an enterprise-intranet control server obtains the file feature of a file to be detected from a terminal, where the file to be detected is a file newly added to the terminal and/or a file modified on the terminal; the control server judges whether the file feature of the file to be detected matches the file features of normal executable files and the file features of virus files stored in the file feature database of the control server; if the file feature of the file to be detected matches neither the file features of normal executable files nor the file features of virus files, the control server determines that the file to be detected is an unknown file; the control server returns to the terminal a message that the file to be detected is an unknown file and notifies the terminal to upload the file information of the unknown file; and the control server receives and collects the file information of the unknown file uploaded by the terminal.
Optionally, the file feature of the file to be detected is the MD5 value obtained by applying the MD5 algorithm to the content of the file to be detected. Before the step in which the enterprise-intranet control server obtains the file feature of the file to be detected from the terminal, the method also includes: the control server obtains the file content of normal executable files and the file content of virus files; applies the MD5 algorithm to the file content of the normal executable files and to the file content of the virus files respectively, obtaining the MD5 values of the normal executable files and the MD5 values of the virus files; and saves the MD5 values of the normal executable files as the file features of normal executable files and the MD5 values of the virus files as the file features of virus files.
Optionally, the step in which the control server obtains the file feature of the file to be detected from the terminal includes: the control server receives the MD5 value of the file to be detected, encapsulated by the terminal using the HTTP protocol.
Optionally, the step in which the control server receives and collects the file information of the unknown file uploaded by the terminal includes: the control server receives and collects the file information of the unknown file uploaded directly by the terminal in the background, where the file information of the unknown file is encapsulated using the HTTP protocol.
Optionally, after the step in which the control server receives and collects the file information of the unknown file uploaded by the terminal, the method also includes: the control server analyzes the file information of the unknown file and determines whether the unknown file is a safe file; if it is determined that the unknown file is not a safe file, the MD5 value of the unknown file is recorded and the unknown file is forbidden to run.
Optionally, the step in which the control server receives and collects the file information of the unknown file uploaded by the terminal includes: the control server receives and collects the MD5 value of the unknown file uploaded by the terminal together with at least one of the following: the digital signature of the unknown file, its file version number, its file name, the product name and product version it belongs to, and the copyright information of the company it belongs to.
Optionally, the file newly added to the terminal is a current new file that the terminal has confirmed, through the enterprise intranet, does not exist on any terminal of the enterprise intranet; the modified file is a current modified file that the terminal has confirmed, through the enterprise intranet, does not exist on any terminal of the enterprise intranet.
According to another aspect of the present invention, a file information collection device is provided, arranged at the control server of an enterprise intranet. The device includes: an acquisition module, for obtaining the file feature of a file to be detected from a terminal of the enterprise intranet, where the file to be detected is a file newly added to the terminal and/or a file modified on the terminal; a judgment module, for judging whether the file feature of the file to be detected matches the file features of normal executable files and the file features of virus files stored in the file feature database of the control server; a determination module, for determining that the file to be detected is an unknown file if the judgment module finds that its file feature matches neither the file features of normal executable files nor the file features of virus files; and a collection module, for returning to the terminal a message that the file to be detected is an unknown file, notifying the terminal to upload the file information of the unknown file, and receiving and collecting the file information of the unknown file uploaded by the terminal.
Optionally, the file feature of the file to be detected is the MD5 value obtained by applying the MD5 algorithm to the content of the file to be detected, and the device also includes a saving module, for obtaining, before the acquisition module obtains the file feature of the file to be detected from the terminal, the file content of normal executable files and the file content of virus files; applying the MD5 algorithm to each of them to obtain the MD5 values of the normal executable files and the MD5 values of the virus files; and saving the MD5 values of the normal executable files as the file features of normal executable files and the MD5 values of the virus files as the file features of virus files.
Optionally, the acquisition module is used to obtain from the terminal of the enterprise intranet the MD5 value of the file to be detected, encapsulated by the terminal using the HTTP protocol.
Optionally, the collection module is used to return to the terminal a message that the file to be detected is an unknown file, to notify the terminal to upload the file information of the unknown file, and to receive and collect the file information of the unknown file uploaded directly by the terminal in the background, where the file information of the unknown file is encapsulated using the HTTP protocol.
Optionally, the device also includes an analysis module, for analyzing the file information of the unknown file after the collection module has received and collected it, and determining whether the unknown file is a safe file; if it is determined that the unknown file is not a safe file, the MD5 value of the unknown file is recorded and the unknown file is forbidden to run.
Optionally, the file information of the unknown file collected by the collection module includes the MD5 value of the unknown file and at least one of the following: the digital signature of the unknown file, its file version number, its file name, the product name and product version it belongs to, and the copyright information of the company it belongs to.
Optionally, the file newly added to the terminal is a current new file that the terminal has confirmed, through the enterprise intranet, does not exist on any terminal of the enterprise intranet; the modified file is a current modified file that the terminal has confirmed, through the enterprise intranet, does not exist on any terminal of the enterprise intranet.
According to the file information collection scheme of the present invention, in addition to the file features of virus files (i.e. virus features), the control server of the enterprise intranet also saves the file features of normal executable files. With these file features, when a terminal of the enterprise intranet has a newly added or modified file, that file can be detected: when the file feature reported by the terminal matches none of the file features saved on the control server, the file to be detected is an unknown file, and the control server notifies the terminal and requires it to report the file information of that file, which the control server then receives and collects for the subsequent identification and judgment of unknown files on other terminals. An unknown file may be a normal file, but it may equally be a file that harms the system (such as a mutated virus file); if, as in existing schemes, the information of unknown files is not collected and unknown files are therefore not controlled, the system and the user may be harmed. With the scheme of the present invention, collecting the file information of unknown files makes it possible to understand each unknown file, judge its nature, and manage and defend against it in time, which greatly improves the security of all terminals in the whole system and reduces security risks. Moreover, the control server can use the collected file information of an unknown file when detecting and judging files to be detected on other terminals, so that the handling of one terminal's unknown file benefits the whole system, further improving system security and the efficiency of unknown file detection and handling.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be better understood and practiced according to the content of the description, and that the above and other objects, features and advantages of the present invention may become more apparent, specific embodiments of the present invention are set out below.
Accompanying drawing explanation
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the detailed description of the preferred embodiments below. The drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the present invention. The same reference numerals denote the same parts throughout the drawings. In the drawings:
Fig. 1 is a flow chart of the steps of a file information collection method according to embodiment one of the present invention;
Fig. 2 is a flow chart of the steps of a file information collection method according to embodiment two of the present invention;
Fig. 3 is a flow chart of the steps of a file information collection method according to embodiment three of the present invention;
Fig. 4 is a structural block diagram of a file information collection device according to embodiment four of the present invention.
Detailed description of the invention
Exemplary embodiments of the disclosure are described more fully below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure can be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and its scope can be fully conveyed to those skilled in the art.
Embodiment one
Referring to Fig. 1, a flow chart of the steps of a file information collection method according to embodiment one of the present invention is shown.
The file information collection method of this embodiment includes the following steps:
Step S102: the control server of the enterprise intranet obtains the file feature of a file to be detected from a terminal of the enterprise intranet.
Here, the file to be detected is a file newly added to the terminal and/or a file modified on the terminal.
A file newly added to the terminal may be a file that is new only to this machine, and it may also happen to be a file that none of the other terminals in the enterprise intranet has; it may also be a file that is new to the whole enterprise intranet, i.e. a current new file that the terminal has confirmed, through the enterprise intranet, does not exist on any terminal of the enterprise intranet. Likewise, a modified file may be a file whose modification is limited to this machine, and the modified file may also happen to be absent from all other terminals in the enterprise intranet; it may also be a file that is modified with respect to the whole enterprise intranet, i.e. a current modified file that the terminal has confirmed, through the enterprise intranet, does not exist on any terminal of the enterprise intranet. Whether a corresponding file exists on other terminals can be determined by exchanging information between terminals. In this way, for the enterprise intranet as a whole, the amount of file data to be detected and the amount of information exchanged for detection are greatly reduced, and detection efficiency is improved.
When a terminal has a newly added file or a file is modified, the terminal automatically reports the file feature of the newly added or modified file to the control server, which triggers the control server to obtain the file feature of the terminal's file to be detected. For example, when a file on the terminal is modified, the control server is triggered to obtain the file feature and carry out the subsequent unknown file detection and file information collection; or, when a file is copied to the terminal from a third-party device such as a USB flash drive, the control server is triggered to obtain the file feature and carry out the subsequent unknown file detection and file information collection; or, when the terminal is first installed, the control server is triggered to obtain the file features of all files installed on the terminal and carry out the subsequent unknown file detection and file information collection. The invention is not limited to these cases; in practice, those skilled in the art may also set suitable rules so that, when a set rule is satisfied, the file feature of the file to be detected is reported by the terminal or actively obtained by the server.
A file feature is characteristic information of a file that distinguishes the file from other files and can serve as a unique identifier of the file, for example an MD5 value calculated from file information, the file's digital signature, the file's version number, the product name and product version the file belongs to, the name and copyright information of the company the file belongs to, or even the whole file.
Step S104: the control server judges whether the file feature of the file to be detected matches the file features of normal executable files and the file features of virus files stored in the file feature database of the control server.
The file feature database of the control server stores both the file features of normal executable files and the file features of virus files (i.e. virus features). These stored file features may be extracted by analyzing a large amount of collected file data, or may be collected and stored in any other suitable way.
Step S106: if the file feature of the file to be detected matches neither the file features of normal executable files nor the file features of virus files, the control server determines that the file to be detected is an unknown file.
Step S108: the control server returns to the terminal a message that the file to be detected is an unknown file, and notifies the terminal to upload the file information of the unknown file.
Step S110: the control server receives and collects the file information of the unknown file uploaded by the terminal.
Through this embodiment, in addition to the file features of virus files (i.e. virus features), the control server also saves the file features of normal executable files. With these file features, when a terminal of the enterprise intranet has a newly added or modified file, that file can be detected: when the file feature reported by the terminal matches none of the file features saved on the control server, the file to be detected is an unknown file, and the control server notifies the terminal and requires it to report the file information of that file, which the control server then receives and collects for the subsequent identification and judgment of unknown files on other terminals. An unknown file may be a normal file, but it may equally be a file that harms the system (such as a mutated virus file); if, as in existing schemes, the information of unknown files is not collected and unknown files are therefore not controlled, the system and the user may be harmed. With the scheme of this embodiment, collecting the file information of unknown files makes it possible to understand each unknown file, judge its nature, and manage and defend against it in time, which greatly improves the security of all terminals in the whole system and reduces security risks. Moreover, the control server can use the collected file information of an unknown file when detecting and judging files to be detected on other terminals, so that the handling of one terminal's unknown file benefits the whole system, further improving system security and the efficiency of unknown file detection and handling.
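The following is an added example, not code from the patent or from the applicant, of the control-server side of steps S102 to S110 in Python. The sample file contents, the `ControlServer` class and its method names are constructed for this example; so is the rule that a second terminal reporting an unknown file whose information has already been collected is not asked to upload again, and the `finish_analysis` step that turns a completed analysis into a feature the database can answer from for every terminal afterwards.

```python
import hashlib

# Constructed sample file contents standing in for normal executables and
# virus files; in practice these would be real binaries the server has analysed.
NORMAL_FILES = {
    "editor.exe": b"MZ\x90\x00constructed-normal-editor",
    "calc.exe": b"MZ\x90\x00constructed-normal-calculator",
}
VIRUS_FILES = {
    "dropper.exe": b"MZ\x90\x00constructed-known-virus",
}


def md5_of_content(content: bytes) -> str:
    """File feature as used on the page: MD5 applied to the file content."""
    return hashlib.md5(content).hexdigest()


class ControlServer:
    """Control-server side of the scheme (steps S102 to S110); hypothetical class."""

    def __init__(self, normal_files, virus_files):
        # File feature database: one set of MD5 values per category.
        self.normal_features = {md5_of_content(c) for c in normal_files.values()}
        self.virus_features = {md5_of_content(c) for c in virus_files.values()}
        # File information collected for unknown files, keyed by MD5.
        self.unknown_files = {}

    def classify(self, feature: str) -> str:
        """S104/S106: match the reported feature against both feature sets.
        A feature in neither set makes the file an unknown file."""
        if feature in self.virus_features:
            return "virus"
        if feature in self.normal_features:
            return "normal"
        return "unknown"

    def handle_query(self, terminal_id: str, feature: str) -> dict:
        """S102/S108: receive a terminal's feature report and build the reply.
        Only an unknown file whose information has not been collected yet
        triggers an upload notification (assumption of this example: once one
        terminal has uploaded the information, other terminals are not asked)."""
        verdict = self.classify(feature)
        return {
            "terminal": terminal_id,
            "md5": feature,
            "verdict": verdict,
            "upload_file_info": verdict == "unknown" and feature not in self.unknown_files,
        }

    def collect(self, terminal_id: str, file_info: dict) -> bool:
        """S110: receive and store the file information a terminal uploaded.
        Uploads for files that are not unknown are rejected, so a terminal
        cannot attach metadata to a hash the server already has a verdict for."""
        feature = file_info.get("md5", "")
        if self.classify(feature) != "unknown":
            return False
        record = self.unknown_files.setdefault(
            feature, {"info": dict(file_info), "reporters": set()}
        )
        record["reporters"].add(terminal_id)
        return True

    def finish_analysis(self, feature: str, is_safe: bool) -> str:
        """Analysis of the collected information (the optional step after S110).
        An unsafe file has its MD5 recorded as a virus feature; treating a safe
        one as a normal feature is an assumption of this example. Either way,
        later queries from any terminal resolve without another upload."""
        if feature not in self.unknown_files:
            raise KeyError(f"no collected information for {feature}")
        target = self.normal_features if is_safe else self.virus_features
        target.add(feature)
        return self.classify(feature)


if __name__ == "__main__":
    server = ControlServer(NORMAL_FILES, VIRUS_FILES)
    new_md5 = md5_of_content(b"MZ\x90\x00constructed-never-seen")
    print(server.handle_query("host-a", new_md5))
    server.collect("host-a", {"md5": new_md5, "file_name": "tool.exe"})
    print(server.handle_query("host-b", new_md5))
    print(server.finish_analysis(new_md5, is_safe=False))
```

The `collect` check matters from a defender's point of view: the feature database is an allowlist and a blocklist at once, and a terminal that could upload "file information" for a hash already classified as normal would be able to pollute the record the administrator later reviews.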
It should be noted that the file information collection scheme of the present invention is applicable not only to the enterprise intranet scenario but also to the standalone machine scenario. Embodiment one explains the scheme from the enterprise intranet scenario; embodiment two below explains it from the standalone machine scenario.
Embodiment two
Referring to Fig. 2, a flow chart of the steps of a file information collection method according to embodiment two of the present invention is shown.
This embodiment explains the file information collection method of the present invention using the local antivirus software of a standalone machine as an example.
The file information collection method of this embodiment includes the following steps:
Step S202: the local antivirus software of an enterprise intranet terminal obtains the file features of normal executable files and the file features of virus files, and saves them to the file feature database of the local antivirus software.
The enterprise intranet terminal may obtain the file features of normal executable files and virus files from the control server of the enterprise intranet; they may also be file features carried by the software itself, or file features generated by collecting and analyzing files.
In this embodiment, the file features of normal executable files and the file features of virus files are all in the form of MD5 values. An MD5 value carries little information, is easy to compare and identify, and has a low collision rate, so it can effectively distinguish file features. Of course, other suitable file feature forms are equally applicable, such as values computed by SHA algorithms such as SHA-1.
Step S204: the local antivirus software obtains the file feature of a file to be detected.
This step is triggered when the enterprise intranet terminal has a newly added file and/or a file is modified. The file to be detected in this embodiment is a file newly added to the terminal and/or a file modified on the terminal.
In this embodiment, the file feature of the file to be detected has the same form as the stored file features of normal executable files and virus files, namely an MD5 value.
It should be noted that when generating the MD5 value, those skilled in the art may suitably choose the input to MD5, such as the file name, file size, characteristic words, or file content. In this embodiment, the MD5 value of the file to be detected, as well as the MD5 values of normal executable files and virus files, are all obtained by applying the MD5 algorithm to the file content. Applying the MD5 algorithm to the file content represents the file's feature more effectively. In addition, the algorithm for generating the file feature is not limited to MD5; other suitable algorithms may be used, such as SHA algorithms like SHA-1.
Step S206: the local antivirus software judges whether the file feature of the file to be detected matches the file features of normal executable files and the file features of virus files stored in the file feature database; if it matches, step S208 is performed; if it does not match, step S210 is performed.
That is, it judges whether the MD5 value of the file to be detected is consistent with the MD5 value of a normal executable file or the MD5 value of a virus file.
Step S208: according to the matching result, the file to be detected is determined to be a normal executable file or a virus file; if it is a normal executable file, it is allowed through; if it is a virus file, virus removal is carried out, and this flow ends.
Step S210: the local antivirus software determines that the file to be detected is an unknown file and collects the file information of the unknown file.
For example, it collects the MD5 value of the unknown file and at least one of the following: the digital signature of the unknown file, its file version number, its file name, the product name and product version it belongs to, and the copyright information of the company it belongs to.
Step S212: the local antivirus software analyzes the file information of the unknown file and determines whether the unknown file is a safe file; if it is determined that the unknown file is not a safe file, the MD5 value of the unknown file is recorded and the unknown file is forbidden to run; if it is determined that the unknown file is a safe file, it is allowed through.
Through this embodiment, the local antivirus software achieves detection of and defense against unknown files, reducing the security risk of the local system.
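An added example, not code from the patent, of the local feature generation in steps S204 and S206 and of the note under S204 about what is fed to the hash. The feature is computed over the file content read from disk, so renaming the file leaves the feature unchanged while changing a single byte changes it; `feature_of_file` takes the algorithm name as a parameter so the SHA-1 alternative the text mentions is used the same way. The function names, the `collect_file_info` field set and the constructed sample file are assumptions of this example; the digital signature, version and product fields the page lists are left as placeholders because filling them requires parsing the executable format, which this example does not do. MD5 is used here because the page uses it; MD5 collisions are practical today, so a current implementation would choose SHA-256, which `hashlib.new("sha256")` provides the same way.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # read large files in chunks rather than loading them whole


def feature_of_file(path: str, algorithm: str = "md5") -> str:
    """File feature over the file *content* (not its name or size), as in S204.
    `algorithm` is any name hashlib knows ("md5", "sha1", "sha256", ...)."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def local_verdict(path: str, normal_features, virus_features, algorithm="md5") -> str:
    """S206: compare against the local feature database; a feature matching
    neither set means the file is an unknown file."""
    feature = feature_of_file(path, algorithm)
    if feature in virus_features:
        return "virus"
    if feature in normal_features:
        return "normal"
    return "unknown"


def collect_file_info(path: str) -> dict:
    """S210: gather the file information of an unknown file. Only what the
    filesystem provides is filled in; the executable-header fields the page
    lists are placeholders (assumption of this example)."""
    st = os.stat(path)
    return {
        "md5": feature_of_file(path, "md5"),
        "file_name": os.path.basename(path),
        "file_size": st.st_size,
        "digital_signature": None,
        "file_version": None,
        "product_name": None,
        "product_version": None,
        "company_copyright": None,
    }


def demo_rename_and_modify() -> dict:
    """Write a constructed file, rename it, then change one byte, and report
    how the content-based feature behaves at each step."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "tool.exe")
    with open(original, "wb") as fh:
        fh.write(b"MZ\x90\x00constructed-sample-binary")
    before = feature_of_file(original)

    renamed = os.path.join(workdir, "renamed-tool.exe")
    os.rename(original, renamed)          # name changes, content does not
    after_rename = feature_of_file(renamed)

    with open(renamed, "ab") as fh:
        fh.write(b"\x00")                  # one appended byte changes the content
    after_modify = feature_of_file(renamed)

    return {
        "rename_keeps_feature": before == after_rename,
        "modify_changes_feature": before != after_modify,
        "sha1_feature_length": len(feature_of_file(renamed, "sha1")),
        "verdict": local_verdict(renamed, set(), set()),
        "info": collect_file_info(renamed),
    }


if __name__ == "__main__":
    print(demo_rename_and_modify())
```

Hashing the content rather than the name is what makes the feature database useful across terminals: the same binary copied under a different name on another machine still resolves to the same feature, and the tiniest change produces a file the database has never seen, which is exactly the case the scheme routes to information collection.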
Embodiment three
Referring to Fig. 3, a flow chart of the steps of a file information collection method according to embodiment three of the present invention is shown.
This embodiment is again the file information collection scheme in the enterprise intranet scenario; it explains the file information collection method of the present invention using the antivirus software at the control server of the enterprise intranet as an example.
The file information collection method of this embodiment includes the following steps:
Step S302: the control server of the enterprise intranet obtains the file content of normal executable files and the file content of virus files.
Step S304: the control server applies the MD5 algorithm to the file content of the normal executable files and to the file content of the virus files respectively, obtaining the MD5 values of the normal executable files and the MD5 values of the virus files.
Step S306: the control server saves the MD5 values of the normal executable files and the MD5 values of the virus files to the file feature database of the antivirus software on the control server, as the file features of normal executable files and the file features of virus files respectively.
Step S308: a terminal of the enterprise intranet finds a file to be detected, obtains the file content of the file to be detected, applies the MD5 algorithm to that file content and obtains the MD5 value of the file to be detected.
Here, the file to be detected is a file newly added to the terminal and/or a file modified on the terminal.
Step S310: the terminal encapsulates the MD5 value of the file to be detected into a message using the HTTP protocol and sends it to the control server.
For example, the terminal sends a request to the control server with the MD5 value of the file to be detected as the content of an HTTP POST.
Step S312: the control server receives the message encapsulated by the terminal using the HTTP protocol and obtains the MD5 value of the file to be detected from the message.
Step S314: the control server judges whether the MD5 value of the file to be detected matches the MD5 values of normal executable files and the MD5 values of virus files stored in the file feature database; if it matches, step S316 is performed; if it does not match, step S318 is performed.
Step S316: according to the matching result, the control server determines that the file to be detected is a normal executable file or a virus file, returns to the terminal a message that the file to be detected is a normal executable file or a virus file, and this flow ends.
After receiving the message returned by the control server, the terminal can carry out subsequent processing according to the message content, such as removing the virus or executing the file to be detected.
Step S318: the control server determines that the file to be detected is an unknown file, returns to the terminal a message that the file to be detected is an unknown file, and notifies the terminal to upload the file information of the unknown file.
Step S320: the terminal encapsulates the file information of the unknown file using the HTTP protocol and uploads it directly to the control server in the background.
For example, the terminal uploads the MD5 value of the unknown file and at least one of the following: the digital signature of the unknown file, its file version number, its file name, the product name and product version it belongs to, and the copyright information of the company it belongs to.
In this embodiment, the terminal sends the MD5 value of the unknown file together with the file's digital signature, file name, file version number, product name, product version and company copyright information to the control server as the content of an HTTP POST.
Step S322: the control server receives and saves the file information of the unknown file uploaded directly by the terminal in the background, and returns an upload success message to the terminal.
Step S324: the control server analyzes the file information of the unknown file and determines whether the unknown file is a safe file; if it is determined to be a safe file, the control server notifies the terminal to allow the unknown file through; if it is determined not to be a safe file, the control server records the MD5 value of the unknown file and notifies the terminal to forbid the unknown file from running.
For example, with the user's knowledge, a USB flash drive is inserted into the computer where the terminal is located and a file is copied to the intranet terminal. At this point the terminal sends the file feature to the control server for query; when the control server judges the file to be an unknown file it issues an upload notification to the terminal; the terminal then sends the file information of the file to the control server, and the control server records that file information for the administrator's reference. For instance, this implements the function of a 360 private cloud. A 360 private cloud needs to build a private database, which is used to control the clearance and disabling of all intranet files; by analyzing file information it can be determined whether a file is to be allowed through or forbidden.
Through this embodiment, a client/server (C/S) architecture of antivirus software terminals and a control server based on the enterprise intranet is achieved: the terminal queries about a file through the HTTP protocol, the control server issues an upload notification for an unknown file according to the query result, and the terminal sends the file information of the unknown file in the next HTTP request. With the scheme of this embodiment, an antivirus software terminal on the enterprise intranet can send the file feature (for example the MD5 value) of a monitored file to the control server for verification; when the control server's verification result is that the file is neither a normal file nor a virus, the file is an unknown file, the control server notifies the antivirus software terminal to submit file information, and the submitted file information is saved on the control server. The control server can direct all terminals to upload files as needed, and can also notify terminals to actively scan all files in the background and submit unknown files to the control server. Compared with traditional enterprise-level antivirus software, which does not manage or control unknown files at all, intranet security risk management and evidence collection become relatively easy.
Embodiment four
With reference to Fig. 4, a structural block diagram of a file information collection device according to embodiment four of the present invention is shown.
The file information collection device of the present embodiment is arranged at the control server end of the corporate intranet. The device includes: an acquisition module 402, configured to obtain the file characteristic of a file to be detected from a terminal of the corporate intranet, where the file to be detected is a file newly added in the terminal and/or a file that has been modified; a judging module 404, configured to judge whether the file characteristic of the file to be detected matches either the file characteristic of a normal executable file or the file characteristic of a virus file stored in the file feature database in the control server; a determining module 406, configured to determine that the file to be detected is an unknown file if the judging module 404 judges that the file characteristic of the file to be detected matches neither the file characteristic of a normal executable file nor the file characteristic of a virus file; and a collection module 408, configured to return to the terminal a message stating that the file to be detected is an unknown file, notify the terminal to upload the file information of the unknown file, and receive and collect the file information of the unknown file uploaded by the terminal.
Preferably, the file characteristic of the file to be detected is the MD5 value obtained by applying the MD5 algorithm to the file content of the file to be detected. The file information collection device of the present embodiment further includes a preserving module 410, configured to, before the acquisition module 402 obtains the file characteristic of the file to be detected from the terminal, obtain the file content of the normal executable file and the file content of the virus file; apply the MD5 algorithm to the file content of the normal executable file and to the file content of the virus file respectively, obtaining the MD5 value of the normal executable file and the MD5 value of the virus file; and save the MD5 value of the normal executable file as the file characteristic of the normal executable file and the MD5 value of the virus file as the file characteristic of the virus file.
Preferably, the acquisition module 402 is configured to obtain, from the terminal of the corporate intranet, the MD5 value of the file to be detected that the terminal has encapsulated using the HTTP protocol.
Preferably, the collection module 408 is configured to return to the terminal a message stating that the file to be detected is an unknown file and to notify the terminal to upload the file information of the unknown file; and to receive and collect the file information of the unknown file uploaded directly by the terminal through the terminal background, where the file information of the unknown file is encapsulated using the HTTP protocol.
Preferably, the file information collection device of the present embodiment further includes an analysis module 412, configured to, after the collection module 408 has collected the file information of the unknown file, analyze the file information of the unknown file to determine whether the unknown file is a secure file; if it is determined that the unknown file is not a secure file, record the MD5 value of the unknown file and forbid running it.
Preferably, the file information of the unknown file collected by the collection module 408 includes the MD5 value of the unknown file and at least one of the following items: the digital signature of the unknown file, its file version number, its file name, the product name the unknown file belongs to, the product version, and the copyright information of the company the unknown file belongs to.
Preferably, a file newly added in a terminal is a new file that, as confirmed by the corporate intranet, does not currently exist in any of the terminals of the corporate intranet; a modified file is a modified file that, as confirmed by the corporate intranet, does not currently exist in any of the terminals of the corporate intranet.
The file information collection device of the present embodiment is used to implement the control-server-side file information collection method of the foregoing method embodiments and has the beneficial effects of the corresponding method embodiments, which are not repeated here.
The file information collection scheme for unknown files provided by the present invention effectively solves the problem that existing antivirus software cannot effectively detect and defend against unknown files, and realizes the detection of and defense against unknown files. In addition, with the mechanism by which distributed antivirus software terminals upload all unknown files in the enterprise to the control server, further applications based on this function can be realized, such as file transmission forensics, automatic identification systems for unknown files, and security assessment systems based on the proportion of unknown files across the network and the number of unknown files on each computer.
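As an added example (not code from the patent or from its assignee), the following Python models the control-server side of the flow in steps S314 to S324 and of modules 402 to 412: the MD5 lookup against the normal and virus feature tables, acceptance of the HTTP POST body carrying the unknown file's information, and the release-or-forbid decision of the analysis step. The JSON body layout, the field names, the hashes and file details are assumptions constructed for the example; the patent only fixes that the information is sent as the content of an HTTP POST.

```python
"""Added example, not the patent's own code: a minimal model of the control
server side of the unknown-file collection flow (steps S314-S324, modules
402-412). All MD5 values and file details are constructed sample data."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict

# Information a terminal may send besides the MD5 (step S320, claim 6).
# The key names are an assumption of this example.
OPTIONAL_INFO_FIELDS = (
    "digital_signature", "file_version", "file_name",
    "product_name", "product_version", "company_copyright",
)
HEXDIGITS = set("0123456789abcdef")


def md5_of(content: bytes) -> str:
    """The file characteristic the patent uses: MD5 of the file content."""
    return hashlib.md5(content).hexdigest()


def build_upload_body(md5: str, **info) -> str:
    """Terminal side of step S320: encapsulate the file info as a POST body.
    JSON is an assumption; the patent only fixes that HTTP POST is used."""
    body = {"md5": md5}
    body.update({k: v for k, v in info.items() if k in OPTIONAL_INFO_FIELDS})
    return json.dumps(body)


@dataclass
class ControlServer:
    """Feature database (normal/virus MD5s) plus the unknown-file store."""
    normal_md5: set = field(default_factory=set)
    virus_md5: set = field(default_factory=set)
    unknown_info: Dict[str, dict] = field(default_factory=dict)
    blocked_md5: set = field(default_factory=set)

    def load_features(self, normal_files, virus_files) -> None:
        """Preserving module 410: hash reference contents into the database."""
        self.normal_md5 = {md5_of(c) for c in normal_files}
        self.virus_md5 = {md5_of(c) for c in virus_files}

    def query(self, md5: str) -> dict:
        """Steps S314-S318: exact-match lookup of the terminal's MD5.
        The virus table is checked first so that a hash present in both
        tables (a database error) fails closed instead of being released."""
        md5 = md5.lower()
        if md5 in self.virus_md5:
            return {"md5": md5, "verdict": "virus", "upload_info": False}
        if md5 in self.normal_md5:
            return {"md5": md5, "verdict": "normal", "upload_info": False}
        return {"md5": md5, "verdict": "unknown", "upload_info": True}

    def collect_info(self, body: str) -> dict:
        """Step S322: validate and store the file info posted by the terminal."""
        try:
            info = json.loads(body)
        except ValueError:
            return {"status": "error", "reason": "malformed body"}
        if not isinstance(info, dict):
            return {"status": "error", "reason": "malformed body"}
        md5 = str(info.get("md5", "")).lower()
        if len(md5) != 32 or not set(md5) <= HEXDIGITS:
            return {"status": "error", "reason": "bad md5"}
        # Only files the server itself flagged as unknown may be submitted.
        if self.query(md5)["verdict"] != "unknown":
            return {"status": "error", "reason": "not an unknown file"}
        extra = {k: info[k] for k in OPTIONAL_INFO_FIELDS if k in info}
        if not extra:
            return {"status": "error", "reason": "no file information"}
        self.unknown_info[md5] = extra
        return {"status": "ok", "md5": md5}

    def analyze(self, md5: str, is_safe: bool) -> dict:
        """Step S324: apply the analysis verdict. How safety is decided is
        left open by the patent (an administrator's review in its example),
        so the verdict is passed in by the caller here."""
        md5 = md5.lower()
        if md5 not in self.unknown_info:
            return {"md5": md5, "action": "error", "reason": "no record"}
        if is_safe:
            return {"md5": md5, "action": "release"}
        self.blocked_md5.add(md5)   # record the MD5 and forbid running
        return {"md5": md5, "action": "forbid"}
```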
The algorithms provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct a system embodying the present invention will be apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and the above description of a specific language is given in order to disclose the best mode of the present invention.
In the description provided herein, numerous specific details are set forth. It should be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid in understanding one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. Modules, units or components of an embodiment may be combined into one module, unit or component, and may additionally be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that, although some embodiments described herein include some features included in other embodiments but not other features, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the file information collection scheme for unknown files according to embodiments of the present invention. The present invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the methods described herein. Such a program implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order; these words may be interpreted as names.

Claims (12)

1. A file information collection method, characterized in that it comprises:
when a new file is added in a terminal that, as confirmed by the corporate intranet, does not currently exist in any of the terminals of the corporate intranet, and/or when a file in the terminal is modified and the corporate intranet confirms that the modified file does not currently exist in any of the terminals of the corporate intranet, an enterprise intranet control server obtains the file characteristic of a file to be detected from the terminal, wherein the file to be detected comprises a file newly added in or modified in the terminal that, as confirmed by the corporate intranet, does not currently exist in any of the terminals of the corporate intranet; whether a corresponding file exists in other terminals is determined through information exchange between terminals;
the control server judges whether the file characteristic of the file to be detected matches either the file characteristic of a normal executable file or the file characteristic of a virus file stored in a file feature database in the control server;
if the file characteristic of the file to be detected matches neither the file characteristic of the normal executable file nor the file characteristic of the virus file, the control server determines that the file to be detected is an unknown file;
the control server returns to the terminal a message stating that the file to be detected is an unknown file, and notifies the terminal to upload the file information of the unknown file;
the control server receives and collects the file information of the unknown file uploaded by the terminal.
2. The method according to claim 1, characterized in that the file characteristic of the file to be detected is the MD5 value obtained by applying the MD5 algorithm to the file content of the file to be detected;
before the step in which the enterprise intranet control server obtains the file characteristic of the file to be detected from the terminal, the method further comprises: the control server obtains the file content of the normal executable file and the file content of the virus file; applies the MD5 algorithm to the file content of the normal executable file and to the file content of the virus file respectively, obtaining the MD5 value of the normal executable file and the MD5 value of the virus file; and saves the MD5 value of the normal executable file as the file characteristic of the normal executable file and the MD5 value of the virus file as the file characteristic of the virus file.
3. The method according to claim 2, characterized in that the step in which the control server obtains the file characteristic of the file to be detected from the terminal comprises:
the control server receives the MD5 value of the file to be detected that the terminal has encapsulated using the HTTP protocol.
4. The method according to claim 3, characterized in that the step in which the control server receives and collects the file information of the unknown file uploaded by the terminal comprises:
the control server receives and collects the file information of the unknown file uploaded directly by the terminal through the terminal background, wherein the file information of the unknown file is encapsulated using the HTTP protocol.
5. The method according to claim 2, characterized in that, after the step in which the control server receives and collects the file information of the unknown file uploaded by the terminal, the method further comprises:
the control server analyzes the file information of the unknown file to determine whether the unknown file is a secure file;
if it is determined that the unknown file is not a secure file, the MD5 value of the unknown file is recorded and the unknown file is forbidden to run.
6. The method according to claim 2, characterized in that the step in which the control server receives and collects the file information of the unknown file uploaded by the terminal comprises:
the control server receives and collects the MD5 value of the unknown file uploaded by the terminal and at least one of the following items: the digital signature of the unknown file, its file version number, its file name, the product name the unknown file belongs to, the product version, and the copyright information of the company the unknown file belongs to.
7. A file information collection device, characterized in that it is arranged at the control server end of a corporate intranet and comprises:
an acquisition module, configured to, when a new file is added in a terminal that, as confirmed by the corporate intranet, does not currently exist in any of the terminals of the corporate intranet, and/or when a file in the terminal is modified and the corporate intranet confirms that the modified file does not currently exist in any of the terminals of the corporate intranet, obtain the file characteristic of a file to be detected from the terminal of the corporate intranet, wherein the file to be detected comprises a file newly added in or modified in the terminal that, as confirmed by the corporate intranet, does not currently exist in any of the terminals of the corporate intranet; whether a corresponding file exists in other terminals is determined through information exchange between terminals;
a judging module, configured to judge whether the file characteristic of the file to be detected matches either the file characteristic of a normal executable file or the file characteristic of a virus file stored in a file feature database in the control server;
a determining module, configured to determine that the file to be detected is an unknown file if the judging module judges that the file characteristic of the file to be detected matches neither the file characteristic of the normal executable file nor the file characteristic of the virus file;
a collection module, configured to return to the terminal a message stating that the file to be detected is an unknown file, notify the terminal to upload the file information of the unknown file, and receive and collect the file information of the unknown file uploaded by the terminal.
8. The device according to claim 7, characterized in that the file characteristic of the file to be detected is the MD5 value obtained by applying the MD5 algorithm to the file content of the file to be detected;
the device further comprises a preserving module, configured to, before the acquisition module obtains the file characteristic of the file to be detected from the terminal of the corporate intranet, obtain the file content of the normal executable file and the file content of the virus file; apply the MD5 algorithm to the file content of the normal executable file and to the file content of the virus file respectively, obtaining the MD5 value of the normal executable file and the MD5 value of the virus file; and save the MD5 value of the normal executable file as the file characteristic of the normal executable file and the MD5 value of the virus file as the file characteristic of the virus file.
9. The device according to claim 8, characterized in that
the acquisition module is configured to obtain, from the terminal of the corporate intranet, the MD5 value of the file to be detected that the terminal has encapsulated using the HTTP protocol.
10. The device according to claim 9, characterized in that the collection module is configured to return to the terminal a message stating that the file to be detected is an unknown file and to notify the terminal to upload the file information of the unknown file; and to receive and collect the file information of the unknown file uploaded directly by the terminal through the terminal background, wherein the file information of the unknown file is encapsulated using the HTTP protocol.
11. The device according to claim 8, characterized in that it further comprises:
an analysis module, configured to, after the collection module receives and collects the file information of the unknown file uploaded by the terminal, analyze the file information of the unknown file to determine whether the unknown file is a secure file; and, if it is determined that the unknown file is not a secure file, record the MD5 value of the unknown file and forbid running the unknown file.
12. The device according to claim 8, characterized in that the file information of the unknown file collected by the collection module comprises the MD5 value of the unknown file and at least one of the following items: the digital signature of the unknown file, its file version number, its file name, the product name the unknown file belongs to, the product version, and the copyright information of the company the unknown file belongs to.
CN201210401574.0A 2012-10-19 2012-10-19 Fileinfo collection method and device Active CN102945348B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210401574.0A CN102945348B (en) 2012-10-19 2012-10-19 Fileinfo collection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210401574.0A CN102945348B (en) 2012-10-19 2012-10-19 Fileinfo collection method and device

Publications (2)

Publication Number Publication Date
CN102945348A CN102945348A (en) 2013-02-27
CN102945348B true CN102945348B (en) 2016-08-03

Family

ID=47728289

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210401574.0A Active CN102945348B (en) 2012-10-19 2012-10-19 Fileinfo collection method and device

Country Status (1)

Country Link
CN (1) CN102945348B (en)



Also Published As

Publication number Publication date
CN102945348A (en) 2013-02-27


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20161208

Address after: 100015 Chaoyang District Road, Jiuxianqiao, No. 10, building No. 3, floor 15, floor 17, 1701-26,

Patentee after: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD.

Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)

Patentee before: Beijing Qihu Technology Co., Ltd.

Patentee before: Qizhi Software (Beijing) Co., Ltd.

CP01 Change in the name or title of a patent holder

Address after: 100015 15, 17 floor 1701-26, 3 building, 10 Jiuxianqiao Road, Chaoyang District, Beijing.

Patentee after: Qianxin Technology Group Co., Ltd.

Address before: 100015 15, 17 floor 1701-26, 3 building, 10 Jiuxianqiao Road, Chaoyang District, Beijing.

Patentee before: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD.

CP01 Change in the name or title of a patent holder