File information collection method and device
Technical field
The present application relates to the field of computer technology, and in particular to a method and device for collecting file information about unknown files.
Background
Antivirus software, also called anti-virus software, is a class of software for eliminating computer viruses, Trojan horses and malware. It usually integrates monitoring and identification, virus scanning and removal, and automatic updating; some antivirus products also offer functions such as data recovery. It is an important component of a computer defense system (which comprises antivirus software, firewalls, programs for scanning for and removing Trojan horses and other malware, intrusion prevention systems, and so on).
At present, when antivirus software is used for system defense and for virus scanning and removal, on the one hand the antivirus software matches the file to be scanned against the virus signatures in its own stored virus signature database. If they match, the file is considered a virus file and is handled as a virus; if they do not match, the file is considered a normal file and is allowed through. On the other hand, this scanning process is carried out only locally.
However, a suspicious unknown file is not among the virus files in the existing antivirus software's virus database, so the database holds no corresponding virus signature and the existing antivirus software lets the file through. Existing antivirus software therefore cannot effectively detect suspicious unknown files or defend against them. Local scanning is also limited: its results cannot be used to influence virus scanning and removal on other machines.
Summary of the invention
In view of the problems that existing antivirus software cannot effectively detect and defend against unknown files and that the effect of scanning results is limited, the present invention is proposed to provide a file information collection method and device that overcome, or at least partially solve, these problems.
According to one aspect of the present invention, a file information collection method is provided, comprising: a control server of an enterprise intranet obtains, from a terminal, the file feature of a file to be detected, where the file to be detected is a file newly added on the terminal and/or a file that has been modified; the control server judges whether the file feature of the file to be detected matches the file features of normal executable files and the file features of virus files stored in the file feature database on the control server; if the file feature of the file to be detected matches neither the file features of normal executable files nor the file features of virus files, the control server determines that the file to be detected is an unknown file; the control server returns to the terminal a message that the file to be detected is an unknown file and notifies the terminal to upload the file information of the unknown file; the control server receives and collects the file information of the unknown file uploaded by the terminal.
Optionally, the file feature of the file to be detected is the MD5 value obtained by applying the MD5 algorithm to the file content of the file to be detected. Before the step in which the control server of the enterprise intranet obtains the file feature of the file to be detected from the terminal, the method further comprises: the control server obtains the file content of normal executable files and the file content of virus files; applies the MD5 algorithm to each to obtain the MD5 values of the normal executable files and the MD5 values of the virus files; and saves the MD5 values of the normal executable files as the file features of normal executable files and the MD5 values of the virus files as the file features of virus files.
Optionally, the step in which the control server obtains the file feature of the file to be detected from the terminal comprises: the control server receives the MD5 value of the file to be detected, which the terminal has encapsulated using the HTTP protocol.
Optionally, the step in which the control server receives and collects the file information of the unknown file uploaded by the terminal comprises: the control server receives and collects the file information of the unknown file that the terminal uploads directly in the background, where the file information of the unknown file is encapsulated using the HTTP protocol.
Optionally, after the step in which the control server receives and collects the file information of the unknown file uploaded by the terminal, the method further comprises: the control server analyzes the file information of the unknown file to determine whether the unknown file is a safe file; if the unknown file is determined not to be a safe file, the MD5 value of the unknown file is recorded and the unknown file is prohibited from running.
Optionally, the step in which the control server receives and collects the file information of the unknown file uploaded by the terminal comprises: the control server receives and collects the MD5 value of the unknown file uploaded by the terminal, and at least one of the following: the digital signature of the unknown file, the file version number, the file name, the name of the product to which the unknown file belongs, the product version, and the copyright information of the company to which the unknown file belongs.
Optionally, the file newly added on the terminal is a new file that the terminal has confirmed through the enterprise intranet does not currently exist on any terminal in the enterprise intranet; the modified file is a modified file that the terminal has confirmed through the enterprise intranet does not currently exist on any terminal in the enterprise intranet.
According to another aspect of the present invention, a file information collection device is provided, arranged on the control server side of an enterprise intranet. The device comprises: an acquisition module, configured to obtain, from a terminal of the enterprise intranet, the file feature of a file to be detected, where the file to be detected is a file newly added on the terminal and/or a file that has been modified; a judgment module, configured to judge whether the file feature of the file to be detected matches the file features of normal executable files and the file features of virus files stored in the file feature database on the control server; a determination module, configured to determine that the file to be detected is an unknown file if the judgment module judges that the file feature of the file to be detected matches neither the file features of normal executable files nor the file features of virus files; and a collection module, configured to return to the terminal a message that the file to be detected is an unknown file, notify the terminal to upload the file information of the unknown file, and receive and collect the file information of the unknown file uploaded by the terminal.
Optionally, the file feature of the file to be detected is the MD5 value obtained by applying the MD5 algorithm to the file content of the file to be detected. The device further comprises a saving module, configured to, before the acquisition module obtains the file feature of the file to be detected from the terminal of the enterprise intranet, obtain the file content of normal executable files and the file content of virus files; apply the MD5 algorithm to each to obtain the MD5 values of the normal executable files and the MD5 values of the virus files; and save the MD5 values of the normal executable files as the file features of normal executable files and the MD5 values of the virus files as the file features of virus files.
Optionally, the acquisition module is configured to obtain, from the terminal of the enterprise intranet, the MD5 value of the file to be detected, which the terminal has encapsulated using the HTTP protocol.
Optionally, the collection module is configured to return to the terminal a message that the file to be detected is an unknown file and notify the terminal to upload the file information of the unknown file; and to receive and collect the file information of the unknown file that the terminal uploads directly in the background, where the file information of the unknown file is encapsulated using the HTTP protocol.
Optionally, the device further comprises an analysis module, configured to, after the collection module receives and collects the file information of the unknown file uploaded by the terminal, analyze the file information of the unknown file to determine whether the unknown file is a safe file; if the unknown file is determined not to be a safe file, the MD5 value of the unknown file is recorded and the unknown file is prohibited from running.
Optionally, the file information of the unknown file collected by the collection module includes the MD5 value of the unknown file, and at least one of the following: the digital signature of the unknown file, the file version number, the file name, the name of the product to which the unknown file belongs, the product version, and the copyright information of the company to which the unknown file belongs.
Optionally, the file newly added on the terminal is a new file that the terminal has confirmed through the enterprise intranet does not currently exist on any terminal in the enterprise intranet; the modified file is a modified file that the terminal has confirmed through the enterprise intranet does not currently exist on any terminal in the enterprise intranet.
According to the file information collection scheme of the present invention, the control server of the enterprise intranet stores not only the file features of virus files (i.e. virus signatures) but also the file features of normal executable files. With these file features, when a file is newly added or modified on a terminal of the enterprise intranet, that file to be detected can be checked. When the file feature reported by the terminal matches none of the file features stored on the control server, the file to be detected on the terminal is an unknown file. The control server then notifies the terminal and requires it to report the file information of the file to be detected, and collects the file information of the unknown file from what the terminal reports, so that unknown files on other terminals can subsequently be identified and judged. An unknown file may be a normal file, but it is more likely to be a file that is harmful to the system (such as a variant of a virus file). If, as in existing schemes, unknown file information is not collected and unknown files are not then controlled, the system and its users may be harmed. With the scheme of the present invention, collecting the file information of unknown files makes it possible to understand the state of unknown files, judge their nature, and manage and defend against them in time, which can greatly improve the security of all terminals in the whole system and reduce system security risk. Moreover, the control server can use the collected file information of an unknown file to detect and judge files to be detected on other terminals later, extending the effect of one terminal's unknown file to the whole system, which further improves the security of the system and the efficiency of detecting and handling unknown files.
The above is only an overview of the technical solution of the present invention. So that the technical means of the invention can be understood more clearly and practiced according to the description, and so that the above and other objects, features and advantages of the invention become more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the detailed description of the preferred embodiments below. The drawings serve only to illustrate the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
Fig. 1 is a flowchart of the steps of a file information collection method according to Embodiment one of the present invention;
Fig. 2 is a flowchart of the steps of a file information collection method according to Embodiment two of the present invention;
Fig. 3 is a flowchart of the steps of a file information collection method according to Embodiment three of the present invention;
Fig. 4 is a structural block diagram of a file information collection device according to Embodiment four of the present invention.
Detailed description
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope can be fully conveyed to those skilled in the art.
Embodiment one
Referring to Fig. 1, a flowchart of the steps of a file information collection method according to Embodiment one of the present invention is shown.
The file information collection method of this embodiment comprises the following steps:
Step S102: the control server of the enterprise intranet obtains the file feature of a file to be detected from a terminal of the enterprise intranet.
Here, the file to be detected is a file newly added on the terminal and/or a file that has been modified.
A file newly added on the terminal may be a file that is new only with respect to the local machine, and it may also be a new file that no other terminal in the enterprise intranet has; or it may be a file that is new to the whole enterprise intranet, that is, a new file that the terminal has confirmed through the enterprise intranet does not currently exist on any terminal in the enterprise intranet. Likewise, a modified file may be one whose modified version is limited to the local machine, and it may also be a modified file that no other terminal in the enterprise intranet has; or it may be a modified file with respect to the whole enterprise intranet, that is, a modified file that the terminal has confirmed through the enterprise intranet does not currently exist on any terminal in the enterprise intranet. Whether other terminals hold the corresponding file can be determined through information exchange between terminals. For the enterprise intranet as a whole, this greatly reduces the amount of file data to be detected and the amount of information exchanged for detection, improving detection efficiency.
When a file is newly added or modified on a terminal, the terminal automatically reports the file feature of the new or modified file to the control server, which triggers the control server to obtain the file feature of the terminal's file to be detected. For example, when a file on the terminal is modified, the control server is triggered to obtain the file and carry out the subsequent unknown-file detection and file information collection; or, when a file is copied to the terminal from a third-party device such as a USB flash drive, the control server is triggered to obtain the file and carry out the subsequent unknown-file detection and file information collection; or, when the system is first installed on a terminal, the control server is triggered to obtain the file features of all files installed on the terminal and carry out the subsequent unknown-file detection and file information collection. The scheme is not limited to these cases: in practice, those skilled in the art may set other suitable rules, and when a set rule is satisfied, the terminal reports the file feature of the file to be detected or the server actively obtains it.
A file feature is characteristic information of a file. It reflects what distinguishes one file from other files and can serve as a unique identifier of the file, for example: an MD5 value computed from the file information, the file's digital signature, the file's version number, the name of the product to which the file belongs, the version of that product, the name of the company to which the file belongs, company copyright information, or even the entire file.
Step S104: the control server judges whether the file feature of the file to be detected matches the file features of normal executable files and the file features of virus files stored in the file feature database on the control server.
The file feature database of the control server stores both the file features of normal executable files and the file features of virus files (i.e. virus signatures). The stored file features may be extracted by analyzing a large amount of collected file data, or may be collected and stored in other suitable ways.
Step S106: if the file feature of the file to be detected matches neither the file features of normal executable files nor the file features of virus files, the control server determines that the file to be detected is an unknown file.
Step S108: the control server returns to the terminal a message that the file to be detected is an unknown file, and notifies the terminal to upload the file information of the unknown file.
Step S110: the control server receives and collects the file information of the unknown file uploaded by the terminal.
In this embodiment, the control server stores not only the file features of virus files (i.e. virus signatures) but also the file features of normal executable files. With these file features, when a file is newly added or modified on a terminal of the enterprise intranet, that file to be detected can be checked. When the file feature reported by the terminal matches none of the file features stored on the control server, the file to be detected on the terminal is an unknown file. The control server then notifies the terminal and requires it to report the file information of the file to be detected, and collects the file information of the unknown file from what the terminal reports, so that unknown files on other terminals can subsequently be identified and judged. An unknown file may be a normal file, but it is more likely to be a file that is harmful to the system (such as a variant of a virus file). If, as in existing schemes, unknown file information is not collected and unknown files are not then controlled, the system and its users may be harmed. With the scheme of this embodiment, collecting the file information of unknown files makes it possible to understand the state of unknown files, judge their nature, and manage and defend against them in time, which can greatly improve the security of all terminals in the whole system and reduce system security risk. Moreover, the control server can use the collected file information of an unknown file to detect and judge files to be detected on other terminals later, extending the effect of one terminal's unknown file to the whole system, which further improves the security of the system and the efficiency of detecting and handling unknown files.
It should be noted that, besides the enterprise intranet scenario, the file information collection scheme of the present invention is also applicable to a standalone machine scenario. Embodiment one describes the scheme in the enterprise intranet scenario; Embodiment two below describes it in the standalone machine scenario.
Embodiment two
Referring to Fig. 2, a flowchart of the steps of a file information collection method according to Embodiment two of the present invention is shown.
This embodiment describes the file information collection method of the present invention using the local antivirus software of a standalone machine as an example.
The file information collection method of this embodiment comprises the following steps:
Step S202: the local antivirus software of an enterprise intranet terminal obtains the file features of normal executable files and the file features of virus files, and saves them to the file feature database of the local antivirus software.
The enterprise intranet terminal may obtain the file features of normal executable files and of virus files from the control server of the enterprise intranet; the file features may also be ones the software ships with, or ones generated after collecting and analyzing files.
In this embodiment, the file features of normal executable files and of virus files are all in the form of MD5 values. An MD5 value carries little data, is easy to compare and identify, and has a low collision rate, so it can effectively distinguish file features. Of course, other suitable file feature forms are equally applicable, such as values computed with secure hash algorithms such as SHA-1.
Step S204: the local antivirus software obtains the file feature of the file to be detected.
This step is triggered when a file is newly added and/or modified on the enterprise intranet terminal. The file to be detected in this embodiment is a file newly added on the terminal and/or a file that has been modified.
In this embodiment, the file feature of the file to be detected has the same form as the stored file features of normal executable files and of virus files, namely an MD5 value.
It should be noted that when generating an MD5 value, those skilled in the art may choose the inputs to MD5 as appropriate, such as the file name, file size, feature vocabulary, or file content. In this embodiment, the MD5 value of the file to be detected, the MD5 values of normal executable files and the MD5 values of virus files are all obtained by applying the MD5 algorithm to file content. Computing the MD5 value over file content represents a file's features more effectively. In addition, the algorithm for generating file features is not limited to MD5; other suitable algorithms may be used, such as secure hash algorithms such as SHA-1.
Step S206: the local antivirus software judges whether the file feature of the file to be detected matches the file features of normal executable files and the file features of virus files stored in the file feature database. If it matches, step S208 is performed; if it does not match, step S210 is performed.
That is, it judges whether the MD5 value of the file to be detected is identical to the MD5 value of a normal executable file or of a virus file.
Step S208: according to the matching result, determine whether the file to be detected is a normal executable file or a virus file. If it is a normal executable file, allow it; if it is a virus file, handle it as a virus (scan and remove). The flow then ends.
Step S210: the local antivirus software determines that the file to be detected is an unknown file and collects the file information of the unknown file.
For example, it collects the MD5 value of the unknown file, and at least one of the following: the digital signature of the unknown file, the file version number, the file name, the name of the product to which the unknown file belongs, the product version, the copyright information of the company to which the unknown file belongs, and so on.
Step S212: the local antivirus software analyzes the file information of the unknown file to determine whether the unknown file is a safe file. If the unknown file is determined not to be a safe file, the MD5 value of the unknown file is recorded and the unknown file is prohibited from running; if the unknown file is determined to be a safe file, it is allowed.
This embodiment enables local antivirus software to detect and defend against unknown files, reducing the security risk of the local system.
Embodiment three
Referring to Fig. 3, a flowchart of the steps of a file information collection method according to Embodiment three of the present invention is shown.
This embodiment again concerns the file information collection scheme in the enterprise intranet scenario, and describes the file information collection method of the present invention using the antivirus software on the control server side of the enterprise intranet as an example.
The file information collection method of this embodiment comprises the following steps:
Step S302: the control server of the enterprise intranet obtains the file content of normal executable files and the file content of virus files.
Step S304: the control server applies the MD5 algorithm to the file content of the normal executable files and to the file content of the virus files, obtaining the MD5 values of the normal executable files and the MD5 values of the virus files.
Step S306: the control server saves the MD5 values of the normal executable files and the MD5 values of the virus files to the file feature database of the control server's antivirus software, as the file features of normal executable files and the file features of virus files respectively.
Step S308: a terminal of the enterprise intranet finds a file to be detected, obtains its file content, and applies the MD5 algorithm to that content to obtain the MD5 value of the file to be detected.
Here, the file to be detected is a file newly added on the terminal and/or a file that has been modified.
Step S310: the terminal uses the HTTP protocol to package the MD5 value of the file to be detected into a message and sends it to the control server.
For example, the terminal sends a request to the control server over the HTTP protocol with the MD5 value of the file to be detected as the POST content.
Step S312: the control server receives the message that the terminal encapsulated using the HTTP protocol and obtains the MD5 value of the file to be detected from the message.
Step S314: the control server judges whether the MD5 value of the file to be detected matches the MD5 values of normal executable files and the MD5 values of virus files stored in the file feature database. If it matches, step S316 is performed; if it does not match, step S318 is performed.
Step S316: according to the matching result, the control server determines whether the file to be detected is a normal executable file or a virus file, and returns to the terminal a message that the file to be detected is a normal executable file or a virus file. The flow then ends.
After receiving the message returned by the control server, the terminal can carry out subsequent handling according to the message content, such as removing the virus or executing the file to be detected.
Step S318: the control server determines that the file to be detected is an unknown file, returns to the terminal a message that the file to be detected is an unknown file, and notifies the terminal to upload the file information of the unknown file.
Step S320: the terminal encapsulates the file information of the unknown file using the HTTP protocol and uploads it directly to the control server in the background.
For example, the terminal uploads the MD5 value of the unknown file, and at least one of the following: the digital signature of the unknown file, the file version number, the file name, the name of the product to which the unknown file belongs, the product version, the copyright information of the company to which the unknown file belongs, and so on.
In this embodiment, the terminal sends the MD5 value of the unknown file, together with the file's digital signature, file name, file version number, product name, product version and company copyright (copyright information), to the control server over the HTTP protocol as the POST content.
Step S322: the control server receives and saves the file information of the unknown file that the terminal uploaded directly in the background, and returns an upload-success message to the terminal.
Step S324: the control server analyzes the file information of the unknown file to determine whether the unknown file is a safe file. If it is determined to be a safe file, the control server notifies the terminal to allow the unknown file; if it is determined not to be a safe file, the control server records the MD5 value of the unknown file and notifies the terminal to prohibit the unknown file from running.
For example, a user deliberately inserts a USB flash drive into the computer on which the terminal runs and copies a file to the intranet terminal. The terminal then sends the file feature to the control server for a query. When the control server judges the file to be an unknown file, it issues an upload notification to the terminal, so the terminal sends the file information of the file to the control server, and the control server records the file information of the file for the administrator's reference. This can be used, for example, to implement the function of the 360 private cloud. The 360 private cloud needs to build a private database, which is used to control the allowing and disabling of all intranet files; by analyzing the file information, it can be determined whether to allow or prohibit the file.
This embodiment implements a C/S architecture of antivirus software terminals and a control server based on the enterprise intranet. The terminal queries a file over the HTTP protocol; based on the query result, the control server issues an upload notification for an unknown file; and the terminal sends the file information of the unknown file in its next HTTP request. In the scheme of this embodiment, the antivirus software terminal in the enterprise intranet sends the file feature of a monitored file (for example, the file's MD5 value) to the control server for verification. When the control server's verification result is that the file is neither a normal file nor a virus, the file is an unknown file; the control server notifies the antivirus software terminal to submit the file information, and the submitted file information is saved on the control server. The control server can direct all terminals to upload the files it needs, and can also notify a terminal to actively scan all files in the background and submit unknown files to the control server. Compared with traditional enterprise-grade antivirus software, which does not manage or control any unknown files, handling intranet security risk and collecting evidence become relatively easy.
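The query-then-upload exchange of steps S302 to S324 (and the S102 to S110 flow of Embodiment one) can be traced in a short Python sketch. This is an added example, not code from the patent: the JSON field names, the `TRUSTED_SIGNERS` analysis policy and the sample contents are assumptions, and the POST bodies are passed as strings instead of over a real HTTP connection so the sketch runs offline.

```python
import hashlib
import json
import re

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
TRUSTED_SIGNERS = {"Example Corp"}  # hypothetical policy for the S324 analysis


def file_feature(content: bytes, algo: str = "md5") -> str:
    """File feature as the page defines it: a hash over the file content."""
    return hashlib.new(algo, content).hexdigest()


class ControlServer:
    def __init__(self, good_files, virus_files):
        # S302-S306: hash the known files and store both feature sets.
        self.good = {file_feature(c) for c in good_files}
        self.virus = {file_feature(c) for c in virus_files}
        self.pending = set()   # MD5s the server has asked a terminal to upload
        self.collected = {}    # MD5 -> file information collected from terminals
        self.decisions = {}    # MD5 -> "allowed" / "blocked" after analysis

    def handle_query(self, body: str) -> dict:
        """S312-S318: body is the POST content carrying the MD5 value."""
        md5 = json.loads(body).get("md5", "")
        if not MD5_RE.match(md5):
            return {"verdict": "error", "upload": False}
        if md5 in self.virus:
            return {"verdict": "virus", "upload": False}
        if md5 in self.good:
            return {"verdict": "normal", "upload": False}
        if md5 in self.decisions:
            # Information collected from one terminal now answers every other.
            return {"verdict": self.decisions[md5], "upload": False}
        self.pending.add(md5)
        return {"verdict": "unknown", "upload": True}

    def handle_upload(self, body: str) -> dict:
        """S322-S324: save the uploaded file information, then analyse it."""
        info = json.loads(body)
        md5 = info.get("md5", "")
        if md5 not in self.pending:
            # Accept only uploads that answer the server's own notification.
            return {"status": "rejected"}
        self.pending.discard(md5)
        self.collected[md5] = info
        safe = info.get("signer") in TRUSTED_SIGNERS  # assumed analysis rule
        self.decisions[md5] = "allowed" if safe else "blocked"
        return {"status": "uploaded", "action": self.decisions[md5]}


def terminal_check(server: ControlServer, content: bytes, metadata: dict) -> str:
    """S308-S320 on the terminal; returns the action the terminal takes."""
    md5 = file_feature(content)
    reply = server.handle_query(json.dumps({"md5": md5}))
    if not reply["upload"]:
        return reply["verdict"]
    upload = dict(metadata, md5=md5)  # MD5 plus the descriptive fields
    return server.handle_upload(json.dumps(upload))["action"]


def demo() -> list:
    # All contents and metadata below are constructed sample values.
    server = ControlServer([b"constructed benign program"],
                           [b"constructed virus sample"])
    unsigned = {"file_name": "tool.exe", "file_version": "1.0", "signer": None}
    signed = {"file_name": "app.exe", "file_version": "2.1",
              "signer": "Example Corp"}
    return [
        terminal_check(server, b"constructed benign program", {}),
        terminal_check(server, b"constructed virus sample", {}),
        terminal_check(server, b"new unsigned file", unsigned),  # first sighting
        terminal_check(server, b"new unsigned file", {}),        # second terminal
        terminal_check(server, b"new signed file", signed),
    ]


if __name__ == "__main__":
    print(demo())
```

The hash algorithm is a parameter of `file_feature` because the description allows other hash algorithms in place of MD5; the server-side `pending` check is an addition of this sketch so that only requested uploads are stored.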
Embodiment four
With reference to Fig. 4, it is shown that the structured flowchart of a kind of fileinfo collection device of four according to embodiments of the present invention.
The fileinfo collection device of the present embodiment is arranged at the control server end of corporate intranet, this device includes: acquisition module 402, for obtaining the file characteristic of file to be detected from the terminal of corporate intranet, wherein, file to be detected newly increases in being terminal file and/or the file being modified;Judge module 404, for judging whether the file characteristic of file to be detected mates with the file characteristic of normal executable file and the file characteristic of virus document of storage in the file feature data storehouse controlled in server;Determine module 406, if judging that the file characteristic of file to be detected does not mates with the file characteristic of normal executable file and the file characteristic of virus document for judge module 404, it is determined that file to be detected is unknown file;Collection module 408, is the message of unknown file for returning file to be detected to terminal, and notifies that terminal uploads the fileinfo of unknown file;Receive the fileinfo of the also unknown file that collection terminal is uploaded.
Preferably, the file characteristic of the file to be detected is the MD5 value obtained by applying the MD5 algorithm to the file content of the file to be detected. The file information collection device of this embodiment further includes a saving module 410, configured to do the following before the acquisition module 402 obtains the file characteristic of the file to be detected from the terminal: obtain the file content of normal executable files and the file content of virus files; apply the MD5 algorithm to each, obtaining the MD5 values of the normal executable files and the MD5 values of the virus files; and save the MD5 values of the normal executable files as the file characteristics of normal executable files and the MD5 values of the virus files as the file characteristics of virus files.
Preferably, the acquisition module 402 is configured to obtain, from a terminal of the corporate intranet, the MD5 value of the file to be detected, which the terminal encapsulates using the HTTP protocol.
Preferably, the collection module 408 is configured to return to the terminal a message that the file to be detected is an unknown file and to notify the terminal to upload the file information of the unknown file; and to receive and collect the file information of the unknown file that the terminal uploads directly in the background, where the file information of the unknown file is encapsulated using the HTTP protocol.
Preferably, the file information collection device of this embodiment further includes an analysis module 412, configured to analyze the file information of the unknown file after the collection module 408 has collected it, and to determine whether the unknown file is a safe file; if the unknown file is determined not to be a safe file, the MD5 value of the unknown file is recorded and the unknown file is forbidden from running.
Preferably, the file information of the unknown file collected by the collection module 408 includes the MD5 value of the unknown file and at least one of the following: the digital signature of the unknown file, the file version number, the file name, the name of the product to which the unknown file belongs, the product version, and the copyright information of the company to which the unknown file belongs.
Preferably, the newly added file on the terminal is a current new file that the terminal has confirmed, through the corporate intranet, does not exist on any terminal in the corporate intranet; the modified file is a currently modified file that the terminal has confirmed, through the corporate intranet, does not exist on any terminal in the corporate intranet.
The file information collection device of this embodiment is used to implement the corresponding control-server-side file information collection method of the foregoing method embodiments, and has the beneficial effects of the corresponding method embodiments, which are not repeated here.
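The query and upload flow of modules 402 to 412, sketched as an added example (not code from the patent). The class and method names, the reply dictionary and the "blocked" verdict are assumptions made for illustration, and the HTTP transport is left out.

```python
import hashlib
from dataclasses import dataclass, field
def md5_of(content: bytes) -> str:
    return hashlib.md5(content).hexdigest()  # file characteristic, as on the page

@dataclass
class ControlServer:
    normal: set = field(default_factory=set)       # MD5s of normal executable files
    virus: set = field(default_factory=set)        # MD5s of virus files
    pending: set = field(default_factory=set)      # unknown MD5s awaiting upload
    collected: dict = field(default_factory=dict)  # MD5 -> uploaded file information
    blocked: set = field(default_factory=set)      # MD5s forbidden from running

    def save_known(self, normal_files, virus_files):  # saving module 410
        self.normal |= {md5_of(c) for c in normal_files}
        self.virus |= {md5_of(c) for c in virus_files}

    def query(self, md5: str) -> dict:
        # Modules 402-408: a characteristic matching neither set is unknown.
        md5 = md5.lower()
        known = (("virus", self.virus), ("normal", self.normal), ("blocked", self.blocked))
        for verdict, hashes in known:  # the "blocked" reply is this sketch's assumption
            if md5 in hashes:
                return {"verdict": verdict, "upload": False}
        if md5 not in self.collected:
            self.pending.add(md5)
        return {"verdict": "unknown", "upload": md5 in self.pending}

    def receive_info(self, info: dict) -> bool:
        # Collection module 408: only requested uploads, MD5 plus one more field.
        md5 = str(info.get("md5", "")).lower()
        if md5 not in self.pending or not any(v for k, v in info.items() if k != "md5"):
            return False
        self.pending.discard(md5)
        self.collected[md5] = dict(info)
        return True

    def analyze(self, md5: str, is_safe: bool) -> None:  # analysis module 412
        if md5 in self.collected and not is_safe:
            self.blocked.add(md5)  # record the MD5; terminals must not run it

def demo():
    srv = ControlServer()  # file contents below are constructed samples
    srv.save_known([b"good tool"], [b"bad payload"])
    new = md5_of(b"never seen before")
    first = srv.query(new)
    ok = srv.receive_info({"md5": new, "filename": "setup.exe"})
    srv.analyze(new, is_safe=False)
    return first, ok, srv.query(new)
```

MD5 is the characteristic the page names; because MD5 collisions are practical, a match against the normal set is weaker evidence than it looks, and a deployment would typically check a SHA-256 value as well.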
The file information collection scheme for unknown files provided by the present invention effectively solves the problem that existing antivirus software cannot effectively detect and defend against unknown files, and achieves detection of and defense against unknown files. In addition, based on the mechanism by which distributed antivirus software terminals upload all unknown files in the enterprise to the control server, further applications can be built on this function, such as file transmission forensics, automatic identification systems for unknown files, and security assessment systems based on the proportion of unknown files in the network and the number of unknown files on a computer.
The algorithms provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct a system embodying the scheme of the present invention is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and that the above description of a specific language is given in order to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It should be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail, so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof in the above description of exemplary embodiments of the invention. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and may furthermore be divided into a plurality of sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features included in other embodiments and not other features, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components in the file information collection scheme for unknown files according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order. These words may be interpreted as names.