CN103778373B - Virus detection method and device - Google Patents

Virus detection method and device

Info

Publication number
CN103778373B
CN103778373B (granted patent), application CN201410012797.7A, published application CN103778373A
Authority
CN
China
Prior art keywords
file
virtual machine
detected
incremental snapshot
image file
Prior art date
Legal status
Active
Application number
CN201410012797.7A
Other languages
Chinese (zh)
Other versions
CN103778373A (en)
Inventor
李龙
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Shenzhen Shenxinfu Electronic Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Shenzhen Shenxinfu Electronic Technology Co Ltd
Priority to CN201410012797.7A
Publication of CN103778373A
Application granted
Publication of CN103778373B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a virus detection method and device. The method comprises: identifying the file type of a file to be detected; calling the virtual machine system image file corresponding to that file type and/or the incremental snapshot of the application version corresponding to the file to be detected; loading the virtual machine system image file and/or the incremental snapshot with virtual machine software to generate a virtual machine instance, and running the file to be detected on that instance; and detecting the running state of the virtual machine instance to analyse whether the file to be detected contains a virus. With this method and device, virus detection can be carried out for multiple application versions on the same virtual machine system image file.

Description

Virus detection method and device
Technical field
The present invention relates to the field of computers, more specifically to virtualization technology, and in particular to a virus detection method and device.
Background
With the continued development of computer technology, viruses are no longer confined to executable files in exe format; they may also be present in documents in formats such as html (Hypertext Markup Language), pdf (Portable Document Format) and swf (Shockwave Flash, the file format of Flash animation software). Because the forms a virus can take are complex and have a dynamic character, the means of detecting viruses has gradually shifted from traditional signature-based techniques towards virtual execution.
Triggering a virus depends on a specific software version: for example, some viruses act only on the Internet Explorer 6 browser or on a specific version of Adobe Reader (a pdf reader), and no longer trigger once that version has been patched or updated. At the same time, no assumption can be made about the operating system version or the software versions present on a client. To analyse a virus's behaviour under different software versions it is therefore usual to install different versions of the application software, such as browsers and Adobe Reader, in a virtual machine. This detection approach has the following problems: different versions of the same software may not be able to coexist, and a large number of different software versions are liable to interfere with one another.
Summary of the invention
In view of this, it is necessary to provide a virus detection method and device that solve the problem that a single virtual machine cannot perform virus detection for different versions of the same application software.
An embodiment of the invention discloses a virus detection method comprising the following steps:
identifying the file type of a file to be detected;
according to the file type, calling the virtual machine system image file corresponding to the file type and/or the incremental snapshot of the application version corresponding to the file to be detected;
loading the virtual machine system image file and/or the incremental snapshot with virtual machine software to generate a virtual machine instance, and running the file to be detected on the virtual machine instance;
detecting the running state of the virtual machine instance and analysing whether the file to be detected contains a virus.
Preferably, the incremental snapshot of the application version comprises the incremental snapshot corresponding to at least one version of the application.
Preferably, loading the virtual machine system image file and the incremental snapshot with virtual machine software to generate a virtual machine instance, and running the file to be detected on the virtual machine instance, comprises:
running the called virtual machine system image file on the virtual machine software;
on the basis of the running virtual machine system image file, loading the incremental snapshot to generate a virtual machine instance that contains the application version mapped by the incremental snapshot;
opening the file to be detected with the virtual machine instance.
Preferably, before identifying the file type of the file to be detected, the method further comprises:
configuring, for each operating system, the corresponding virtual machine system image file; generating a virtual machine instance from the configured virtual machine system image file with virtual machine software; installing a preset version of the application on the virtual machine instance corresponding to that image file; and generating and storing an incremental snapshot.
Preferably, analysing whether the file to be detected contains a virus comprises:
analysing the malicious behaviour of the virus contained in the file to be detected, and the operating system and/or the application version required for the virus to trigger.
An embodiment of the invention also discloses a virus detection device comprising:
a type identification module for identifying the file type of a file to be detected;
a virtual machine image and incremental snapshot calling module for calling, according to the file type, the virtual machine system image file corresponding to the file type and/or the incremental snapshot of the application version corresponding to the file to be detected;
a virtual running module for loading the virtual machine system image file and/or the incremental snapshot with virtual machine software to generate a virtual machine instance, and running the file to be detected on the virtual machine instance;
a virus detection module for detecting the running state of the virtual machine instance and analysing whether the file to be detected contains a virus.
Preferably, the incremental snapshot of the application version comprises the incremental snapshot corresponding to at least one version of the application.
Preferably, the virtual running module is further configured to:
run the called virtual machine system image file on the virtual machine software;
on the basis of the running virtual machine system image file, load the incremental snapshot to generate a virtual machine instance that contains the application version mapped by the incremental snapshot;
open the file to be detected with the virtual machine instance.
Preferably, the virus detection device further comprises:
an incremental snapshot configuration module for configuring, for each operating system, the corresponding virtual machine system image file; generating a virtual machine instance from the configured virtual machine system image file with virtual machine software; installing a preset version of the application on the virtual machine instance corresponding to that image file; and generating and storing an incremental snapshot.
Preferably, the virus detection module is further configured to:
analyse the malicious behaviour of the virus contained in the file to be detected, and the operating system and/or the application version required for the virus to trigger.
The embodiment of the invention identifies the file type of the file to be detected; according to that file type it calls the corresponding virtual machine system image file and, at the same time, the incremental snapshot of the application version corresponding to the file to be detected; it loads the virtual machine system image file and/or the incremental snapshot with virtual machine software to generate a virtual machine instance and runs the file to be detected on that instance; and it detects the running state of the virtual machine instance to analyse whether the file contains a virus. Compared with the prior-art method of installing different versions of application software in a virtual machine and detecting viruses there, the embodiment has the advantage that virus detection can be carried out for multiple application versions on the same virtual machine system image file. Further, because incremental snapshots of different application versions can be configured for the same virtual machine, disk storage space is reduced, storage cost is saved, and the scalability of the detection system is improved.
Brief description of the drawings
Fig. 1 is a flow diagram of a first embodiment of the virus detection method of the present invention;
Fig. 2 is a flow diagram of a second embodiment of the virus detection method of the present invention;
Fig. 3 is a functional block diagram of a first embodiment of the virus detection device of the present invention;
Fig. 4 is a functional block diagram of a second embodiment of the virus detection device of the present invention.
The realization of the purpose, functional features and advantages of the embodiments of the invention is further described below with reference to the drawings and embodiments.
Detailed description
The technical solution is further described below with reference to the drawings and specific embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it.
Fig. 1 is a flow diagram of a first embodiment of the virus detection method of the present invention. As shown in Fig. 1, the virus detection method comprises the following steps:
Step S01: identify the file type of the file to be detected.
When the system receives a file to be detected sent by a user, or has itself fetched data that needs virus detection, it identifies the file type of the file to be detected, for example whether it is an exe file, a pdf file or another file type.
Step S02: according to the file type, call the virtual machine system image file corresponding to the file type and/or the incremental snapshot of the application version corresponding to the file to be detected.
According to the identified file type, the system calls from a database the stored virtual machine system image file corresponding to that file type. In the embodiment, a virtual machine system image file can be understood as a persistent file that stores the whole state of a virtual machine (including disk, memory and similar information); such an image file usually occupies a large amount of storage, a Windows XP system image file for example typically taking several GB.
For example, if the system identifies the file to be detected as an exe file, it analyses whether the runtime environment of the exe file is 32-bit or 64-bit and calls the virtual machine system image file corresponding to that environment. When the identified type is an exe file or another file belonging to an executable program, the file does not need any other third-party application in order to execute, so the system does not need to obtain the incremental snapshot of an application version for it: it obtains only the virtual machine system image file corresponding to the file type, and the operating system provided by that image file can execute the file to be detected directly.
When the system identifies the file to be detected as a file that can only be executed by some other or third-party application, then in addition to obtaining the virtual machine system image file corresponding to the file type, the system also calls the incremental snapshot of the application version for that file.
In the embodiment, such other or third-party applications include, but are not limited to, readers, browsers and document editors.
In the embodiment, the incremental snapshot of an application version can be understood as follows: every modification made on the basis of a single virtual machine system image file is written to the incremental snapshot file, without affecting the original virtual machine system image file; and several incremental snapshots taken at different points in time can be created on the same virtual machine system image file, so that, when several system patches are installed, an incremental snapshot can be made at each stage for later recovery. Normally an incremental snapshot file is far smaller than a virtual machine system image file: a snapshot file of the virtual machine software QEMU is typically about 10 MB to 40 MB, whereas a virtual machine system image file occupies several GB, so the use of incremental snapshots in the embodiment also saves a great deal of storage space.
In a preferred embodiment, according to the file type of the file to be detected and the actual detection requirements, the incremental snapshots of the application version that the system can call at once include the incremental snapshot corresponding to at least one version of the application, and/or the incremental snapshots corresponding to all commonly used versions of at least one application. For example, for a pdf document the system calls the incremental snapshots corresponding to the readers Adobe Reader 8.0 and Adobe Reader 9.0 respectively; for a Word document the system can call the incremental snapshots corresponding to Word 2003, Word 2007, Word 2013, WPS 2003, WPS 2007, WPS 2010, WPS 2013 and similar applications.
Step S03: load the virtual machine system image file and/or the incremental snapshot with virtual machine software to generate a virtual machine instance, and run the file to be detected on the virtual machine instance.
When, for a file type such as an exe executable, the system has called only the virtual machine system image file corresponding to the file type, it virtually executes the file to be detected in a virtual machine on the operating system provided by the called image file. In the embodiment, virtual execution can be understood as detecting the behaviour of code by simulating the environment in which the code executes.
When, according to the file type, the system has called both the virtual machine system image file corresponding to the file type and the incremental snapshot of the application version corresponding to the file to be detected, it loads the virtual machine system image file and the incremental snapshot on the virtual machine software to generate a virtual machine instance containing the application version corresponding to the incremental snapshot, and opens the file to be detected with that virtual machine instance.
The virtual machine system image and incremental snapshot formats in the embodiment are described by way of example using the qcow2 file format of the virtual machine software QEMU; the method and device of the embodiment do not restrict the virtual machine software or the concrete formats of the system image and incremental snapshot.
For example, when the file to be detected is a Word document, the system, according to the file type, calls the virtual machine system image file windows-XP.qcow2 and at the same time calls the incremental snapshots word2003.qcow2, word2007.qcow2 and word2013.qcow2 of the application versions corresponding to the Word document. On the basis of the operating system Windows XP corresponding to the called windows-XP.qcow2, the system starts the incremental snapshots word2003.qcow2, word2007.qcow2 and word2013.qcow2, generating the virtual machine instances of the application versions mapped by those snapshots, namely three instances for Word 2003, Word 2007 and Word 2013; with these three instances it opens the suspicious Word document to be detected.
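Steps S01 to S03 as a runnable dispatcher, added here as an example and not code from the patent or from Sangfor. The magic numbers are the real signatures of the formats named in the background section, but the image and snapshot names, the library layout, the ISO delivery of the sample and the QEMU command line are assumptions for illustration; the patent fixes none of them. The `-snapshot` flag is what keeps the library overlay pristine: every write the sample provokes goes to a throwaway file.

```python
"""Added example: file-type dispatch to a base VM image plus per-version
incremental snapshots (steps S01 to S03 of the patent). Image/snapshot
names, library layout and QEMU invocation are assumptions."""
import struct

# Step S01: classify by content, never by the user-supplied extension.
MAGIC = [
    (b"MZ", "exe"),
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "word"),  # OLE2 container (.doc)
    (b"PK\x03\x04", "word"),                        # OOXML zip container (.docx)
    (b"FWS", "swf"),
    (b"CWS", "swf"),                                # compressed swf
]

def identify_type(data: bytes) -> str:
    for magic, ftype in MAGIC:
        if data.startswith(magic):
            return ftype
    head = data.lstrip()[:64].lower()
    if head.startswith((b"<!doctype html", b"<html")):
        return "html"
    return "unknown"

def exe_bitness(data: bytes) -> int:
    """32 or 64 from the PE COFF Machine field (the patent picks the base
    image matching the executable's runtime environment)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("MZ header without PE signature")
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return 64 if machine == 0x8664 else 32

# Assumed library: one pristine base image per OS, one overlay per app version.
BASE_IMAGE = {32: "windows-XP.qcow2", 64: "windows-7.qcow2"}
SNAPSHOTS = {
    "pdf": ["adobe-reader-8.qcow2", "adobe-reader-9.qcow2"],
    "word": ["word2003.qcow2", "word2007.qcow2", "word2013.qcow2"],
}

def plan(data: bytes) -> dict:
    """Step S02: choose the image and/or snapshots for the identified type."""
    ftype = identify_type(data)
    if ftype == "exe":
        # Self-contained executable: base image only, no application overlay.
        return {"type": ftype, "base": BASE_IMAGE[exe_bitness(data)], "snapshots": []}
    if ftype in SNAPSHOTS:
        # Document opened by a third-party reader: one overlay per version.
        return {"type": ftype, "base": BASE_IMAGE[32], "snapshots": list(SNAPSHOTS[ftype])}
    raise ValueError(f"no analysis environment for type {ftype!r}")

def qemu_commands(p: dict, sample_iso: str = "sample.iso") -> list:
    """Step S03: one VM instance per overlay. -snapshot redirects all writes
    to a temporary file so the library overlay is never modified by the
    sample; the sample is assumed to be delivered on a read-only ISO."""
    disks = p["snapshots"] or [p["base"]]
    return [["qemu-system-x86_64", "-snapshot",
             "-drive", f"file={d},format=qcow2",
             "-cdrom", sample_iso] for d in disks]

def make_pe_stub(machine: int) -> bytes:
    """Constructed minimal MZ/PE header used as test input."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew -> PE header at 0x40
    return bytes(hdr) + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18

if __name__ == "__main__":
    for sample in (b"%PDF-1.4 constructed", make_pe_stub(0x8664), make_pe_stub(0x014C)):
        p = plan(sample)
        print(p["type"], p["base"], [" ".join(c) for c in qemu_commands(p)])
```

Identifying by magic rather than extension matters here because the dispatch decides which reader versions get exercised: a pdf renamed to .txt would otherwise never reach the Adobe Reader overlays.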
Step S04: detect the running state of the virtual machine instance and analyse whether the file to be detected contains a virus.
The system detects the running state of the virtual machine instance and, from that state, analyses whether the file to be detected contains a virus. For example, the system scans the memory space of the processes running in the virtual machine for shellcode; if shellcode is present, the file to be detected is identified as containing a virus. Or the system detects whether a memory overflow occurs in the virtual machine; if so, the file is identified as containing a virus. Or the system detects whether critical system files or critical registry entries are modified in the virtual machine; if so, the file is identified as containing a virus. Or the system checks whether the parameters of the key functions called in the virtual machine are legal; if the parameters of a called key function are illegal, the file is identified as containing a virus. These detection methods can be used independently or in combination. The system can also correlate the various features observed while the virtual machine runs: for example, after a memory overflow has been detected by memory taint analysis, the system scans the suspicious memory region for shellcode, so that the two findings are correlated. Analysing whether the file to be detected contains a virus is of course not limited to the analysis methods enumerated above, and the embodiment does not list them exhaustively.
In a preferred embodiment, when the system analyses the virus contained in the file to be detected, it can also obtain the malicious behaviour of the virus, and the operating system and/or the application version required for the virus to trigger.
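The step S04 checks carried out in code, added here as an example that is not the patent's or Sangfor's implementation. It covers the shellcode scan of process memory, the critical file and registry check and the key-function parameter check, and combines them into one verdict. The memory bytes and the hooked-call log are constructed; how they are collected from the instance (an agent in the guest, introspection, the QEMU monitor) is not fixed by the patent and is assumed away here, as are the critical-path lists.

```python
"""Added example: step S04 checks over a VM instance's observed state.
Memory contents and the hooked-call log are constructed inputs; collection
from the guest is assumed to happen elsewhere."""
import re

# Generic x86 shellcode markers. Each alone is weak (NOP runs occur in
# padding), so the memory verdict needs two distinct markers in one window.
INDICATORS = {
    "nop_sled":       re.compile(rb"\x90{16,}"),
    "call_pop_getpc": re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]"),  # call $+5; pop reg
    "jmp_call_pop":   re.compile(rb"\xeb[\x01-\x7f]\x5e"),              # jmp short; pop esi
    "fnstenv_getpc":  re.compile(rb"\xd9\xee\xd9\x74\x24\xf4"),         # fldz; fnstenv [esp-0xc]
}

def scan_region(region: bytes) -> list:
    """Sorted (offset, marker) pairs for every marker found in one region."""
    return sorted((m.start(), name) for name, pat in INDICATORS.items()
                  for m in pat.finditer(region))

def memory_verdict(region: bytes, window: int = 256):
    """(True, offset) when two different markers fall within `window` bytes."""
    hits = scan_region(region)
    for i, (off, name) in enumerate(hits):
        names = {name}
        for off2, name2 in hits[i + 1:]:
            if off2 - off > window:
                break
            names.add(name2)
        if len(names) >= 2:
            return True, off
    return False, None

# Locations and parameters a document reader has no business touching.
# These lists are assumptions for the example, not the patent's.
CRITICAL_REG_PREFIXES = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
CRITICAL_DIRS = (r"C:\Windows\System32",)
PAGE_EXECUTE_READWRITE = 0x40

def check_call(fn: str, args: dict):
    """Reason string if a hooked call breaks a rule, else None."""
    key = args.get("key", "").upper()
    path = args.get("path", "").upper()
    if fn == "RegSetValueEx" and key.startswith(tuple(p.upper() for p in CRITICAL_REG_PREFIXES)):
        return f"writes autorun key {args['key']}"
    if fn in ("CreateFile", "WriteFile") and path.startswith(tuple(d.upper() for d in CRITICAL_DIRS)):
        return f"modifies system file {args['path']}"
    if fn in ("VirtualAlloc", "VirtualProtect") and args.get("protect") == PAGE_EXECUTE_READWRITE:
        return "requests RWX memory"
    if fn in ("WinExec", "CreateProcess"):
        return f"spawns process {args.get('cmd')}"
    return None

def analyse(regions: dict, calls: list) -> dict:
    """Combine the checks; the sample is flagged if any of them fires."""
    findings = []
    for name, region in regions.items():
        flagged, off = memory_verdict(region)
        if flagged:
            findings.append(f"shellcode markers in {name} at +0x{off:x}")
    for fn, args in calls:
        reason = check_call(fn, args)
        if reason:
            findings.append(f"{fn}: {reason}")
    return {"malicious": bool(findings), "findings": findings}

# Constructed sample: a heap region holding a NOP sled followed by a GetPC
# stub, and a call log such as an exploited reader process would produce.
SAMPLE_REGIONS = {
    "heap@0x01a0000": b"\0" * 40 + b"\x90" * 32 + b"\xe8\x00\x00\x00\x00\x5b" + b"\xcc" * 16,
    "stack":          b"\x00\x41" * 64,
}
SAMPLE_CALLS = [
    ("VirtualAlloc", {"size": 0x1000, "protect": PAGE_EXECUTE_READWRITE}),
    ("RegSetValueEx", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"}),
    ("CreateFile", {"path": r"C:\Users\x\AppData\Local\Temp\a.tmp"}),
]

if __name__ == "__main__":
    print(analyse(SAMPLE_REGIONS, SAMPLE_CALLS))
```

Requiring two distinct markers in one window is the practical form of the "correlate features" remark in the text: a bare NOP run is common in legitimate padding, while a NOP sled next to a GetPC stub is the shape of a sprayed payload.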
Using virtual machine incremental snapshot technology for virus detection, the embodiment achieves the following beneficial effects:
(1) Low miss rate: with incremental snapshots of several software versions, the behaviour of a suspicious file can be analysed under each of those versions, so viruses that depend on a particular version are rarely missed.
(2) Low storage consumption: an incremental snapshot is far smaller than a virtual machine system image file, and because the coexistence of multiple versions is realized through incremental snapshots rather than by installing different software versions on one virtual machine, the versions do not interfere with each other and storage space is saved.
(3) Good scalability: to add new application software or a system patch, it is only necessary to install it on the original virtual machine system image, make an incremental snapshot, and add that snapshot to the virtual machine snapshot library. Since support for a new software version can be added quickly, this helps with detecting viruses used in 0day attacks.
Fig. 2 is a flow diagram of a second embodiment of the virus detection method of the present invention. It differs from the embodiment of Fig. 1 in that, before detecting virus samples, the system first sets up the virtual machine system image files and the incremental snapshots of the corresponding application versions, so that subsequent sample detection can proceed immediately.
Building on the description of the embodiment of Fig. 1, and as shown in Fig. 2, before step S01 (identifying the file type of the file to be detected) the virus detection method further comprises:
Step S10: configure, for each operating system, the corresponding virtual machine system image file; generate a virtual machine instance from the configured virtual machine system image file with virtual machine software; install a preset version of the application on the virtual machine instance corresponding to that image file; and generate and store an incremental snapshot.
This embodiment describes only step S10; for the other steps of the virus detection method, refer to the detailed description of the related embodiment, which is not repeated here.
As shown in Fig. 2, the system first configures the virtual machine system image file corresponding to each operating system, for example windows-XP.qcow2 for the Windows XP operating system and windows-7.qcow2 for the Windows 7 operating system. Each configured image file is a clean version: the operating system it corresponds to contains nothing beyond the programs required for the system to run, and no other third-party application. After the image files have been configured, the system starts an image file, generates a virtual machine instance with the virtual machine software, installs the corresponding applications and the different versions of each application on that instance, and generates and stores the incremental snapshots of the application versions corresponding to that image file. This forms a library of virtual machine system image files and a library of incremental snapshots; during virus detection the system calls the corresponding image file and/or incremental snapshots according to the file type of the file to be detected and the file itself.
The implementation of the embodiment is described by taking the generation of incremental snapshots of Adobe Reader versions on a Windows XP system as an example.
The system configures a clean operating system virtual machine system image file windows-XP.qcow2. After configuration it starts the image file and, in the runtime environment the started image provides, installs Adobe Reader 8.0, generating at the same time the incremental snapshot corresponding to Adobe Reader 8.0 for the virtual machine; while the incremental snapshot is generated, the configured virtual machine system image file does not change at all. The system stores the generated incremental snapshot as adobe-reader-8.qcow2. In the same way the system installs Adobe Reader 9.0, generates the incremental snapshot corresponding to Adobe Reader 9.0, and stores it as adobe-reader-9.qcow2.
By configuring the virtual machine system image files and the incremental snapshots of the corresponding application versions, the embodiment provides the database of virtual machine system image files and the database of incremental snapshots that the system calls when subsequently detecting files.
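The step S10 library construction as an added example (not the patent's or Sangfor's code). `qemu-img create -f qcow2 -b BASE -F qcow2 OVERLAY` is the real QEMU command that creates an incremental snapshot whose writes never reach the base image, and the header layout parsed below is the documented qcow2 format; the file names, the header-only test images and the admission policy are assumptions. The practitioner's check this adds is the one the text implies but does not state: before an overlay from the library is loaded, confirm that its backing file really is the clean base image it was built on, because a snapshot whose backing file was swapped or detached silently changes the analysis environment.

```python
"""Added example: create qcow2 overlays for the snapshot library (step S10)
and verify each overlay's backing file before it is used. Names and the
header-only images written for the demo are constructed."""
import os
import struct
import tempfile

QCOW_MAGIC = 0x514649FB  # b"QFI\xfb"; all qcow2 header fields are big-endian

def overlay_command(base: str, overlay: str) -> list:
    """qemu-img invocation creating an empty overlay backed by `base`."""
    return ["qemu-img", "create", "-f", "qcow2", "-b", base, "-F", "qcow2", overlay]

def read_backing_file(path: str) -> str:
    """Parse the qcow2 header; return the backing file name ("" if none)."""
    with open(path, "rb") as fh:
        magic, version, bf_off, bf_size = struct.unpack(">IIQI", fh.read(20))
        if magic != QCOW_MAGIC:
            raise ValueError(f"{path}: not a qcow2 image")
        if version not in (2, 3):
            raise ValueError(f"{path}: unsupported qcow2 version {version}")
        if bf_size == 0:
            return ""
        if bf_size > 1023:  # the format caps the backing file name at 1023 bytes
            raise ValueError(f"{path}: implausible backing file name length")
        fh.seek(bf_off)
        return fh.read(bf_size).decode()

def check_overlay(overlay: str, expected_base: str) -> bool:
    """Admit an overlay only if it points at the clean base image it was
    built on (compared by name; the library keeps bases and overlays in one
    directory, so a relative name is expected)."""
    actual = read_backing_file(overlay)
    return os.path.basename(actual) == os.path.basename(expected_base)

def build_fake_qcow2(path: str, backing: str, version: int = 3) -> None:
    """Write a constructed qcow2 header with no data clusters (enough for
    the header checks above; not a usable disk image)."""
    name = backing.encode()
    hdr_len = 104 if version == 3 else 72
    header = struct.pack(
        ">IIQIIQIIQQIIQ",
        QCOW_MAGIC, version,
        hdr_len if name else 0, len(name),  # backing_file_offset / backing_file_size
        16,                                 # cluster_bits (64 KiB clusters)
        0,                                  # virtual disk size
        0, 0, 0,                            # crypt_method, l1_size, l1_table_offset
        0, 0,                               # refcount_table_offset / _clusters
        0, 0)                               # nb_snapshots, snapshots_offset
    if version == 3:
        # incompatible/compatible/autoclear features, refcount_order, header_length
        header += struct.pack(">QQQII", 0, 0, 0, 4, hdr_len)
    with open(path, "wb") as fh:
        fh.write(header + name)

def demo_library() -> dict:
    """Build a base plus a good and a mis-based overlay; run the admission check."""
    tmp = tempfile.mkdtemp()
    base = os.path.join(tmp, "windows-XP.qcow2")
    good = os.path.join(tmp, "adobe-reader-8.qcow2")
    bad = os.path.join(tmp, "adobe-reader-9.qcow2")
    build_fake_qcow2(base, "")
    build_fake_qcow2(good, "windows-XP.qcow2")
    build_fake_qcow2(bad, "windows-7.qcow2", version=2)  # built on the wrong base
    return {
        "base_backing": read_backing_file(base),
        "good": check_overlay(good, base),
        "bad": check_overlay(bad, base),
        "command": overlay_command("windows-XP.qcow2", "adobe-reader-8.qcow2"),
    }

if __name__ == "__main__":
    r = demo_library()
    print(" ".join(r["command"]))
    print("adobe-reader-8 admitted:", r["good"], " adobe-reader-9 admitted:", r["bad"])
```

In a real library the overlay is created with `overlay_command`, the application version is installed inside a VM booted from that overlay, and the VM is shut down; the overlay file is then the stored incremental snapshot, and the base image is never written.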
Fig. 3 is Viral diagnosis device first embodiment high-level schematic functional block diagram of the present invention;As shown in figure 3, the present invention is viral Detection means includes:Type identification module 01, virtual machine image and incremental snapshot calling module 02, virtual operation module 03 and disease Malicious detection module 04.
Type identification module 01, for identifying the file type of file to be detected;
System receives the file to be detected of user's transmission, or system voluntarily grabs corresponding data and need to carry out virus During detection, type identification module 01 identifies the file type of file to be detected;Such as, type identification module 01 identifies that this is to be detected Whether whether file be exe file, be the file types such as pdf file.
Virtual machine image and incremental snapshot calling module 02, for according to described file type, calling described file type Corresponding dummy machine system image file and/or the incremental snapshot of the corresponding application version of described file to be detected;
The literary composition of the file to be detected that virtual machine image and incremental snapshot calling module 02 identify according to type identification module 01 Part type, calls the dummy machine system image file of the corresponding storage of this document type from data base;The embodiment of the present invention In, described dummy machine system image file can be understood as one kind and is stored with whole virtual machine state(Including the letter such as disk, internal memory Breath)Persistency wave file, the memory space that dummy machine system image file generally takes up is larger, such as windows XP system System image file typically constitutes from the memory space with several GB.
For example, type identification module 01 identifies the file type of the file to be detected as an exe file; the virtual machine image and incremental snapshot calling module 02 then analyzes whether the running environment of the exe file is 32-bit or 64-bit, and according to the result calls the virtual machine system image file corresponding to that running environment. When type identification module 01 identifies the file type of the file to be detected as an exe file or the file of another kind of executable program, the file does not need any other or third-party application program in order to execute, so the virtual machine image and incremental snapshot calling module 02 does not need to obtain an incremental snapshot of an application version for it; it obtains only the virtual machine system image file corresponding to the file type, and the operating system provided by that virtual machine system image file is enough to execute the file to be detected.
When type identification module 01 identifies that the file type of the file to be detected is one that must be executed by another or third-party application program, the virtual machine image and incremental snapshot calling module 02 obtains the virtual machine system image file corresponding to the file type and, at the same time, calls the incremental snapshot of the application version corresponding to the file to be detected.
In the embodiment of the present invention, the other or third-party application programs include, but are not limited to, application programs such as readers, browsers and document editors.
In the embodiment of the present invention, the incremental snapshot of an application version can be understood as follows: all modifications made on top of a single virtual machine system image file are written into an incremental snapshot file, without affecting the original virtual machine system image file; and incremental snapshots at multiple points in time can be created on the basis of the same virtual machine system image file, for example when several system patches are installed, an incremental snapshot can be made at each stage for recovery. Under normal circumstances an incremental snapshot file is far smaller than a virtual machine system image file: a snapshot file of the virtual machine software QEMU is normally about 10MB~40MB, whereas the storage space taken by a virtual machine system image file can reach several GB. The embodiment of the present invention therefore also greatly saves storage space by using incremental snapshots.
In a preferred embodiment of the present invention, according to the file type of the file to be detected and the actual detection needs, the incremental snapshots of the application versions corresponding to the file to be detected that the virtual machine image and incremental snapshot calling module 02 can call at one time include: the incremental snapshot corresponding to at least one version of the application program, and/or the incremental snapshots corresponding to all commonly used versions of at least one application program. For example, for a pdf document, the virtual machine image and incremental snapshot calling module 02 calls the incremental snapshots corresponding to the readers Adobe Reader 8.0 and Adobe Reader 9.0 respectively; for a word document, the virtual machine image and incremental snapshot calling module 02 can call the incremental snapshots corresponding to application programs such as word2003, word2007, word2013, WPS2003, WPS2007, WPS2010 and WPS2013.
Virtual operation module 03, for loading the virtual machine system image file and/or incremental snapshot using the virtual machine software to generate a virtual machine instance, and running the file to be detected in the virtual machine instance;
When the virtual machine image and incremental snapshot calling module 02, according to the file type of the file to be detected (such as an exe executable file), has called only the virtual machine system image file corresponding to that file type, virtual operation module 03 virtually executes the file to be detected on the virtual machine, based on the operating system provided by the called virtual machine system image file. In the embodiment of the present invention, virtual execution can be understood as: detecting the behavior of code by simulating the execution environment of the code.
When the virtual machine image and incremental snapshot calling module 02, according to the file type of the file to be detected, calls both the virtual machine system image file corresponding to that file type and the incremental snapshot of the application version corresponding to the file to be detected, virtual operation module 03 loads the virtual machine system image file and the incremental snapshot on the virtual machine software and generates a virtual machine instance containing the application version corresponding to the incremental snapshot; using that virtual machine instance, virtual operation module 03 opens the file to be detected.
In the embodiment of the present invention, the formats of the virtual machine system image and of the incremental snapshot are both described using the file format qcow2 of the virtual machine software QEMU as an example; the virus detection method and device of the embodiment of the present invention do not limit the specific form of the virtual machine software, the virtual machine system image or the incremental snapshot.
For example, when type identification module 01 identifies that the file to be detected is a word document, the virtual machine image and incremental snapshot calling module 02, according to the file type of the word document, calls the virtual machine system image file windows-XP.qcow2 and at the same time calls the incremental snapshots word2003.qcow2, word2007.qcow2 and word2013.qcow2 of the application versions corresponding to the word document. Based on the operating system windows-XP corresponding to the called windows-XP.qcow2, virtual operation module 03 starts the incremental snapshots word2003.qcow2, word2007.qcow2 and word2013.qcow2 and generates virtual machine instances containing the application versions mapped by those incremental snapshots, namely the three virtual machine instances word2003, word2007 and word2013; using these three virtual machine instances, virtual operation module 03 opens the suspicious word document to be detected.
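The selection rule just described (base image only for an exe, base image plus one incremental snapshot per stored application version for other file types), worked as an added example that is not code from the patent. The library layout, the Instance type, the 64-bit base windows-7.qcow2 and the qemu-system argument vector are assumptions; the qcow2 file names are the ones the text uses.

```python
"""Select the base image and incremental snapshots for one file to be
detected, and build the launch plan for each virtual machine instance,
following the call rules of modules 02 and 03 in the text above.

Added example, not code from the patent: the library layout, the
Instance type, the 64-bit base windows-7.qcow2 and the qemu-system
argument vector are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

# Clean base images by executable architecture (module 02 picks the base
# for an exe file from its 32/64-bit running environment).
BASE_IMAGES = {32: "windows-XP.qcow2", 64: "windows-7.qcow2"}

# Incremental snapshot library: file type -> (backing base image, snapshots
# that each hold one installed application version on top of that base).
SNAPSHOTS = {
    "doc": ("windows-XP.qcow2", ["word2003.qcow2", "word2007.qcow2", "word2013.qcow2"]),
    "pdf": ("windows-XP.qcow2", ["adobe-reader-8.qcow2", "adobe-reader-9.qcow2"]),
}


@dataclass(frozen=True)
class Instance:
    name: str                 # "word2003", or the base OS name for exe files
    base: str                 # virtual machine system image file
    snapshot: Optional[str]   # incremental snapshot; None for plain executables


def plan_instances(file_type: str, arch: int = 32) -> List[Instance]:
    """Instances that modules 02 and 03 would start for one file.

    An exe needs no third-party application, so only the base image for its
    running environment is used.  Any other type gets one instance per stored
    application version, so a version-dependent sample is opened by every
    version in the library rather than by a single one."""
    if file_type == "exe":
        if arch not in BASE_IMAGES:
            raise ValueError(f"no base image for {arch}-bit executables")
        base = BASE_IMAGES[arch]
        return [Instance(base.removesuffix(".qcow2"), base, None)]
    if file_type not in SNAPSHOTS:
        raise ValueError(f"no snapshot configured for file type {file_type!r}")
    base, snapshots = SNAPSHOTS[file_type]
    return [Instance(s.removesuffix(".qcow2"), base, s) for s in snapshots]


def qemu_command(inst: Instance) -> List[str]:
    """Argument vector for the virtual machine software (qemu-system).

    The drive is the incremental snapshot when there is one: qcow2 serves
    unmodified clusters from the snapshot's backing file, so the base image
    is loaded implicitly.  -snapshot redirects writes to a temporary file so
    the stored library copy is not dirtied by opening the sample."""
    disk = inst.snapshot or inst.base
    return ["qemu-system-i386", "-drive", f"file={disk},format=qcow2", "-snapshot"]
```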
Virus detection module 04, for detecting the running status of the virtual machine instance and analyzing whether the file to be detected contains a virus.
Virus detection module 04 detects the running status of the virtual machine instance and, according to that running status, analyzes whether the file to be detected contains a virus. For example, virus detection module 04 scans the memory space of the running virtual machine process for shellcode (overflow code); if shellcode is present, it determines that the file to be detected contains a virus. Or: virus detection module 04 detects whether a memory overflow has occurred in the virtual machine; if a memory overflow has occurred, it determines that the file to be detected contains a virus. Or: virus detection module 04 detects whether the virtual machine shows behavior that modifies critical system files or critical registry entries; if such behavior exists, it determines that the file to be detected contains a virus. Or: virus detection module 04 detects whether the parameters of the key functions called in the virtual machine are legal; if the parameters of a called key function are illegal, it determines that the file to be detected contains a virus; and other detection modes. The above detection modes can be used independently or in combination. Virus detection module 04 can also integrate and correlate the various features that can be observed while the virtual machine runs: for example, after detecting a memory overflow problem by memory taint analysis, virus detection module 04 additionally scans the suspicious memory region for shellcode, thereby performing correlated analysis. Naturally, the ways in which virus detection module 04 analyzes whether the file to be detected contains a virus are not limited to the analysis modes enumerated above, and the embodiment of the present invention does not exhaust them one by one.
In a preferred embodiment of the present invention, when virus detection module 04 determines that the file to be detected contains a virus, virus detection module 04 can also obtain the malicious behavior of the virus, together with the operating system required for the virus to trigger and/or the application version required for the virus to trigger.
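The detection modes of module 04 and their combination, together with the per-version result that claim 5 asks for, as an added example that is not code from the patent. The run-record layout, the critical file and registry lists, the key-function parameter checks, the shellcode heuristic and the sample records are all constructed for this illustration; a real module would fill the records from the virtual machine monitor.

```python
"""Rule-based analysis of virtual machine instance run records along the
lines of virus detection module 04: each detection mode is one rule, the
rules combine, and the per-instance results yield the operating system
and application version the sample needs in order to trigger.

Constructed example, not code from the patent: record layout, critical
paths, key-function checks, shellcode heuristic and sample records are
all assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed lists of critical system files and critical registry entries.
CRITICAL_FILES = {r"c:\windows\system32\drivers\etc\hosts"}
CRITICAL_REG_KEYS = {r"hklm\software\microsoft\windows\currentversion\run"}

# Key functions and a constructed legality test for their parameters:
# asking for memory that is both writable and executable is treated as illegal.
KEY_FUNCTION_CHECKS: Dict[str, Callable[[dict], bool]] = {
    "VirtualProtect": lambda a: a.get("protect") != "PAGE_EXECUTE_READWRITE",
    "VirtualAlloc": lambda a: a.get("protect") != "PAGE_EXECUTE_READWRITE",
}


def looks_like_shellcode(region: bytes) -> bool:
    """Minimal heuristic standing in for the module's shellcode scan:
    a long NOP sled or a call-next-instruction (E8 00 00 00 00) stub."""
    return b"\x90" * 16 in region or b"\xe8\x00\x00\x00\x00" in region


@dataclass
class RunRecord:
    instance: str                  # e.g. "word2003"
    os_name: str                   # operating system of the base image
    memory_overflow: bool = False  # reported by the memory taint analysis
    regions: Dict[str, bytes] = field(default_factory=dict)  # address -> bytes
    file_writes: List[str] = field(default_factory=list)
    registry_writes: List[str] = field(default_factory=list)
    api_calls: List[Tuple[str, dict]] = field(default_factory=list)


def analyze_instance(rec: RunRecord) -> List[str]:
    """Apply the detection modes independently, then the association rule."""
    findings = []
    hits = [addr for addr, mem in rec.regions.items() if looks_like_shellcode(mem)]
    for addr in hits:
        findings.append(f"shellcode in memory region {addr}")
    if rec.memory_overflow:
        findings.append("memory overflow")
        # Association: an overflow plus shellcode in the suspicious region is a
        # stronger signal than either feature on its own.
        if hits:
            findings.append("memory overflow followed by shellcode execution")
    for path in rec.file_writes:
        if path.lower() in CRITICAL_FILES:
            findings.append(f"modified critical system file {path}")
    for key in rec.registry_writes:
        if key.lower() in CRITICAL_REG_KEYS:
            findings.append(f"modified critical registry entry {key}")
    for func, args in rec.api_calls:
        check = KEY_FUNCTION_CHECKS.get(func)
        if check is not None and not check(args):
            findings.append(f"illegal parameter in key function {func}")
    return findings


def analyze_sample(records: List[RunRecord]) -> dict:
    """Combine the per-version results: the sample contains a virus if any
    instance shows malicious behavior, and the instances that did tell which
    operating system and application version the virus requires."""
    per_instance = {r.instance: analyze_instance(r) for r in records}
    triggered = [r for r in records if per_instance[r.instance]]
    return {
        "virus": bool(triggered),
        "behaviors": {k: v for k, v in per_instance.items() if v},
        "required_os": sorted({r.os_name for r in triggered}),
        "required_versions": [r.instance for r in triggered],
    }


# Constructed records for one word document opened in three instances.
SAMPLE_RECORDS = [
    RunRecord("word2003", "windows-XP", memory_overflow=True,
              regions={"0x00a40000": b"\x90" * 32 + b"\xe8\x00\x00\x00\x00\x5b"},
              registry_writes=[r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"],
              api_calls=[("VirtualAlloc", {"protect": "PAGE_EXECUTE_READWRITE"})]),
    RunRecord("word2007", "windows-XP", regions={"0x00a40000": b"\x00" * 64}),
    RunRecord("word2013", "windows-XP"),
]
```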
Using virtual machine incremental snapshot technology for virus detection, the embodiment of the present invention can achieve the following beneficial effects:
(1) Low miss rate: using incremental snapshots of various software versions, the running condition of a suspicious file under each software version can be analyzed, so the miss rate for viruses that depend on a particular version is low;
(2) Low storage usage: an incremental snapshot is much smaller than a virtual machine system image file, and because multiple versions coexist in the form of incremental snapshots instead of different software versions being installed in the same virtual machine, the software versions do not interfere with one another, and storage space is saved;
(3) Good expandability: if a new application software or system patch needs to be added, it is only necessary to install the new application software or system patch on the basis of the original virtual machine system image, make an incremental snapshot, and add it to the virtual machine snapshot library. Because the expansion to a new software version can be realized quickly, this is beneficial to the detection of viruses such as 0day attacks.
Fig. 4 is a schematic functional block diagram of a second embodiment of the virus detection device of the present invention. The difference between the embodiment of the present invention and the embodiment described in Fig. 3 is that in the embodiment of the present invention, the virus detection device first configures the virtual machine system image files and the incremental snapshots of the corresponding application versions before detecting a virus sample, in preparation for the subsequent detection of virus samples.
Based on the description of the embodiment in Fig. 3, as shown in Fig. 4, the virus detection device of the present invention also includes:
Incremental snapshot configuration module 05, for configuring the virtual machine system image file corresponding to each operating system respectively, generating a virtual machine instance from the configured virtual machine system image file using the virtual machine software, installing application programs of preset versions on the virtual machine instance corresponding to the virtual machine system image file, and generating and storing incremental snapshots.
The embodiment of the present invention only describes incremental snapshot configuration module 05; for the other modules of the virus detection device of the present invention, refer to the specific descriptions of the related embodiments, which are not repeated here.
As shown in Fig. 4, in the embodiment of the present invention, incremental snapshot configuration module 05 first configures the virtual machine system image file corresponding to each operating system, for example configuring the virtual machine system image file corresponding to the Windows XP operating system as windows-XP.qcow2, the virtual machine system image file corresponding to the Windows 7 operating system as windows-7.qcow2, and so on. Each virtual machine system image file configured by incremental snapshot configuration module 05 is a clean virtual machine system image file, that is, the operating system corresponding to the virtual machine system image file contains no third-party application program other than the application programs necessary for the system to run. After configuring a virtual machine system image file, incremental snapshot configuration module 05 starts the virtual machine system image file, generates a virtual machine instance using the virtual machine software, installs the corresponding application programs and the different versions of each application program on the virtual machine instance corresponding to the started virtual machine system image file, generates the incremental snapshots of the application versions corresponding to that virtual machine system image file and stores them, forming a corresponding virtual machine system image file library and incremental snapshot library. During virus detection, the virtual machine image and incremental snapshot calling module 02 calls the corresponding virtual machine system image file and/or incremental snapshot according to the file to be detected and its file type.
The implementation process of the embodiment of the present invention is described by taking as an example incremental snapshot configuration module 05 generating incremental snapshots of Adobe Reader versions on a Windows XP system.
Incremental snapshot configuration module 05 configures a clean operating system virtual machine system image file windows-XP.qcow2. After configuration is complete, incremental snapshot configuration module 05 starts the virtual machine system image file and, based on the running environment provided by the started virtual machine system image file, installs Adobe Reader 8.0 in that running environment; at the same time incremental snapshot configuration module 05 generates the incremental snapshot corresponding to Adobe Reader 8.0 for the virtual machine. During the generation of this incremental snapshot, the virtual machine system image file configured by incremental snapshot configuration module 05 does not change at all. Incremental snapshot configuration module 05 stores the generated incremental snapshot as adobe-reader-8.qcow2. In the same way, incremental snapshot configuration module 05 installs Adobe Reader 9.0, generates the incremental snapshot corresponding to Adobe Reader 9.0, and stores the generated incremental snapshot as adobe-reader-9.qcow2.
The virtual machine system image files and the incremental snapshots of the corresponding application versions configured by the embodiment of the present invention provide a callable virtual machine system image file database and incremental snapshot database for the subsequent detection of files to be detected by the system.
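The copy-on-write behaviour that both the definition of an incremental snapshot above and the Adobe Reader configuration procedure rely on (installs are written only to the snapshot, the base image stays unchanged, several snapshots share one base, and a patch stage can itself be snapshotted), as an added example that is not code from the patent. It is a model of qcow2 backing-chain semantics over dict clusters, not a qcow2 parser; the image named windows-XP-sp3.qcow2 and the cluster ranges are constructed.

```python
"""Copy-on-write model of a qcow2 backing chain, showing what the
incremental snapshot configuration module relies on: installing an
application writes only to the overlay, the base image never changes,
and several overlays (Adobe Reader 8.0 and 9.0 here) share one base.

Constructed example, not the patent's code and not qcow2 parsing:
clusters are dict entries, "installing" a program writes a few of them,
and windows-XP-sp3.qcow2 is an invented patch-stage snapshot."""
import hashlib
from typing import Dict, List, Optional


class Image:
    """A disk image made of clusters; reads fall through to the backing image."""

    def __init__(self, name: str, backing: Optional["Image"] = None):
        self.name = name
        self.backing = backing
        self.clusters: Dict[int, bytes] = {}  # clusters stored in THIS file only

    def read(self, cluster: int) -> bytes:
        img = self
        while img is not None:
            if cluster in img.clusters:
                return img.clusters[cluster]
            img = img.backing
        return b""  # unallocated anywhere in the chain

    def write(self, cluster: int, data: bytes) -> None:
        self.clusters[cluster] = data  # copy-on-write: the backing file is untouched

    def fingerprint(self) -> str:
        """Hash of this file's own clusters, used to verify the base stays unchanged."""
        h = hashlib.sha256()
        for c in sorted(self.clusters):
            h.update(c.to_bytes(8, "little") + self.clusters[c])
        return h.hexdigest()

    def chain(self) -> List[str]:
        return [self.name] + (self.backing.chain() if self.backing else [])


def make_incremental_snapshot(base: Image, name: str) -> Image:
    """New empty overlay whose backing file is `base`; with qemu-img this is
    `qemu-img create -f qcow2 -b BASE -F qcow2 NAME`."""
    return Image(name, backing=base)


def install(img: Image, program: str, clusters: range) -> None:
    """Model installing `program` by writing its files into the given clusters."""
    for c in clusters:
        img.write(c, f"{program}:cluster{c}".encode())


def build_reader_library() -> dict:
    """Run the configuration procedure: clean Windows XP base, then one
    incremental snapshot each for Adobe Reader 8.0 and 9.0, plus a patch
    stage snapshot; return the checks a configuration module would make."""
    base = Image("windows-XP.qcow2")
    install(base, "windows-xp", range(0, 100))  # the clean operating system
    before = base.fingerprint()

    r8 = make_incremental_snapshot(base, "adobe-reader-8.qcow2")
    install(r8, "adobe-reader-8.0", range(100, 110))
    r9 = make_incremental_snapshot(base, "adobe-reader-9.qcow2")
    install(r9, "adobe-reader-9.0", range(100, 112))
    # A system patch is another point-in-time overlay; it replaces OS clusters
    # in the overlay, so the base still serves the unpatched files to r8/r9.
    sp3 = make_incremental_snapshot(base, "windows-XP-sp3.qcow2")
    install(sp3, "sp3", range(50, 55))

    return {
        "base_unchanged": base.fingerprint() == before,
        "base_clusters": len(base.clusters),
        "snapshot_clusters": {r8.name: len(r8.clusters), r9.name: len(r9.clusters)},
        "chains": {r8.name: r8.chain(), r9.name: r9.chain()},
        "r8_sees_os": r8.read(5) == base.read(5),          # falls through to base
        "independent": r8.read(100) != r9.read(100) and base.read(100) == b"",
        "r8_sees_r9": r8.read(111) != b"",                   # sibling overlays are isolated
        "patch_overrides": sp3.read(50) != base.read(50) and r8.read(50) == base.read(50),
    }
```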
It should be noted that herein the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to that process, method, article or device. In the absence of further restrictions, an element defined by the sentence "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
The serial numbers of the embodiments of the present invention are for description only and do not represent the relative merits of the embodiments.
Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be realized by software plus a necessary general hardware platform, and of course also by hardware, but in many cases the former is the better embodiment. Based on this understanding, the technical solution of the present invention, or in other words the part of it that contributes to the prior art, can be embodied in the form of a software product; this computer software product is stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and includes instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a network device or the like) to execute the methods described in the embodiments of the present invention.
The foregoing are only preferred embodiments of the present invention and do not limit its scope of claims; every equivalent structure or equivalent process transformation made using the content of the description and drawings of the present invention, whether used directly or indirectly in other related technical fields, is included within the scope of protection of the present invention.

Claims (10)

1. A virus detection method, characterized in that it comprises the following steps:
identifying the file type of a file to be detected;
according to the file type, calling the virtual machine system image file corresponding to the file type and/or the incremental snapshot of the application version corresponding to the file to be detected;
loading the virtual machine system image file and/or incremental snapshot using virtual machine software to generate a virtual machine instance, and running the file to be detected on the virtual machine instance;
detecting the running status of the virtual machine instance, and analyzing whether the file to be detected contains a virus.
2. The method of claim 1, characterized in that the incremental snapshot of the application version includes the incremental snapshot corresponding to at least one version of the application program.
3. The method of claim 1, characterized in that loading the virtual machine system image file and incremental snapshot using virtual machine software to generate a virtual machine instance, and running the file to be detected in the virtual machine instance, includes:
running the called virtual machine system image file on the virtual machine software;
based on the running virtual machine system image file, loading the incremental snapshot to generate a virtual machine instance containing the application version mapped by the incremental snapshot;
using the virtual machine instance, opening the file to be detected.
4. The method of claim 1, characterized in that, before identifying the file type of the file to be detected, it further includes:
configuring the virtual machine system image file corresponding to each operating system respectively, generating a virtual machine instance from the configured virtual machine system image file using virtual machine software, installing an application program of a preset version on the virtual machine instance corresponding to the virtual machine system image file, and generating and storing an incremental snapshot.
5. The method of any one of claims 1-4, characterized in that analyzing whether the file to be detected contains a virus includes:
analyzing the malicious behavior of the virus contained in the file to be detected, and the operating system required for the virus to trigger and/or the application version required for the virus to trigger.
6. A virus detection device, characterized in that it includes:
a type identification module, for identifying the file type of a file to be detected;
a virtual machine image and incremental snapshot calling module, for calling, according to the file type, the virtual machine system image file corresponding to the file type and/or the incremental snapshot of the application version corresponding to the file to be detected;
a virtual operation module, for loading the virtual machine system image file and/or incremental snapshot using virtual machine software to generate a virtual machine instance, and running the file to be detected on the virtual machine instance;
a virus detection module, for detecting the running status of the virtual machine instance and analyzing whether the file to be detected contains a virus.
7. The device of claim 6, characterized in that the incremental snapshot of the application version includes the incremental snapshot corresponding to at least one version of the application program.
8. The device of claim 6, characterized in that the virtual operation module is further configured to:
run the called virtual machine system image file on the virtual machine software;
based on the running virtual machine system image file, load the incremental snapshot to generate a virtual machine instance containing the application version mapped by the incremental snapshot;
using the virtual machine instance, open the file to be detected.
9. The device of claim 6, characterized in that it further includes:
an incremental snapshot configuration module, for configuring the virtual machine system image file corresponding to each operating system respectively, generating a virtual machine instance from the configured virtual machine system image file using virtual machine software, installing an application program of a preset version on the virtual machine instance corresponding to the virtual machine system image file, and generating and storing an incremental snapshot.
10. The device of any one of claims 6-9, characterized in that the virus detection module is further configured to:
analyze the malicious behavior of the virus contained in the file to be detected, and the operating system required for the virus to trigger and/or the application version required for the virus to trigger.
CN201410012797.7A 2014-01-10 2014-01-10 Virus detection method and device Active CN103778373B (en)


Publications (2)

Publication Number Publication Date
CN103778373A CN103778373A (en) 2014-05-07
CN103778373B true CN103778373B (en) 2017-02-08

Family

ID=50570597






Legal Events

Code Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
Address after: Nanshan District Xueyuan Road in Shenzhen city of Guangdong province 518000 No. 1001 Nanshan Chi Park building A1 layer
Patentee after: SINFOR Polytron Technologies Inc
Address before: 518052 room 410-413, science and technology innovation service center, No. 1 Qilin Road, Shenzhen, Guangdong, China
Patentee before: Shenxinfu Electronics Science and Technology Co., Ltd., Shenzhen