CN103778373B - Virus detection method and device - Google Patents
- Publication number
- CN103778373B (application number CN201410012797.7A)
- Authority
- CN
- China
- Prior art keywords
- file
- virtual machine
- detected
- incremental snapshot
- image file
- Prior art date
- Legal status
- Active
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The invention discloses a virus detection method and device. The method comprises: identifying the file type of a file to be detected; calling the virtual machine system image file corresponding to that file type and/or the incremental snapshot of the application program version corresponding to the file to be detected; loading the virtual machine system image file and/or the incremental snapshot with virtual machine software to generate a virtual machine instance, and running the file to be detected on that instance; and detecting the running state of the virtual machine instance to analyze whether the file to be detected contains a virus. The method and device can perform virus detection for multiple application program versions on the same virtual machine system image file.
Description
Technical field
The present invention relates to the field of computers, in particular to virtualization technology, and more particularly to a virus detection method and device.
Background technology
With the continuous development of computer technology, viruses are no longer confined to executable files in exe format; they may also be present in documents in formats such as html (Hypertext Markup Language), pdf (Portable Document Format) and swf (Shockwave Flash, the file format of the animation software). Because virus forms are complex and have certain dynamic characteristics, virus detection has gradually moved from traditional signature (feature code) technology to virtual execution technology.
Because the triggering of a virus depends on a specific software version (for example, some viruses only act on the Internet Explorer 6 browser or on a specific version of Adobe Reader, the pdf reader, and no longer trigger once that version is patched or updated), and because no assumption can be made about the client's operating system version and software version, analyzing a virus's behaviour under different software versions usually requires installing different versions of application software, such as browsers and Adobe Reader, in the virtual machine. This detection approach has the following problems: different versions of the same software may not be able to coexist, and a large number of different software versions are likely to interfere with each other.
Content of the invention
In view of this, it is necessary to provide a virus detection method and device that solve the problem that the same virtual machine cannot perform virus detection for different versions of application software.
An embodiment of the invention discloses a virus detection method comprising the following steps:
identifying the file type of a file to be detected;
according to the file type, calling the virtual machine system image file corresponding to the file type and/or the incremental snapshot of the application program version corresponding to the file to be detected;
loading the virtual machine system image file and/or the incremental snapshot with virtual machine software to generate a virtual machine instance, and running the file to be detected on the virtual machine instance;
detecting the running state of the virtual machine instance, and analyzing whether the file to be detected contains a virus.
Preferably, the incremental snapshot of the application program version includes the incremental snapshot corresponding to at least one version of the application program.
Preferably, loading the virtual machine system image file and the incremental snapshot with virtual machine software to generate a virtual machine instance, and running the file to be detected on the virtual machine instance, includes:
running the called virtual machine system image file on the virtual machine software;
on the basis of the running virtual machine system image file, loading the incremental snapshot to generate a virtual machine instance that contains the application program version mapped by the incremental snapshot;
opening the file to be detected with the virtual machine instance.
Preferably, before identifying the file type of the file to be detected, the method further includes:
configuring the virtual machine system image file corresponding to each operating system; generating a virtual machine instance from the configured virtual machine system image file with virtual machine software; installing the application program of a preset version on the virtual machine instance corresponding to the virtual machine system image file; and generating and storing an incremental snapshot.
Preferably, analyzing whether the file to be detected contains a virus includes:
analyzing the malicious behaviour of the virus contained in the file to be detected, and the operating system and/or the application program version required for the virus to trigger.
An embodiment of the invention also discloses a virus detection device, comprising:
a type identification module for identifying the file type of a file to be detected;
a virtual machine image and incremental snapshot calling module for calling, according to the file type, the virtual machine system image file corresponding to the file type and/or the incremental snapshot of the application program version corresponding to the file to be detected;
a virtual running module for loading the virtual machine system image file and/or the incremental snapshot with virtual machine software to generate a virtual machine instance, and running the file to be detected on the virtual machine instance;
a virus detection module for detecting the running state of the virtual machine instance and analyzing whether the file to be detected contains a virus.
Preferably, the incremental snapshot of the application program version includes the incremental snapshot corresponding to at least one version of the application program.
Preferably, the virtual running module is further used to:
run the called virtual machine system image file on the virtual machine software;
on the basis of the running virtual machine system image file, load the incremental snapshot to generate a virtual machine instance that contains the application program version mapped by the incremental snapshot;
open the file to be detected with the virtual machine instance.
Preferably, the virus detection device further includes:
an incremental snapshot configuration module for configuring the virtual machine system image file corresponding to each operating system, generating a virtual machine instance from the configured virtual machine system image file with virtual machine software, installing the application program of a preset version on the virtual machine instance corresponding to the virtual machine system image file, and generating and storing an incremental snapshot.
Preferably, the virus detection module is further used to:
analyze the malicious behaviour of the virus contained in the file to be detected, and the operating system and/or the application program version required for the virus to trigger.
The embodiment of the invention identifies the file type of the file to be detected; according to the file type, calls the virtual machine system image file corresponding to the file type and, at the same time, the incremental snapshot of the application program version corresponding to the file to be detected; loads the virtual machine system image file and/or the incremental snapshot with virtual machine software to generate a virtual machine instance, and runs the file to be detected on that instance; and detects the running state of the virtual machine instance to analyze whether the file to be detected contains a virus. Compared with the prior-art method of installing application software of different versions in a virtual machine to perform virus detection on a file, the embodiment has the beneficial effect that virus detection can be performed for multiple application program versions on the same virtual machine system image file. Further, because incremental snapshots of different application program versions can be configured for the same virtual machine, disk storage space is reduced, storage cost is saved, and the scalability of the detection system is improved.
Brief description
Fig. 1 is a schematic flow chart of a first embodiment of the virus detection method of the present invention;
Fig. 2 is a schematic flow chart of a second embodiment of the virus detection method of the present invention;
Fig. 3 is a schematic functional block diagram of a first embodiment of the virus detection device of the present invention;
Fig. 4 is a schematic functional block diagram of a second embodiment of the virus detection device of the present invention.
The realization of the purpose, functional characteristics and advantages of the present invention will be further described with reference to the drawings and in conjunction with the embodiments.
Specific embodiment
The technical solution is further described below in conjunction with the drawings of the description and specific embodiments. It should be understood that the specific embodiments described here are only intended to explain the present invention and not to limit it.
Fig. 1 is a schematic flow chart of a first embodiment of the virus detection method of the present invention. As shown in Fig. 1, the virus detection method comprises the following steps:
Step S01: identifying the file type of the file to be detected.
When the system receives a file to be detected submitted by a user, or the system itself fetches data that needs to be checked for viruses, the system identifies the file type of the file to be detected; for example, whether the file is an exe file, a pdf file, or another file type.
Step S02: according to the file type, calling the virtual machine system image file corresponding to the file type and/or the incremental snapshot of the application program version corresponding to the file to be detected.
According to the identified file type of the file to be detected, the system calls from a database the stored virtual machine system image file corresponding to that file type. In the embodiment of the invention, a virtual machine system image file can be understood as a persistent image file that stores the complete virtual machine state (including disk, memory and similar information). A virtual machine system image file usually occupies a large amount of storage space; for example, a Windows XP system image file typically occupies several GB.
For example, if the system identifies the file to be detected as an exe file, it analyzes whether the running environment of the exe file is 32-bit or 64-bit and calls the virtual machine system image file corresponding to that running environment. When the identified file type is an exe file or a file corresponding to another kind of executable program, the file does not need another third-party application program in order to execute, so the system need not obtain an incremental snapshot of an application program version for it: the system obtains only the virtual machine system image file corresponding to the file type, and the operating system provided by that image file can execute the file to be detected.
When the system identifies the file to be detected as a file that can only be executed by some other or third-party application program, the system, while obtaining the virtual machine system image file corresponding to the file type, also calls the incremental snapshot of the application program version for the file to be detected.
In the embodiment of the invention, such other or third-party application programs include but are not limited to readers, browsers, document editors and similar application programs.
In the embodiment of the invention, the incremental snapshot of an application program version can be understood as follows: all modifications made on top of a single virtual machine system image file are written into an incremental snapshot file, without affecting the original virtual machine system image file; and incremental snapshots of multiple points in time can be created on the basis of the same virtual machine system image file, for example when installing multiple system patches, an incremental snapshot can be made for recovery at each stage. Under normal circumstances an incremental snapshot file is far smaller than a virtual machine system image file: for example, the snapshot files of the virtual machine software QEMU are normally about 10MB~40MB, while the storage space occupied by a virtual machine system image file can reach several GB. The embodiment of the invention therefore also greatly saves storage space by using incremental snapshots.
In a preferred embodiment of the invention, according to the file type of the file to be detected and the actual detection needs, the incremental snapshots of the application program versions corresponding to the file to be detected that the system can call at one time include: the incremental snapshot corresponding to at least one version of the application program, and/or the incremental snapshots corresponding to all commonly used versions of at least one application program. For example, for a pdf document, the system calls the incremental snapshots corresponding to the readers Adobe Reader 8.0 and Adobe Reader 9.0 respectively; for a Word document, the system can call the incremental snapshots corresponding to application programs such as word2003, word2007, word2013, WPS2003, WPS2007, WPS2010 and WPS2013.
Step S03: loading the virtual machine system image file and/or the incremental snapshot with virtual machine software to generate a virtual machine instance, and running the file to be detected on the virtual machine instance.
When, according to the file type of the file to be detected (for example an exe executable file), the system has called only the virtual machine system image file corresponding to that file type, the system virtually executes the file to be detected on the virtual machine, using the operating system provided by the called image file. In the embodiment of the invention, virtual execution can be understood as detecting the behaviour of code by simulating the execution environment of the code.
When, according to the file type of the file to be detected, the system has called both the virtual machine system image file corresponding to that file type and the incremental snapshot of the application program version corresponding to the file, the system loads the virtual machine system image file and the incremental snapshot on the virtual machine software, generates a virtual machine instance that contains the application program version corresponding to the incremental snapshot, and opens the file to be detected with that instance.
The virtual machine system image and incremental snapshot formats in the embodiment of the invention are described using the file format qcow2 of the virtual machine software QEMU as an example; the virus detection method and device of the embodiment do not limit the virtual machine software or the specific format of the virtual machine system image and incremental snapshot.
For example, when the file to be detected is a Word document, the system, according to the file type, calls the virtual machine system image file windows-XP.qcow2 and at the same time calls the incremental snapshots word2003.qcow2, word2007.qcow2 and word2013.qcow2 of the application program versions corresponding to the Word document. On the basis of the operating system Windows XP corresponding to the called windows-XP.qcow2, the system starts the incremental snapshots word2003.qcow2, word2007.qcow2 and word2013.qcow2 and generates the virtual machine instances containing the application program versions mapped by those snapshots, that is, the three virtual machine instances word2003, word2007 and word2013. Using these three virtual machine instances, the system opens the suspicious Word document to be detected.
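As an added example that is not part of the patent, the following Python models steps S01 to S03 for the three file types the description uses: it identifies the file type from the file's leading bytes (the MZ/PE header for executables, including the 32-bit or 64-bit check, %PDF- for pdf, and the OLE2 compound-file signature for a Word .doc), looks up the base image and the application-version overlay snapshots in a small catalogue built from the image names the description mentions, and produces one launch entry per virtual machine instance. The catalogue contents (including the assumption that 64-bit executables go to a windows-7.qcow2 image), the constructed sample headers, and the qemu-system invocation (one QEMU process per overlay, started with -snapshot so the stored images are not written to) are assumptions of this example, not details taken from the patent.

```python
"""Steps S01-S03 modelled in Python (added example; not the patent's code).
Identify the file type, choose the base image and the application-version
overlay snapshots, and build one launch entry per virtual machine instance."""
import struct
from dataclasses import dataclass

# Constructed catalogue using the image names the description mentions.
# A Word document gets three overlays, one per Word version; a native
# executable runs on the bare operating system image and needs no overlay.
BASE_IMAGES = {
    "exe32": "windows-XP.qcow2",
    "exe64": "windows-7.qcow2",   # assumption: 64-bit executables use the Windows 7 image
    "pdf": "windows-XP.qcow2",
    "doc": "windows-XP.qcow2",
}
APP_SNAPSHOTS = {
    "pdf": ["adobe-reader-8.qcow2", "adobe-reader-9.qcow2"],
    "doc": ["word2003.qcow2", "word2007.qcow2", "word2013.qcow2"],
}
NATIVE_TYPES = {"exe32", "exe64"}

IMAGE_FILE_MACHINE_I386 = 0x014C   # PE Machine field values
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def identify(data: bytes) -> str:
    """Step S01: classify a file from its signature bytes."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):  # OLE2 compound file (.doc)
        return "doc"
    if data.startswith(b"MZ") and len(data) >= 0x40:
        # e_lfanew at offset 0x3C points to the PE header; Machine follows "PE\0\0".
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if len(data) >= e_lfanew + 6 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
            if machine == IMAGE_FILE_MACHINE_I386:
                return "exe32"
            if machine == IMAGE_FILE_MACHINE_AMD64:
                return "exe64"
    return "unknown"


@dataclass
class Plan:
    file_type: str
    base_image: str
    instances: list  # [(instance name, overlay snapshot or None), ...]


def plan_for(data: bytes) -> Plan:
    """Step S02: pick the base image and, for document types, every overlay to test."""
    ftype = identify(data)
    if ftype == "unknown":
        raise ValueError("no virtual machine image configured for this file type")
    base = BASE_IMAGES[ftype]
    if ftype in NATIVE_TYPES:
        return Plan(ftype, base, [(base.rsplit(".", 1)[0], None)])
    return Plan(ftype, base, [(snap.rsplit(".", 1)[0], snap) for snap in APP_SNAPSHOTS[ftype]])


def launch_commands(plan: Plan) -> list:
    """Step S03: one QEMU process per instance (assumed invocation). An overlay's
    backing file is the base image, so booting the overlay boots the base plus
    the installed application version; -snapshot keeps the run from writing to it."""
    cmds = []
    for name, overlay in plan.instances:
        disk = overlay or plan.base_image
        cmds.append(f"qemu-system-x86_64 -snapshot -drive file={disk},format=qcow2 -name {name}")
    return cmds


def make_pe(machine: int) -> bytes:
    """Constructed minimal MZ/PE header, enough for identify() to read the Machine field."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x44, machine)
    return bytes(hdr)


SAMPLE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 64   # constructed .doc header
SAMPLE_PDF = b"%PDF-1.4\n%constructed sample\n"                   # constructed pdf header

if __name__ == "__main__":
    for sample in (make_pe(IMAGE_FILE_MACHINE_I386), SAMPLE_PDF, SAMPLE_DOC):
        plan = plan_for(sample)
        print(plan.file_type, plan.base_image)
        for cmd in launch_commands(plan):
            print("  ", cmd)
```

The plan for a .doc yields three instances, one per overlay, which is exactly the three word2003, word2007 and word2013 instances the description walks through; a 32-bit executable yields a single instance on windows-XP.qcow2 with no overlay.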
Step S04: detecting the running state of the virtual machine instance, and analyzing whether the file to be detected contains a virus.
The system detects the running state of the virtual machine instance and, from that running state, analyzes whether the file to be detected contains a virus. For example, the system scans the memory space of the processes running in the virtual machine for shellcode (overflow code); if such shellcode exists, the file to be detected is identified as containing a virus. Or: the system detects whether a memory overflow occurs in the virtual machine; if so, the file is identified as containing a virus. Or: the system detects whether there is behaviour in the virtual machine that modifies critical system files or critical registry entries; if so, the file is identified as containing a virus. Or: the system detects whether the parameters of key functions called in the virtual machine are legal; if the parameters of a called key function are illegal, the file is identified as containing a virus; and other detection methods. The above detection methods can be used independently or in combination. The system can also correlate the various features that appear while the virtual machine is running; for example, after a memory overflow problem has been detected with memory taint analysis technology, the system further scans the suspicious memory region for shellcode (overflow code), thus performing correlated analysis. Of course, the analysis of whether the file to be detected contains a virus is not limited to the analysis methods listed above, and the embodiment of the invention does not enumerate them one by one.
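As an added example, not from the patent, the following Python applies the four indicators listed in step S04 to a constructed record of one virtual machine instance's running state: a scan of non-image memory regions for a shellcode pattern, an access-violation exception whose instruction pointer lies outside any loaded module (taken here as the memory overflow indicator), writes to critical system files or registry keys, and a key API call with an illegal parameter (here, VirtualProtect requesting execute permission on a stack or heap region). It also shows the correlation the description mentions: when the overflow indicator fires, the region that faulted is scanned for shellcode. The event format, the critical-path lists, the shellcode heuristic and the sample records are all constructed for this example; a real monitoring layer would feed the same analysis.

```python
"""Step S04 modelled in Python (added example; not the patent's code).
Decide from a virtual machine instance's running state whether the file
under test contains a virus, using the indicators the description lists."""
from dataclasses import dataclass

PAGE_EXECUTE_READWRITE = 0x40          # Win32 memory protection constant
STATUS_ACCESS_VIOLATION = 0xC0000005   # NT exception code

# Constructed lists of critical paths; compared in lowercase.
CRITICAL_FILES = {r"c:\windows\system32\drivers\etc\hosts", r"c:\windows\system32\ntoskrnl.exe"}
CRITICAL_REG_KEYS = {r"hklm\software\microsoft\windows\currentversion\run",
                     r"hklm\system\currentcontrolset\services"}


@dataclass
class Region:
    """A process memory region as reported by the monitor (constructed format)."""
    start: int
    size: int
    kind: str            # "image", "stack", "heap", ...
    data: bytes = b""

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.start + self.size


@dataclass
class Event:
    """One monitor event: kind plus kind-specific fields (constructed format)."""
    kind: str            # "exception", "api", "file_write", "reg_set"
    args: dict


def region_of(regions, addr):
    return next((r for r in regions if r.contains(addr)), None)


def looks_like_shellcode(data: bytes) -> bool:
    # Crude indicator for the example: a long NOP sled or a self-jump (EB FE) in the region.
    return b"\x90" * 32 in data or b"\xeb\xfe" in data


def check_shellcode(regions):
    return [f"shellcode pattern in {r.kind} region {r.start:#x}"
            for r in regions if r.kind != "image" and looks_like_shellcode(r.data)]


def check_overflow(events, regions):
    findings = []
    for e in events:
        if e.kind == "exception" and e.args["code"] == STATUS_ACCESS_VIOLATION:
            ip = e.args["ip"]
            owner = region_of(regions, ip)
            if owner is None or owner.kind != "image":
                findings.append(f"execution fault at {ip:#x} outside any loaded image")
                # Correlated analysis: scan the suspicious region for shellcode.
                if owner is not None and looks_like_shellcode(owner.data):
                    findings.append(f"correlated: shellcode in faulting {owner.kind} region {owner.start:#x}")
    return findings


def check_critical_changes(events):
    findings = []
    for e in events:
        if e.kind == "file_write" and e.args["path"].lower() in CRITICAL_FILES:
            findings.append(f"critical file modified: {e.args['path']}")
        if e.kind == "reg_set" and e.args["key"].lower() in CRITICAL_REG_KEYS:
            findings.append(f"critical registry key modified: {e.args['key']}")
    return findings


def check_api_params(events, regions):
    findings = []
    for e in events:
        if (e.kind == "api" and e.args["name"] == "VirtualProtect"
                and e.args["protect"] == PAGE_EXECUTE_READWRITE):
            target = region_of(regions, e.args["addr"])
            if target is not None and target.kind in ("stack", "heap"):
                findings.append(f"illegal parameter: VirtualProtect(RWX) on {target.kind} at {e.args['addr']:#x}")
    return findings


def analyze(events, regions):
    """Combine the indicators; any finding marks the file as containing a virus."""
    return (check_shellcode(regions) + check_overflow(events, regions)
            + check_critical_changes(events) + check_api_params(events, regions))


def contains_virus(events, regions) -> bool:
    return bool(analyze(events, regions))


# Constructed sample: a document viewer process after opening a malicious sample.
SUSPICIOUS_REGIONS = [Region(0x00400000, 0x00100000, "image"),
                      Region(0x0012F000, 0x00001000, "stack", b"\x90" * 40 + b"\xeb\xfe" + b"\0" * 100)]
SUSPICIOUS_EVENTS = [
    Event("api", {"name": "VirtualProtect", "addr": 0x0012F100, "protect": PAGE_EXECUTE_READWRITE}),
    Event("exception", {"code": STATUS_ACCESS_VIOLATION, "ip": 0x0012F120}),
    Event("reg_set", {"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"}),
]
# Constructed sample: the same viewer opening a clean document.
CLEAN_REGIONS = [Region(0x00400000, 0x00100000, "image"), Region(0x0012F000, 0x00001000, "stack", b"\0" * 64)]
CLEAN_EVENTS = [Event("api", {"name": "VirtualProtect", "addr": 0x00401000, "protect": PAGE_EXECUTE_READWRITE}),
                Event("file_write", {"path": r"C:\Users\lab\AppData\Local\Temp\cache.dat"})]

if __name__ == "__main__":
    for label, ev, rg in (("suspicious", SUSPICIOUS_EVENTS, SUSPICIOUS_REGIONS), ("clean", CLEAN_EVENTS, CLEAN_REGIONS)):
        print(label, "->", "virus" if contains_virus(ev, rg) else "no finding", analyze(ev, rg))
```

The clean record exercises the same checks without triggering them: VirtualProtect on an image region is a normal loader operation and a write under the user's temporary directory is not a critical file, so neither produces a finding.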
In a preferred embodiment of the invention, when the system analyzes the virus contained in the file to be detected, it can also obtain the malicious behaviour of the virus, and the operating system and/or the application program version required for the virus to trigger.
Performing virus detection with virtual machine incremental snapshot technology, the embodiment of the invention achieves the following beneficial effects:
(1) low miss (false negative) rate: using incremental snapshots of various software versions, the behaviour of a suspicious file can be analyzed under the various software versions, so the miss rate for viruses that depend on a particular version is low;
(2) small storage footprint: an incremental snapshot is much smaller than a virtual machine system image file, and because the coexistence of multiple versions is realized in the form of incremental snapshots, there is no interference between software versions, unlike installing different software versions in the same virtual machine, and storage space is saved;
(3) good scalability: when a new application software or system patch needs to be added, it is only necessary to install the new application software or system patch on the basis of the original virtual machine system image, make an incremental snapshot, and add it to the virtual machine snapshot library. Because extension to a new software version can be achieved quickly, this is beneficial to the detection of viruses such as 0day attacks.
Fig. 2 is a schematic flow chart of a second embodiment of the virus detection method of the present invention. The difference between this embodiment and the embodiment described in Fig. 1 is that in this embodiment the system, before detecting virus samples, first configures the virtual machine system image files and the incremental snapshots of the corresponding application program versions, in preparation for subsequent virus sample detection.
On the basis of the description of the embodiment in Fig. 1, as shown in Fig. 2, before step S01 of identifying the file type of the file to be detected, the virus detection method of the present invention further includes:
Step S10: configuring the virtual machine system image file corresponding to each operating system; generating a virtual machine instance from the configured virtual machine system image file with virtual machine software; installing the application program of a preset version on the virtual machine instance corresponding to the virtual machine system image file; and generating and storing an incremental snapshot.
This embodiment describes only step S10; for the other steps of the virus detection method of the present invention, refer to the detailed description of the related embodiments, which is not repeated here.
As shown in Fig. 2, in this embodiment the system first configures the virtual machine system image file corresponding to each operating system; for example, the virtual machine system image file configured for the Windows XP operating system is windows-XP.qcow2, and the one configured for the Windows 7 operating system is windows-7.qcow2. Each virtual machine system image file that the system configures for an operating system is a clean image: apart from the application programs necessary for the system to run, the operating system in the image contains no other third-party application program. After the virtual machine system image files are configured, the system starts a virtual machine system image file, generates a virtual machine instance with the virtual machine software, installs the corresponding application programs and the different versions of each application program on the virtual machine instance started from that image file, and generates and stores the incremental snapshots of the application program versions corresponding to that image file, forming the corresponding virtual machine system image file library and incremental snapshot library. During virus detection the system then calls the corresponding virtual machine system image file and/or incremental snapshot according to the file to be detected and its file type.
The implementation process of the embodiment is described below taking the generation of incremental snapshots of Adobe Reader versions on a Windows XP system as an example.
The system configures a clean operating system virtual machine system image file windows-XP.qcow2. After configuration it starts the image file and, in the running environment provided by the started image file, installs Adobe Reader 8.0 while generating the incremental snapshot corresponding to Adobe Reader 8.0 for the virtual machine; during generation of the incremental snapshot the configured virtual machine system image file does not change at all. The system stores the generated incremental snapshot as adobe-reader-8.qcow2. In the same way the system installs Adobe Reader 9.0, generates the incremental snapshot corresponding to Adobe Reader 9.0, and stores it as adobe-reader-9.qcow2.
By configuring the virtual machine system image files and the incremental snapshots of the corresponding application program versions, the embodiment provides a callable virtual machine system image file database and incremental snapshot database for the subsequent detection of files to be detected.
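As an added example, not the patent's code, the following Python performs the step S10 bookkeeping for the Adobe Reader case above with QEMU's qemu-img: each incremental snapshot is created as a qcow2 overlay whose backing file is the clean base image (qemu-img create -f qcow2 -F qcow2 -b base overlay), so the writes made while the application version is installed land in the overlay and the base stays unchanged, and every overlay is recorded in a catalogue keyed by application and version for the detection stage to call. Booting the overlay and installing the application inside it is outside this script. The library layout, the catalogue format, the base-image hash check and the placeholder base file are assumptions of this example; the class accepts an injectable command runner so it can be exercised as a dry run without qemu-img or a real image present.

```python
"""Step S10 modelled in Python (added example; not the patent's code).
Build the virtual machine image library and the incremental snapshot library
as qcow2 base images plus per-application-version overlays."""
import hashlib
import json
import subprocess
import tempfile
from pathlib import Path


def overlay_create_cmd(base: Path, overlay: Path) -> list:
    # qemu-img create -f qcow2 -F qcow2 -b <base> <overlay>: the new file starts
    # empty and records only blocks that differ from its backing file.
    return ["qemu-img", "create", "-f", "qcow2", "-F", "qcow2", "-b", str(base), str(overlay)]


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


class SnapshotLibrary:
    def __init__(self, root, runner=None):
        self.root = Path(root)
        self.runner = runner or (lambda cmd: subprocess.run(cmd, check=True))
        self.bases = {}      # os name -> {"image": path, "sha256": hash of the clean image}
        self.snapshots = {}  # app -> version -> {"overlay": path, "base": os name}

    def register_base(self, os_name: str, image: Path):
        """A clean operating system image; its hash is kept to prove later that it was not modified."""
        self.bases[os_name] = {"image": str(image), "sha256": sha256_of(image)}

    def add_app_snapshot(self, os_name: str, app: str, version: str, overlay_name: str) -> Path:
        """Create the overlay for one application version on top of a registered base."""
        if os_name not in self.bases:
            raise KeyError(f"{os_name} is not a registered base image")
        overlay = self.root / overlay_name
        if overlay.exists():
            raise FileExistsError(f"{overlay} already exists")
        self.runner(overlay_create_cmd(Path(self.bases[os_name]["image"]), overlay))
        # Next step, outside this script: boot the overlay, install the application
        # version, shut down. Those writes land in the overlay, not in the base.
        self.snapshots.setdefault(app, {})[version] = {"overlay": str(overlay), "base": os_name}
        return overlay

    def base_unchanged(self, os_name: str) -> bool:
        entry = self.bases[os_name]
        return sha256_of(Path(entry["image"])) == entry["sha256"]

    def catalogue(self) -> str:
        return json.dumps({"bases": self.bases, "snapshots": self.snapshots}, indent=2, sort_keys=True)


def build_example_library(root, runner=None) -> SnapshotLibrary:
    """The description's example: windows-XP.qcow2 plus Adobe Reader 8.0 and 9.0 overlays."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    base = root / "windows-XP.qcow2"
    if not base.exists():
        # Constructed stand-in so the bookkeeping can run; replace with the real clean image.
        base.write_bytes(b"QFI\xfb constructed placeholder, not a real image\n")
    lib = SnapshotLibrary(root, runner)
    lib.register_base("windows-xp", base)
    lib.add_app_snapshot("windows-xp", "adobe-reader", "8.0", "adobe-reader-8.qcow2")
    lib.add_app_snapshot("windows-xp", "adobe-reader", "9.0", "adobe-reader-9.qcow2")
    return lib


def dry_run(root=None):
    """Build the example library without invoking qemu-img; returns the commands that would run."""
    issued = []
    lib = build_example_library(root or tempfile.mkdtemp(), runner=issued.append)
    return issued, lib


if __name__ == "__main__":
    commands, lib = dry_run()
    for cmd in commands:
        print(" ".join(cmd))
    print(lib.catalogue())
    print("base unchanged:", lib.base_unchanged("windows-xp"))
```

Every overlay points at the registered base rather than at another overlay, which is what keeps the application versions from interfering with one another: adobe-reader-9.qcow2 never sees the files that Adobe Reader 8.0 installed.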
Fig. 3 is a schematic functional block diagram of a first embodiment of the virus detection device of the present invention. As shown in Fig. 3, the virus detection device comprises a type identification module 01, a virtual machine image and incremental snapshot calling module 02, a virtual running module 03 and a virus detection module 04.
Type identification module 01 is used to identify the file type of the file to be detected.
When the system receives a file to be detected submitted by a user, or the system itself fetches data that needs to be checked for viruses, type identification module 01 identifies the file type of the file to be detected; for example, whether the file is an exe file, a pdf file, or another file type.
Virtual machine image and incremental snapshot calling module 02 is used to call, according to the file type, the virtual machine system image file corresponding to the file type and/or the incremental snapshot of the application program version corresponding to the file to be detected.
According to the file type identified by type identification module 01, virtual machine image and incremental snapshot calling module 02 calls from a database the stored virtual machine system image file corresponding to that file type. In the embodiment of the invention, a virtual machine system image file can be understood as a persistent image file that stores the complete virtual machine state (including disk, memory and similar information); such a file usually occupies a large amount of storage space, for example a Windows XP system image file typically occupies several GB.
For example, if type identification module 01 identifies the file to be detected as an exe file, virtual machine image and incremental snapshot calling module 02 analyzes whether the running environment of the exe file is 32-bit or 64-bit and calls the virtual machine system image file corresponding to that running environment. When the file type identified by type identification module 01 is an exe file or a file corresponding to another kind of executable program, the file does not need another third-party application program in order to execute, so module 02 need not obtain an incremental snapshot of an application program version for it: module 02 obtains only the virtual machine system image file corresponding to the file type, and the operating system provided by that image file can execute the file to be detected.
When type identification module 01 identifies the file to be detected as a file that can only be executed by some other or third-party application program, module 02, while obtaining the virtual machine system image file corresponding to the file type, also calls the incremental snapshot of the application program version for the file to be detected.
In the embodiment of the invention, such other or third-party application programs include but are not limited to readers, browsers, document editors and similar application programs.
In the embodiment of the invention, the incremental snapshot of an application program version can be understood as follows: all modifications made on top of a single virtual machine system image file are written into an incremental snapshot file, without affecting the original virtual machine system image file; and incremental snapshots of multiple points in time can be created on the basis of the same virtual machine system image file, for example when installing multiple system patches, an incremental snapshot can be made for recovery at each stage. Under normal circumstances an incremental snapshot file is far smaller than a virtual machine system image file: for example, the snapshot files of the virtual machine software QEMU are normally about 10MB~40MB, while the storage space occupied by a virtual machine system image file can reach several GB. The embodiment of the invention therefore also greatly saves storage space by using incremental snapshots.
In a preferred embodiment of the invention, according to the file type of the file to be detected and the actual detection needs, the incremental snapshots of the application program versions corresponding to the file to be detected that virtual machine image and incremental snapshot calling module 02 can call at one time include: the incremental snapshot corresponding to at least one version of the application program, and/or the incremental snapshots corresponding to all commonly used versions of at least one application program. For example, for a pdf document, module 02 calls the incremental snapshots corresponding to the readers Adobe Reader 8.0 and Adobe Reader 9.0 respectively; for a Word document, module 02 can call the incremental snapshots corresponding to application programs such as word2003, word2007, word2013, WPS2003, WPS2007, WPS2010 and WPS2013.
Virtual operation module 03 is configured to load the virtual machine system image file and/or the incremental snapshot using the virtual machine software to generate a virtual machine instance, and to run the file to be detected in that virtual machine instance.
When, according to the file type of the file to be detected (for example an executable file such as .exe), the virtual machine image and incremental snapshot calling module 02 has called only the virtual machine system image file corresponding to that file type, virtual operation module 03 virtually executes the file to be detected in the virtual machine, on the operating system provided by the called virtual machine system image file. In the embodiment of the present invention, virtual execution is to be understood as detecting the behaviour of code by simulating the environment in which the code executes.
When, according to the file type of the file to be detected, module 02 has called both the virtual machine system image file corresponding to that file type and the incremental snapshot of the application version corresponding to the file to be detected, virtual operation module 03 loads the virtual machine system image file and the incremental snapshot into the virtual machine software and generates a virtual machine instance containing the application version corresponding to the incremental snapshot; using that virtual machine instance, module 03 opens the file to be detected.
The virtual machine system image and incremental snapshot formats in the embodiment of the present invention are described taking the qcow2 file format of the virtual machine software QEMU as an example; the virus detection method and device of the embodiment place no limit on the specific form of the virtual machine software, the virtual machine system image or the incremental snapshot.
For example, when type identification module 01 identifies the file to be detected as a Word document, the virtual machine image and incremental snapshot calling module 02, according to that file type, calls the virtual machine system image file windows-XP.qcow2 and at the same time the incremental snapshots word2003.qcow2, word2007.qcow2 and word2013.qcow2 of the application versions corresponding to the Word document. On the operating system Windows XP provided by the called windows-XP.qcow2, virtual operation module 03 starts the incremental snapshots word2003.qcow2, word2007.qcow2 and word2013.qcow2 and generates the virtual machine instances containing the application versions those snapshots map to, namely the three instances word2003, word2007 and word2013; using these three instances, module 03 opens the suspicious Word document to be detected.
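The selection of a base image and application-version snapshots for a file, followed by the start of one virtual machine instance per snapshot, as an added Python example that is not code from the patent or from its applicant. The library index, the magic-byte rules that decide the file type from content rather than extension, the packaging of the sample into an ISO named sample.iso, and the QEMU options used (-snapshot, -nic none) are assumptions of this example; the snapshot file names follow the patent's own examples. QEMU's -snapshot switch sends every guest write to a temporary file, so a detonation never dirties the library snapshot it started from, a point the patent's description leaves implicit.

```python
# Added example (not code from the patent): choose the base image and the
# application-version snapshots for a sample, and build one QEMU command per
# virtual machine instance. Library file names follow the patent's examples;
# the library layout, the magic-byte rules, the use of an ISO to carry the
# sample and the exact QEMU options are assumptions of this example.

# Snapshot library index: file type -> (clean base image, application overlays).
LIBRARY = {
    "pdf": ("windows-XP.qcow2", ["adobe-reader-8.qcow2", "adobe-reader-9.qcow2"]),
    "doc": ("windows-XP.qcow2", ["word2003.qcow2", "word2007.qcow2", "word2013.qcow2",
                                 "WPS2003.qcow2", "WPS2007.qcow2", "WPS2010.qcow2",
                                 "WPS2013.qcow2"]),
    "exe": ("windows-XP.qcow2", []),   # executables only need the bare operating system
}

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc container header


def identify_file_type(data: bytes) -> str:
    """Decide the type from the file's content, never from its extension.

    A malicious "report.doc" that is really a PE file must be run as an
    executable, and a PDF renamed to .txt must still be opened by the readers.
    """
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(OLE2_MAGIC):
        return "doc"
    if data.startswith(b"PK\x03\x04") and b"word/" in data[:4096]:   # OOXML .docx
        return "doc"
    if data.startswith(b"MZ"):
        return "exe"
    return "unknown"


def qemu_command(disk: str, sample_iso: str) -> list:
    """One detonation VM: the chosen disk image plus the sample on a read-only CD.

    -snapshot sends every guest write to a temporary file, so neither the clean
    base image nor the library snapshot is modified by the sample; without it a
    single run would poison every later detection that reuses the snapshot.
    -nic none keeps the sample from reaching the network.
    """
    return ["qemu-system-i386", "-snapshot",
            "-drive", f"file={disk},format=qcow2",
            "-cdrom", sample_iso,
            "-nic", "none"]


def plan_instances(data: bytes, sample_iso: str, versions=None) -> list:
    """Return the QEMU command lines for every instance the sample is opened in.

    `versions` optionally narrows the run to specific snapshots (the patent's
    "at least one version"); by default every library version for the type runs.
    """
    ftype = identify_file_type(data)
    if ftype not in LIBRARY:
        raise ValueError(f"no sandbox image configured for file type {ftype!r}")
    base, overlays = LIBRARY[ftype]
    if versions is not None:
        overlays = [o for o in overlays if o in versions]
        if not overlays:
            raise ValueError("none of the requested versions is in the library")
    # With no application snapshot the sample runs on the bare base image.
    disks = overlays or [base]
    return [qemu_command(disk, sample_iso) for disk in disks]
```

Because the type is decided from the bytes, the library entry that opens the file cannot be steered by the sample's name: a PE file renamed .doc still lands on the bare Windows XP image, and a renamed PDF still reaches both Adobe Reader snapshots.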
Virus detection module 04 is configured to detect the running state of the virtual machine instance and analyse whether the file to be detected contains a virus.
Virus detection module 04 detects the running state of the virtual machine instance and, based on that running state, analyses whether the file to be detected contains a virus. For example, module 04 scans the memory space of the process running in the virtual machine for overflow code (shellcode); if such code is present, the file to be detected is identified as containing a virus. Or: module 04 detects whether a memory overflow occurs in the virtual machine; if it does, the file to be detected is identified as containing a virus. Or: module 04 detects whether critical system files or critical registry entries are modified in the virtual machine; if such a modification occurs, the file to be detected is identified as containing a virus. Or: module 04 detects whether the parameters of the key functions called in the virtual machine are legal; if the parameters of a called key function are illegal, the file to be detected is identified as containing a virus; and so on. These detection modes can be used independently or in combination. Module 04 can also correlate the various features that can be observed while the virtual machine runs: for example, after a memory overflow has been found by memory taint analysis, module 04 additionally scans the suspicious memory region for shellcode, so that the findings are analysed in association with one another. Of course, the ways in which module 04 analyses whether the file to be detected contains a virus are not limited to those enumerated above, and the embodiment of the present invention does not list them exhaustively.
In a preferred embodiment of the present invention, when virus detection module 04 determines that the file to be detected contains a virus, module 04 can also obtain the malicious behaviour of the virus, and the operating system and/or the application version required for the virus to trigger.
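The checks enumerated for virus detection module 04, and their correlation after a memory overflow, run over a constructed run-state report, as an added Python example that is not code from the patent. The report layout, the critical file and registry path lists, the three shellcode byte patterns, the key-function parameter rules and the Windows constants used are assumptions chosen for illustration; the patent does not specify how the running state is collected from the instance (a memory dump through the QEMU monitor plus an in-guest API hook would be one way).

```python
# Added example (not code from the patent): the checks module 04 applies to a
# virtual machine instance's run state, over a constructed report. The report
# format, path lists, byte patterns and API rules are assumptions for this
# example, not the patent's.
import re

# Paths a document viewer has no business writing to (matched case-insensitively).
CRITICAL_FILES = ("c:\\windows\\system32\\", "c:\\windows\\explorer.exe")
CRITICAL_REG_KEYS = (
    "hklm\\software\\microsoft\\windows\\currentversion\\run",
    "hkcu\\software\\microsoft\\windows\\currentversion\\run",
    "hklm\\system\\currentcontrolset\\services",
)
# Byte sequences typical of injected code: a NOP sled, the call/pop "GetPC"
# stub of position-independent shellcode, and a PEB lookup via fs:[0x30].
SHELLCODE_PATTERNS = [
    (re.compile(rb"\x90{16,}"), "nop-sled"),
    (re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]"), "getpc-call-pop"),
    (re.compile(rb"\x64\xa1\x30\x00\x00\x00"), "peb-fs30"),
]
PAGE_EXECUTE_READWRITE = 0x40
STATUS_ACCESS_VIOLATION = 0xC0000005


def scan_memory(region: bytes) -> list:
    """Names of the shellcode patterns present in one memory region."""
    return [name for pat, name in SHELLCODE_PATTERNS if pat.search(region)]


def check_api_call(call: dict):
    """Why a key API call's parameters are illegal for a document viewer, or None."""
    api, args = call["api"], call["args"]
    if api in ("VirtualAlloc", "VirtualProtect") and args.get("protect") == PAGE_EXECUTE_READWRITE:
        return f"{api} requested PAGE_EXECUTE_READWRITE"
    if api == "WriteProcessMemory" and args.get("pid") != call.get("pid"):
        return f"WriteProcessMemory into foreign process {args.get('pid')}"
    if api == "CreateProcess" and args.get("image", "").lower().endswith(("cmd.exe", "powershell.exe")):
        return f"CreateProcess {args['image']}"
    return None


def analyse(report: dict) -> dict:
    """Combine the checks; every hit is kept as evidence for the analyst."""
    evidence = []
    regions = report.get("memory", [])
    for region in regions:                          # 1. shellcode in process memory
        hits = scan_memory(region["data"])
        if hits:
            evidence.append(f"shellcode {hits} at {region['addr']:#x}")
    exc = report.get("exception")                  # 2. memory overflow (crash)
    if exc and exc["code"] == STATUS_ACCESS_VIOLATION:
        evidence.append(f"access violation at eip {exc['eip']:#x}")
        # Correlation: re-scan the region the faulting instruction pointer lies in.
        for region in regions:
            if region["addr"] <= exc["eip"] < region["addr"] + len(region["data"]):
                if scan_memory(region["data"]):
                    evidence.append("faulting region contains shellcode")
    for path in report.get("file_writes", []):     # 3. critical files / registry
        if path.lower().startswith(CRITICAL_FILES):
            evidence.append(f"modified critical file {path}")
    for key in report.get("reg_writes", []):
        if key.lower().startswith(CRITICAL_REG_KEYS):
            evidence.append(f"modified critical registry key {key}")
    for call in report.get("api_calls", []):       # 4. key-function parameters
        why = check_api_call(call)
        if why:
            evidence.append(why)
    return {"malicious": bool(evidence), "evidence": evidence}
```

Each hit is retained as evidence rather than collapsed into a verdict: that list is the malicious behaviour the device reports, and because one report is produced per instance, comparing the reports of the word2003, word2007 and word2013 instances shows which application version the virus needs in order to trigger.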
The use of virtual machine incremental snapshot technology for virus detection in the embodiment of the present invention achieves the following beneficial effects:
(1) Low miss rate: using incremental snapshots of multiple software versions, the running behaviour of a suspicious file can be analysed under multiple software versions, so the miss rate for viruses that depend on a particular version is low;
(2) Low storage usage: an incremental snapshot is much smaller than a virtual machine system image file, and because multiple versions coexist in the form of incremental snapshots rather than being installed side by side in the same virtual machine, the software versions do not interfere with each other and storage space is saved;
(3) Good extensibility: when new application software or a system patch needs to be added, it is only necessary to install the new application software or system patch on the original virtual machine system image, make an incremental snapshot, and add it to the virtual machine snapshot library. Since extension to a new software version can be done quickly, this benefits the detection of attacks such as 0-day exploits.
Fig. 4 is a functional block diagram of a second embodiment of the virus detection device of the present invention. The difference between this embodiment and the embodiment of Fig. 3 is that in this embodiment the virus detection device, before detecting virus samples, first configures the virtual machine system image files and the incremental snapshots of the corresponding application versions, in preparation for the subsequent detection of virus samples.
Based on the description of the embodiment of Fig. 3, and as shown in Fig. 4, the virus detection device of the present invention further includes:
incremental snapshot configuration module 05, configured to configure the virtual machine system image file corresponding to each operating system respectively, generate a virtual machine instance from the configured virtual machine system image file using the virtual machine software, install application programs of preset versions on the virtual machine instance corresponding to that virtual machine system image file, and generate and store incremental snapshots.
This embodiment describes only incremental snapshot configuration module 05; for the other modules of the virus detection device of the present invention, refer to the detailed description of the related embodiment, which is not repeated here.
As shown in Fig. 4, in this embodiment, incremental snapshot configuration module 05 first configures the virtual machine system image file corresponding to each operating system, for example windows-XP.qcow2 as the virtual machine system image file for the Windows XP operating system and windows-7.qcow2 as the virtual machine system image file for the Windows 7 operating system. Each virtual machine system image file configured by module 05 is a clean virtual machine system image file, that is, apart from the application programs required for the operating system itself to run, the operating system in the image contains no other third-party application programs. After configuring the virtual machine system image files, module 05 starts each image file, generates a virtual machine instance using the virtual machine software, installs the corresponding application programs and the different versions of each application program on the virtual machine instance of the started image file, and generates and stores the incremental snapshot of each application version for that virtual machine system image file, thereby forming the corresponding virtual machine system image file library and incremental snapshot library. During virus detection, the virtual machine image and incremental snapshot calling module 02 then calls the corresponding virtual machine system image file and/or incremental snapshot according to the file to be detected and its file type. Because every incremental snapshot is valid only together with the image file it was created from, the clean image file must be kept unchanged once snapshots have been taken from it.
The implementation of this embodiment is illustrated by incremental snapshot configuration module 05 generating the incremental snapshots of Adobe Reader versions on a Windows XP system.
Module 05 configures a clean operating system virtual machine system image file windows-XP.qcow2. After configuration is complete, module 05 starts the virtual machine system image file and, in the running environment provided by the started image file, installs Adobe Reader 8.0, while generating the incremental snapshot corresponding to Adobe Reader 8.0 for the virtual machine; during the generation of this incremental snapshot, the virtual machine system image file configured by module 05 does not change at all. Module 05 stores the generated incremental snapshot as adobe-reader-8.qcow2. In the same way, module 05 installs Adobe Reader 9.0, generates the incremental snapshot corresponding to Adobe Reader 9.0, and stores it as adobe-reader-9.qcow2.
The virtual machine system image files and the incremental snapshots of the corresponding application versions configured in this embodiment provide a callable virtual machine system image file database and incremental snapshot database for the subsequent detection of files to be detected by the system.
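The overlay mechanics described under the definition of the incremental snapshot (all writes go to the snapshot file, the base image stays untouched) and the configuration procedure module 05 carries out for Adobe Reader 8.0 and 9.0, as an added Python example that is not code from the patent or its applicant: it plans the qemu-img commands that create one overlay per application version on the clean base image, and checks that a stored overlay's qcow2 header really names that base as its backing file. The qemu-img syntax and the qcow2 header layout are QEMU's; the file names follow the patent's example; build_header constructs only the header fields the checker reads and is sample data for offline use, not a bootable image.

```python
# Added example (not code from the patent): plan the snapshot library module 05
# maintains, and verify that a stored overlay sits on the clean base image.
# The qemu-img syntax and qcow2 header layout come from QEMU's documentation
# (docs/interop/qcow2.txt); file names follow the patent's example; the header
# builder produces constructed sample data only.
import struct

QCOW2_MAGIC = b"QFI\xfb"
# Leading fixed fields of the qcow2 header, big-endian: magic, version,
# backing_file_offset (u64), backing_file_size (u32), cluster_bits (u32),
# virtual disk size (u64).
HEADER_FMT = ">4sIQIIQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)          # 32 bytes
V3_HEADER_LEN = 104                               # backing name is stored after it


def overlay_name(app: str, version: str) -> str:
    """Library file name for one application version, e.g. adobe-reader-8.qcow2."""
    return f"{app.lower().replace(' ', '-')}-{version}.qcow2"


def plan_snapshot_library(base_image: str, apps: dict) -> list:
    """qemu-img command that creates the overlay for each application version.

    Every overlay names the same pristine base as its backing file, so
    installing Adobe Reader 8.0 and 9.0 yields two sibling snapshots and the
    base image is never written. -F pins the backing format, so QEMU does not
    have to probe the base file, which matters when images come from an
    untrusted source.
    """
    cmds = []
    for app, versions in apps.items():
        for ver in versions:
            cmds.append(["qemu-img", "create", "-f", "qcow2",
                         "-F", "qcow2", "-b", base_image, overlay_name(app, ver)])
    return cmds


def parse_qcow2_backing(data: bytes):
    """Backing file name recorded in a qcow2 header, or None for a base image."""
    if len(data) < HEADER_LEN:
        raise ValueError("short qcow2 header")
    magic, version, bf_off, bf_size, _cluster_bits, _size = struct.unpack(
        HEADER_FMT, data[:HEADER_LEN])
    if magic != QCOW2_MAGIC or version not in (2, 3):
        raise ValueError("not a qcow2 version 2/3 image")
    if bf_size == 0:
        return None
    if bf_size > 1023 or bf_off + bf_size > len(data):   # QEMU rejects longer names
        raise ValueError("backing file name out of bounds")
    return data[bf_off:bf_off + bf_size].decode("utf-8")


def backing_of_file(path: str):
    """Read the header from disk; 4 KiB covers the header and a normal name."""
    with open(path, "rb") as f:
        return parse_qcow2_backing(f.read(4096))


def verify_overlay(data: bytes, expected_base: str) -> bool:
    """Trust a library snapshot only if it points at the expected clean base."""
    return parse_qcow2_backing(data) == expected_base


def build_header(backing=None, version: int = 3) -> bytes:
    """Constructed sample header for offline use (not a usable disk image)."""
    name = backing.encode("utf-8") if backing else b""
    off = V3_HEADER_LEN if name else 0
    hdr = struct.pack(HEADER_FMT, QCOW2_MAGIC, version, off, len(name), 16, 20 << 30)
    return hdr.ljust(V3_HEADER_LEN, b"\0") + name
```

The header check is the integrity test a practitioner wants on a snapshot library: an overlay whose backing file has been swapped boots a different operating system than the library index claims, and every detection result produced on it is then meaningless.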
It should be noted that, herein, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to that process, method, article or device. In the absence of further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
The above embodiment numbers are for description only and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method of the above embodiments can be implemented by software plus a necessary general-purpose hardware platform, or by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and including instructions that cause a terminal device (which may be a mobile phone, a computer, a server, a network device or the like) to execute the method described in each embodiment of the present invention.
The above are only preferred embodiments of the present invention and do not limit its scope; any equivalent structure or equivalent flow transformation made using the contents of the description and drawings of the present invention, whether used directly or indirectly in other related technical fields, is included within the scope of protection of the present invention.
Claims (10)
1. A virus detection method, characterised in that it comprises the following steps:
identifying the file type of a file to be detected;
according to the file type, calling the virtual machine system image file corresponding to the file type and/or the incremental snapshot of the application version corresponding to the file to be detected;
loading the virtual machine system image file and/or the incremental snapshot using virtual machine software to generate a virtual machine instance, and running the file to be detected in the virtual machine instance;
detecting the running state of the virtual machine instance, and analysing whether the file to be detected contains a virus.
2. The method of claim 1, characterised in that the incremental snapshot of the application version includes the incremental snapshot corresponding to at least one version of the application program.
3. The method of claim 1, characterised in that loading the virtual machine system image file and the incremental snapshot using virtual machine software to generate a virtual machine instance, and running the file to be detected in the virtual machine instance, includes:
running the called virtual machine system image file on the virtual machine software;
based on the running virtual machine system image file, loading the incremental snapshot to generate a virtual machine instance containing the application version mapped by the incremental snapshot;
opening the file to be detected using the virtual machine instance.
4. The method of claim 1, characterised in that, before identifying the file type of the file to be detected, the method further includes:
configuring the virtual machine system image file corresponding to each operating system respectively, generating a virtual machine instance from the configured virtual machine system image file using virtual machine software, installing application programs of preset versions on the virtual machine instance corresponding to the virtual machine system image file, and generating and storing incremental snapshots.
5. The method of any one of claims 1 to 4, characterised in that analysing whether the file to be detected contains a virus includes:
analysing the malicious behaviour of the virus contained in the file to be detected, and the operating system and/or the application version required for the virus to trigger.
6. A virus detection device, characterised in that it includes:
a type identification module, configured to identify the file type of a file to be detected;
a virtual machine image and incremental snapshot calling module, configured to call, according to the file type, the virtual machine system image file corresponding to the file type and/or the incremental snapshot of the application version corresponding to the file to be detected;
a virtual operation module, configured to load the virtual machine system image file and/or the incremental snapshot using virtual machine software to generate a virtual machine instance, and to run the file to be detected in the virtual machine instance;
a virus detection module, configured to detect the running state of the virtual machine instance and analyse whether the file to be detected contains a virus.
7. The device of claim 6, characterised in that the incremental snapshot of the application version includes the incremental snapshot corresponding to at least one version of the application program.
8. The device of claim 6, characterised in that the virtual operation module is further configured to:
run the called virtual machine system image file on the virtual machine software;
based on the running virtual machine system image file, load the incremental snapshot to generate a virtual machine instance containing the application version mapped by the incremental snapshot;
open the file to be detected using the virtual machine instance.
9. The device of claim 6, characterised in that it further includes:
an incremental snapshot configuration module, configured to configure the virtual machine system image file corresponding to each operating system respectively, generate a virtual machine instance from the configured virtual machine system image file using virtual machine software, install application programs of preset versions on the virtual machine instance corresponding to the virtual machine system image file, and generate and store incremental snapshots.
10. The device of any one of claims 6 to 9, characterised in that the virus detection module is further configured to:
analyse the malicious behaviour of the virus contained in the file to be detected, and the operating system and/or the application version required for the virus to trigger.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410012797.7A CN103778373B (en) | 2014-01-10 | 2014-01-10 | Virus detection method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410012797.7A CN103778373B (en) | 2014-01-10 | 2014-01-10 | Virus detection method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103778373A CN103778373A (en) | 2014-05-07 |
CN103778373B true CN103778373B (en) | 2017-02-08 |
Family
ID=50570597
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410012797.7A Active CN103778373B (en) | 2014-01-10 | 2014-01-10 | Virus detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103778373B (en) |
Families Citing this family (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105701012B (en) * | 2015-12-30 | 2019-02-12 | Oppo广东移动通信有限公司 | A kind of parameter setting method and device |
CN107659540B (en) * | 2016-07-25 | 2021-01-26 | 中兴通讯股份有限公司 | Dynamic behavior analysis method, device, system and equipment |
CN106708598B (en) * | 2016-07-29 | 2021-03-19 | 腾讯科技(深圳)有限公司 | Virus analysis environment building method and device |
CN106778268A (en) * | 2016-11-28 | 2017-05-31 | 广东省信息安全测评中心 | Malicious code detecting method and system |
CN106778246A (en) * | 2016-12-01 | 2017-05-31 | 北京奇虎科技有限公司 | The detection method and detection means of sandbox virtualization |
CN106557355A (en) * | 2016-12-01 | 2017-04-05 | 北京奇虎科技有限公司 | The generation method and generating means of virtual machine image |
CN107346390A (en) * | 2017-07-04 | 2017-11-14 | 深信服科技股份有限公司 | A kind of malice sample testing method and device |
CN111027052A (en) * | 2019-01-31 | 2020-04-17 | 深圳市安之天信息技术有限公司 | Application program version-based virtual machine document discrimination method and device and storage equipment |
CN110737506A (en) * | 2019-09-10 | 2020-01-31 | 江苏中云科技有限公司 | virtual machine image version management method |
CN111966457B (en) * | 2020-08-10 | 2024-04-19 | 华中科技大学 | Malicious code detection method and system based on snapshot |
CN114996226B (en) * | 2021-11-05 | 2023-03-31 | 荣耀终端有限公司 | Icon detection method, electronic device, readable storage medium, and program product |
CN114282214B (en) * | 2021-12-17 | 2022-10-21 | 北京天融信网络安全技术有限公司 | Virus checking and killing method and device and electronic equipment |
CN115329343B (en) * | 2022-08-23 | 2023-04-07 | 武汉能量云计算科技有限公司 | Method and system for processing information security loophole |
CN116502225B (en) * | 2023-06-20 | 2023-09-19 | 杭州海康威视数字技术股份有限公司 | Virus scanning method and device for self-adaptive packet redundancy arrangement and electronic equipment |
CN116680696B (en) * | 2023-08-04 | 2024-02-13 | 深圳市科力锐科技有限公司 | Virus program detection method, device and system |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101281571A (en) * | 2008-04-22 | 2008-10-08 | 白杰 | Method for defending unknown virus program |
CN101977188A (en) * | 2010-10-14 | 2011-02-16 | 中国科学院计算技术研究所 | Malicious program detection system |
CN103150509A (en) * | 2013-03-15 | 2013-06-12 | 长沙文盾信息技术有限公司 | Virus detection system based on virtual execution |
CN103150506A (en) * | 2013-02-17 | 2013-06-12 | 北京奇虎科技有限公司 | Method and device for detecting rogue program |
Also Published As
Publication number | Publication date |
---|---|
CN103778373A (en) | 2014-05-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103778373B (en) | Virus detection method and device | |
CN104049986B (en) | plug-in loading method and device | |
US9117079B1 (en) | Multiple application versions in a single virtual machine | |
US7900202B2 (en) | Identification of software execution data | |
US20130117855A1 (en) | Apparatus for automatically inspecting security of applications and method thereof | |
CN100481101C (en) | Method for computer safety start | |
CN102254111A (en) | Malicious site detection method and device | |
CN103839003A (en) | Malicious file detection method and device | |
CN109255235B (en) | Mobile application third-party library isolation method based on user state sandbox | |
CN102254113A (en) | Method and system for detecting and intercepting malicious code of mobile terminal | |
CN111737692B (en) | Application program risk detection method and device, equipment and storage medium | |
CN101364988A (en) | Method and apparatus determining webpage security | |
CA2674327C (en) | Exploit nonspecific host intrusion prevention/detection methods and systems and smart filters therefor | |
CN108197476B (en) | Vulnerability detection method and device for intelligent terminal equipment | |
CN102467628A (en) | Method for protecting data based on browser kernel intercept technology | |
CN112256296A (en) | Express delivery service APP updating method, device, equipment and storage medium based on Weex | |
CN107808096A (en) | Method, terminal device and the storage medium of malicious code are injected into during detection APK operations | |
CN112738094A (en) | Expandable network security vulnerability monitoring method, system, terminal and storage medium | |
CN108229168B (en) | Heuristic detection method, system and storage medium for nested files | |
US8418170B2 (en) | Method and system for assessing deployment and un-deployment of software installations | |
US8006242B2 (en) | Identification of software configuration data | |
JP2010134536A (en) | Pattern file update system, pattern file update method, and pattern file update program | |
CN116451271A (en) | Automatic privacy policy extraction method for application software | |
Zhan et al. | Splitting third-party libraries’ privileges from android apps | |
CN114491528A (en) | Malicious software detection method, device and equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CP03 | Change of name, title or address |
Address after: Nanshan District Xueyuan Road in Shenzhen city of Guangdong province 518000 No. 1001 Nanshan Chi Park building A1 layer Patentee after: SINFOR Polytron Technologies Inc Address before: 518052 room 410-413, science and technology innovation service center, No. 1 Qilin Road, Shenzhen, Guangdong, China Patentee before: Shenxinfu Electronics Science and Technology Co., Ltd., Shenzhen |