CN115510484A - Safety protection method, device, equipment and computer readable storage medium - Google Patents


Publication number
CN115510484A
Authority
CN
China
Prior art keywords
target file
file
detection
detection result
security
Legal status
Pending
Application number
CN202211185494.6A
Other languages
Chinese (zh)
Inventor
周柏祥
陈岩
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

The embodiment of the application discloses a safety protection method, comprising: receiving an operation request for a target file, the operation request being used for acquiring the target file; performing security detection on the target file based on the operation request to obtain a first detection result; and executing the operation corresponding to the operation request on the target file in the case that the first detection result indicates that the target file is not invaded by a virus. The embodiment of the application also discloses a safety protection apparatus, device and computer-readable storage medium.

Description

Safety protection method, device, equipment and computer readable storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a security protection method, apparatus, device, and computer-readable storage medium.
Background
Files are generally stored in a file system, but files in a file system are easily attacked from outside, so that they are damaged or invaded by viruses. To protect files effectively, an anti-virus server is deployed to scan the files in the file system at regular intervals so as to guard them against external attack. However, in the related art, if a file is invaded by a virus in the period between the last detection and the next detection, using that file poisons the file system, so security is not high.
Disclosure of Invention
In order to solve the above technical problem, embodiments of the present application provide a security protection method, apparatus, device and computer-readable storage medium. They solve the problem in the related art that, once a file is invaded by a virus in the period between the last detection and the next detection, using the file poisons the file system, and they thereby improve the security of the file.
The technical scheme of the application is realized as follows:
A security protection method, the method comprising:
receiving an operation request for a target file; the operation request is used for acquiring the target file;
performing security detection on the target file based on the operation request to obtain a first detection result;
and executing the operation corresponding to the operation request on the target file under the condition that the first detection result represents that the target file is not invaded by the virus.
In the above scheme, the method further comprises:
under the condition that the target file is determined to be updated, carrying out safety detection on the updated target file to obtain a second detection result;
and under the condition that the second detection result represents that the updated target file is not invaded by viruses, executing target operation on the updated target file.
In the foregoing solution, the performing security detection on the target file based on the operation request to obtain the first detection result includes:
determining whether the target file is subjected to security detection or not based on the operation request;
and under the condition that the target file is determined not to be subjected to security detection, performing security detection on the target file based on the operation request to obtain the first detection result.
In the foregoing solution, the performing security detection includes:
performing, by using a target process, security detection on the target file or the updated target file based on an intelligent application in a file system.
In the foregoing solution, the performing, by using the target process, security detection on the target file or the updated target file based on an intelligent application in an idle state in a file system includes:
sending a detection request to the intelligent application through the target process;
receiving and storing the first detection result or the second detection result sent by the intelligent application through the target process; and the first detection result and the second detection result are obtained after the intelligent application carries out safety detection on the target file and the updated target file.
In the above scheme, the method further comprises:
under the condition that the first detection result represents that the target file is invaded by viruses, a first prompt message is sent to a client; the first prompt message is used for prompting that the target file is invaded by a virus;
under the condition that the second detection result represents that the updated target file is invaded by viruses, sending a second prompt message to the client; and the second prompt message is used for prompting that the updated target file is invaded by virus.
In the above scheme, the intelligent application is deployed in the form of a container in the server of the file system.
A security protection apparatus, the apparatus comprising:
a receiving unit configured to receive an operation request for a target file; the operation request is used for acquiring the target file;
the detection unit is used for carrying out safety detection on the target file based on the operation request to obtain a first detection result;
and the processing unit is used for executing the operation corresponding to the operation request on the target file under the condition that the first detection result represents that the target file is not invaded by the virus.
In the above scheme, the detection unit is further configured to perform security detection on the updated target file to obtain a second detection result when it is determined that the target file is updated;
the processing unit is further configured to execute a target operation on the updated target file when the second detection result indicates that the updated target file is not invaded by a virus.
In the above solution, the detecting unit is further configured to determine whether the target file has been subjected to security detection based on the operation request;
the detection unit is further configured to, when it is determined that the target file has not been subjected to security detection, perform security detection on the target file based on the operation request, and obtain the first detection result.
In the above scheme, the detection unit is further configured to perform security detection on the target file or the updated target file based on an intelligent application in a file system by using a target process.
In the above scheme, the detection unit is further configured to send a detection request to the intelligent application through the target process;
the detection unit is further configured to receive and store the first detection result or the second detection result sent by the intelligent application through the target process; and the first detection result and the second detection result are obtained after the intelligent application carries out safety detection on the target file and the updated target file.
In the above solution, the processing unit is further configured to send a first prompt message to the client when the first detection result indicates that the target file is invaded by a virus; the first prompt message is used for prompting that the target file is invaded by a virus;
the processing unit is further configured to send a second prompt message to the client when the second detection result indicates that the updated target file is invaded by a virus; and the second prompt message is used for prompting that the updated target file is invaded by virus.
In the above scheme, the intelligent application is deployed in the form of a container in the server of the file system.
A security protection device, the device comprising: a processor, a memory, and a communication bus;
the communication bus is used for realizing communication connection between the processor and the memory;
the processor is used for executing the safety protection program in the memory so as to realize the steps of the safety protection method.
A computer readable storage medium storing one or more programs, the one or more programs being executable by one or more processors to implement the steps of the above-described security protection method.
The security protection method, apparatus, device and computer-readable storage medium provided by the embodiments of the application receive an operation request for a target file, perform security detection on the target file based on the operation request to obtain a first detection result, and execute the operation corresponding to the operation request on the target file in the case that the first detection result indicates that the target file is not invaded by a virus. The target file is thus subjected to security detection each time before it is acquired, and the corresponding operation is executed on the target file after the target file is determined not to be invaded by a virus. This greatly protects the security of the file system and the client and prevents the client and the file system from being poisoned after a file is invaded by a virus. It solves the problem in the related art that, once a file is invaded by a virus in the period between the last detection and the next detection, using the file poisons the file system, and it improves the security of the file.
Drawings
Fig. 1 is a schematic flowchart of a security protection method according to an embodiment of the present application;
Fig. 2 is a schematic flowchart of another security protection method according to an embodiment of the present application;
Fig. 3 is a schematic flowchart of processing a file in a security protection method according to an embodiment of the present application;
Fig. 4 is a schematic flowchart of another security protection method according to an embodiment of the present application;
Fig. 5 is a schematic flowchart of a security protection method according to another embodiment of the present application;
Fig. 6 is a schematic flowchart of another security protection method according to another embodiment of the present application;
Fig. 7 is a schematic structural diagram of a security protection apparatus according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of a security protection device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application.
It should be appreciated that reference throughout this specification to "an embodiment of the present application" or "an embodiment described previously" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Thus, the appearances of the phrase "in an embodiment of the present application" or "in the foregoing embodiment" appearing in various places throughout the specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the various embodiments of the present application, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application. The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
In a case where no specific description is given, the electronic device may execute any step in the embodiments of the present application, and the processor of the electronic device may execute the step. It should also be noted that the embodiment of the present application does not limit the sequence of the steps executed by the electronic device. In addition, the data may be processed in the same way or in different ways in different embodiments. It should be further noted that any step in the embodiments of the present application may be executed by the electronic device independently, that is, when the electronic device executes any step in the following embodiments, the electronic device may not depend on the execution of other steps.
It should be understood that the specific embodiments described herein are merely illustrative of, and not restrictive on, the present application.
An embodiment of the present application provides a security protection method, which may be applied to a server of a file system, and as shown in fig. 1, the method includes the following steps:
Step 101, receiving an operation request for a target file.
The operation request is used for acquiring the target file.
In this embodiment of the present application, the file system may be a Common Internet File System (CIFS) and may be formed by an Enterprise distributed storage service (EDS) cluster. The EDS cluster may include multiple servers, which may communicate with a client through the Server Message Block (SMB) protocol. The SMB protocol enables all devices on the same network to share resources such as files, printers, serial ports and communications, and also provides authenticated inter-process communication. The protocol is mainly used on machines running Microsoft Windows, where it is known as Microsoft Windows Network. Samba software can bridge the Windows and UNIX operating systems so that their resources can be shared with each other; generally, clients have Samba software installed and use it to interact with the servers in the file system. Compared with the Network File System (NFS), which has similar functions, NFS messages have a fixed length whereas CIFS messages are mostly of variable length, which increases the complexity of the protocol. CIFS messages are typically sent over the Network Basic Input/Output System (NetBIOS) or the Transmission Control Protocol (TCP), using port 139 or port 445 respectively, with the trend being towards port 445. A CIFS message comprises a header and a body.
In the embodiment of the present application, the target file is a file that needs to be processed currently. The operation request is used for acquiring a target file in the file system. Optionally, the operation request may carry a file identifier of the target file, so as to obtain the target file from a server of the file system based on the file identifier of the target file.
In an implementation manner, a server of the file system may receive an open request for a target file sent by a client to obtain the target file and display the target file on the client, where the operation request is an open request.
Step 102, performing security detection on the target file based on the operation request to obtain a first detection result.
In the embodiment of the application, the first detection result is a result obtained after security detection is performed on the target file. In an implementation manner, in a case that the operation request carries a file identifier of the target file, the target file may be obtained from a server of the file system based on the file identifier of the target file, so as to perform security detection on the target file.
It should be noted that resources such as files, printers, serial ports, and the like between servers of the file system may be shared with each other, so that after any server in the file system receives an operation request, a target file may be obtained based on the operation request. Specifically, if a certain server of the file system does not store the target file, after receiving the operation request, the target file may be obtained from the server in which the target file is stored based on the file identifier of the target file carried in the operation request, and then security detection may be performed on the target file; if a certain server of the file system stores the target file, the target file can be directly obtained based on the file identifier of the target file carried in the operation request, and then security detection is performed on the target file.
Step 103, executing the operation corresponding to the operation request on the target file in the case that the first detection result indicates that the target file is not invaded by a virus.
In the embodiment of the application, the first detection result indicates that the target file is not invaded by the virus, that is, the target file is a normal file and is not poisoned, and at this time, the operation corresponding to the operation request may be executed on the target file.
In an implementation manner, if the operation request is an open request, then after receiving the open request for the target file sent by the client, the server performs security detection on the target file based on the open request to obtain a first detection result, and performs the open operation corresponding to the open request on the target file in the case that the first detection result indicates that the target file is not invaded by a virus. That is, after the open request is received, the target file is sent to the client and displayed on the client only when it is determined that the target file is not invaded by a virus. Therefore, each time an operation request is received, the corresponding operation is executed on the target file in the case that the target file is determined not to be invaded by a virus, which prevents the client and the file system from being poisoned, or even crashing, because a virus has invaded a file, and improves the security of the file system and the client.
The security protection method provided by the embodiment of the application receives an operation request for a target file, performs security detection on the target file based on the operation request to obtain a first detection result, and executes the operation corresponding to the operation request on the target file in the case that the first detection result indicates that the target file is not invaded by a virus. The target file can thus be subjected to security detection each time before it is acquired, and the corresponding operation can be executed on the target file after the target file is determined not to be invaded by a virus. This greatly protects the security of the file system and the client and prevents the client and the file system from being poisoned after a file is invaded by a virus. It solves the problem in the related art of a file being invaded by a virus in the period between the last detection and the next detection, and improves the security of the file.
Based on the foregoing embodiments, an embodiment of the present application provides a safety protection method, which is shown in fig. 2 and includes the following steps:
Step 201, the server receives an operation request for a target file.
The operation request is used for acquiring the target file.
Step 202, the server determines whether the target file is subjected to security detection based on the operation request.
In the embodiment of the present application, a metadata service (MDS) is the daemon process of the metadata server of an EDS distributed file system. Generally, one MDS may be deployed in the file system, that is, the servers of the file system share one MDS; a plurality of MDSs may also be deployed in the file system, which is not limited in the embodiment of the present application. The security state of each file may also be stored in the MDS, so that whether a file has been subjected to security detection can be determined from its security state. Specifically, after receiving the operation request, the server may first obtain the security state of the target file from the MDS based on the file identifier of the target file carried in the operation request. If the security state is null, the target file has not been subjected to security detection, and step 203 is executed; if the security state is not null, the target file has been subjected to security detection.
Step 203, in the case that the target file is determined not to have been subjected to security detection, the server performs security detection on the target file based on the operation request to obtain a first detection result.
In the embodiment of the application, the first detection result is a result of performing security detection on the target file. The server may perform security detection on the target file based on the file identifier of the target file carried in the operation request to obtain a first detection result. Wherein, if the first detection result represents that the target file is invaded by the virus, the target file is a virus file, and at this time, step 204 may be executed; if the first detection result indicates that the target file is not invaded by a virus, it indicates that the target file is a normal file, and step 205 may be executed at this time.
The operation that the server carries out security detection on the target file based on the operation request to obtain the first detection result can be realized through the following steps:
Step 203a, the server uses the target process to perform security detection on the target file based on the intelligent application in the file system, to obtain a first detection result.
In this embodiment of the present application, the target process may be the MDS, the intelligent application may be a terminal agent (Edr Agent), and the intelligent application may be deployed in a server of the file system in container form. Optionally, the Edr Agent may be packaged into an independent container by the Docker software and then deployed in each server in the file system so that security detection can be performed on the target file; further, when a plurality of Edr Agents are installed in the file system, files can be scanned quickly even when there are many security detection tasks.
In an implementation manner, the server may employ an MDS to perform security detection on the target file based on the Edr Agent in the idle state in the file system to obtain a first detection result.
Step 204, in the case that the first detection result indicates that the target file is invaded by a virus, the server sends a first prompt message to the client.
The first prompt message is used for prompting that the target file is invaded by virus.
In the embodiment of the application, the server may send a first prompt message to the client when the first detection result indicates that the target file is invaded by a virus, informing the client that the target file is invaded by a virus and cannot be opened; the first prompt message may also be displayed on the file system to inform an administrator of the file system that the target file is invaded by a virus and should be handled promptly, to prevent the file system from crashing as the virus spreads.
Step 205, in the case that the first detection result indicates that the target file is not invaded by a virus, the server executes the operation corresponding to the operation request on the target file.
As shown in Fig. 3, a file is processed through the following operations. Creating a file: a blank file is created on the file system, and metadata for the file is generated on the MDS while there is not yet any actual data. Operating on a file: generally, operations such as reading and writing (i.e., editing) are performed on the file. Closing a file: the client closes the file, that is, closes the file handle and releases the resource to indicate that the client no longer uses the file, and the file is stored in the file system. Opening a file: after the file is stored in the file system, it needs to be opened before it is operated on again, and after being operated on it needs to be closed and stored in the file system.
Based on the characteristics of the file operations shown in Fig. 3, the opening of a file may be intercepted in order to perform security detection on it. The client triggers a file opening operation, that is, sends an open request to the server. In the case that the operation request is an open request, when the target file is opened and its security state is null, security detection may be performed on the target file, and whether the target file can be opened successfully is determined after the security detection: if the detection result indicates that the target file is a virus file, the open fails; if the detection result indicates that the target file is a normal file, the file is opened successfully.
It should be noted that, after the server executes step 205, the server may also execute step 206.
Based on the foregoing embodiments, in other embodiments of the present application, as shown in fig. 2, the safety protection method may further include the following steps:
Step 206, in the case that the target file is determined to be updated, the server performs security detection on the updated target file to obtain a second detection result.
In this embodiment of the application, the second detection result is a result obtained by performing security detection on the updated target file. If the server determines that the target file is updated, security detection needs to be performed on the updated target file to determine the security of the target file, and further guarantee the security of the client and the file system.
In an implementation manner, after performing update operations such as reading and writing on an open target file, a client may send a close request for the updated target file to a server; after receiving the close request, the server may determine that the target file has been updated and then perform security detection on the updated target file to obtain a second detection result. In another implementation manner, the client may perform further processing on the updated target file, in which case a detection request for the updated target file may be sent to the server, so that the server performs security detection on the updated target file to obtain a second detection result. The server may also determine that the target file has been updated in another manner, which is not limited in this embodiment of the present application.
The operation of performing security detection on the updated target file by the server to obtain the second detection result can be realized by the following steps:
Step 206a, the server uses the target process to perform security detection on the updated target file based on the intelligent application in the file system, to obtain a second detection result.
In this embodiment of the application, the server may use an MDS to perform security detection on the updated target file based on the Edr Agent in the idle state in the file system to obtain a second detection result. Step 207 may be executed if the second detection result indicates that the updated target file is not invaded by a virus; step 208 may be performed if the second detection result indicates that the updated target file is invaded by a virus.
Step 207, in the case that the second detection result indicates that the updated target file is not invaded by a virus, the server executes the target operation on the updated target file.
In the embodiment of the present application, the target operation may be a storage operation, that is, the server performs the storage operation on the target file only when it is determined that the updated target file is not invaded by a virus, so that the security of the file stored to the file system can be ensured, and the security of the file system can be further ensured.
In an implementation manner, if the client sends a close request to the server after updating the target file, where the close request is used to store the updated target file to the server of the file system, the server may perform security detection on the updated target file after receiving the close request, and store the updated target file to the server only when determining that the updated target file is not invaded by a virus, so as to ensure the security of the file system.
Step 208, in the case that the second detection result indicates that the updated target file is invaded by a virus, the server sends a second prompt message to the client.
The second prompt message is used for prompting that the updated target file is invaded by a virus.
In this embodiment, the server may send a second prompt message to the client when the second detection result indicates that the updated target file is invaded by a virus, so as to inform the client that the updated target file is invaded by a virus and needs to be processed in time.
Based on the characteristics of the file operation shown in fig. 3, the closing of the file may be intercepted to perform security detection on the file. The client triggers a file closing operation, that is, it sends a close request to the server in order to store the file to the server. When the server receives the close request and determines that the target file has been updated, it performs security detection on the updated target file, and only after the security detection can it be determined whether the closing operation is performed on the updated target file. If the detection result indicates that the updated target file is a virus file, the closing operation is not executed and a second prompt message is sent to the client; if the detection result indicates that the target file is a normal file, the closing operation is executed and the updated target file is stored to the server.
It should be noted that, for the description of the same steps and the same contents in this embodiment as those in other embodiments, reference may be made to the description in the other embodiments, which is not repeated herein.
According to the security protection method provided by the embodiment of the application, security detection is performed on the target file each time before the target file is obtained, and the corresponding operation is performed on the target file after it is determined that the target file is not invaded by a virus. This greatly protects the security of the file system and the client and prevents the client and the file system from being poisoned after the file is invaded by a virus. It solves the problem in the related technology that, if a file is invaded by a virus in the period between the last detection and the next detection, using the file poisons the file system, and it improves the security of the file.
Based on the foregoing embodiments, an embodiment of the present application provides a safety protection method, which is shown in fig. 4 and includes the following steps:
Step 301, the server receives an operation request for a target file.
The operation request is used for acquiring the target file.
Step 302, the server determines whether the target file is subjected to security detection based on the operation request.
In this embodiment of the application, the server may obtain the security state of the target file from the MDS based on the file identifier of the target file carried in the operation request. If the security state of the target file is null, it is determined that the target file has not undergone security detection, and step 303 is executed; if the security state is not null, the target file has already undergone security detection.
Step 303, under the condition that the target file is determined not to be subjected to security detection, the server sends a detection request to the intelligent application through the target process.
In the embodiment of the application, if the server determines that the target file is not subjected to security detection, a detection request may be sent to an idle Edr Agent in the file system through the MDS, so that the Edr Agent performs security detection on the target file.
Step 304, the server receives and stores the first detection result sent by the intelligent application through the target process.
The first detection result is obtained after the intelligent application carries out security detection on the target file and the updated target file.
In the embodiment of the application, after obtaining the first detection result of the security detection of the target file, the Edr Agent may send the first detection result to the client and store it in the security state of the target file in the MDS. When a subsequent client opens the target file again, the target file has already been subjected to security detection, so it does not need to be detected again and can be opened directly.
It should be noted that, in the case that the first detection result indicates that the target file is invaded by a virus, step 305 may be executed; in case the first detection result indicates that the target file is not invaded by a virus, step 306 may be performed.
Step 305, in the case that the first detection result indicates that the target file is invaded by a virus, the server sends a first prompt message to the client.
The first prompt message is used for prompting that the target file is invaded by the virus.
Step 306, in the case that the first detection result indicates that the target file is not invaded by a virus, the server executes the operation corresponding to the operation request on the target file.
In one implementation, as shown in fig. 5:
1. A client opens a file, that is, sends an open request for the file to a file system formed by an EDS cluster. The open request may reach any EDS client (i.e., a server in the file system) in the EDS cluster through the SMB protocol, and the EDS client forwards the open request to the MDS after receiving it.
2. The MDS determines the security state of the file.
3. If the MDS determines that the security state of the file indicates that the file is a virus file, it sends a first prompt message to return an error to the client, so that the client knows that the file is a virus file and that opening the file has failed.
4. If the MDS determines that the security state of the file is empty, it suspends the open request, generates a security detection task, and sends a detection request for the file to the Edr Agent.
5. After the Edr Agent performs security detection on the file, it reports the detection result to the MDS, and the result is stored in the MDS.
6. If the security state of the file indicates that the file is a normal file, the MDS releases the suspended open request and returns it to the EDS client.
7. The EDS client sends the file to the client, where it is displayed, informing the client of the open result through the SMB protocol.
8. When a subsequent client opens the file again, the file has already been subjected to security detection, so it does not need to be detected again and the open request can be processed directly to open the file.
It should be noted that, after the server executes step 306, the server may also execute step 307.
Based on the foregoing embodiment, in another embodiment of the present application, as shown in fig. 4, the safety protection method may further include the following steps:
Step 307, in the case that the target file is determined to be updated, the server sends a detection request to the intelligent application through the target process.
In this embodiment of the present application, if the server determines that the target file has been updated, a detection request may be sent to an idle Edr Agent in the file system through the MDS, so that the Edr Agent performs security detection on the updated target file.
Step 308, the server receives and stores the second detection result sent by the intelligent application through the target process.
The second detection result is obtained after the intelligent application carries out security detection on the updated target file.
In the embodiment of the application, after obtaining the second detection result of the security detection of the updated target file, the Edr Agent may send the second detection result to the client and store it in the security state of the target file in the MDS. When a subsequent client performs a corresponding operation on the target file again, the target file has already been subjected to security detection, so no further security detection is required and the corresponding operation may be performed directly.
It should be noted that, in the case that the second detection result indicates that the updated target file is not invaded by a virus, step 309 may be executed; in the case that the second detection result indicates that the updated target file is invaded by a virus, step 310 may be executed.
Step 309, under the condition that the second detection result represents that the updated target file is not invaded by the virus, the server executes the target operation on the updated target file.
Step 310, in the case that the second detection result indicates that the updated target file is invaded by a virus, the server sends a second prompt message to the client.
The second prompt message is used for prompting that the updated target file is invaded by a virus.
In one implementation, as shown in fig. 6:
1. A client triggers the opening of a file, that is, sends an open request for the file to an EDS client, and the EDS client forwards the open request to the MDS after receiving it.
2. If the MDS determines that the file is a normal file, the MDS continues to process the open request: the EDS client sends the file to the client, where it is displayed, that is, the opening succeeds.
3. The client operates on (reads, writes, etc.) the file, that is, updates the file.
4. The client closes the file after updating it, that is, sends a close request for the file to the EDS client, and the EDS client forwards the close request to the MDS.
5. Because the file has been modified and needs to be subjected to security detection again, the MDS generates a new security detection task and sends it to an idle Edr Agent, that is, sends a new detection request to the Edr Agent.
6. The Edr Agent performs security detection on the updated file, reports the detection result to the MDS, and the result is stored in the security state of the file in the MDS.
7. When other clients subsequently open the file again, the file can be opened directly without triggering security detection again, because the file has already been subjected to security detection.
In the embodiment of the present application, a virus detection policy may be configured. In a feasible implementation manner, the virus detection policy may be a high-performance mode, and at this time, security detection is performed on the file only when the target file is updated; in another feasible implementation manner, the virus detection policy may also be in a high security mode, and at this time, not only the security detection is performed on the file when the target file is updated, but also the security detection is performed on the file when the file is opened and when it is determined that the security state of the file is empty. Based on the description of fig. 5 and 6, the high-performance mode performs security check on a file only in the case where the file is closed and the file is updated, whereas the high-security mode performs security check on a file not only in the case where the file is closed and the file is updated but also in the case where the file is opened and it is determined that the file has not been security checked.
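The two policy modes above, applied to the open and close flows of figs. 5 and 6, as an added sketch that is not code from the patent. The class `Mds`, the stand-in scanner `edr_agent_scan`, the byte marker, the sample files and the choice to keep the security state bound to the stored content are all assumptions made for illustration.

```python
from enum import Enum
from typing import Optional


class State(Enum):
    CLEAN = "normal file"
    VIRUS = "virus file"


class Policy(Enum):
    HIGH_PERFORMANCE = 1  # detect only when an updated file is closed
    HIGH_SECURITY = 2     # also detect on open when the security state is empty


# Constructed marker standing in for whatever the real detection engine matches.
MARKER = b"CONSTRUCTED-TEST-MARKER"


def edr_agent_scan(data: bytes) -> State:
    """Hypothetical stand-in for the Edr Agent's security detection."""
    return State.VIRUS if MARKER in data else State.CLEAN


class Mds:
    """Toy model of the MDS gate on open and close (names are assumptions)."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.stored = {}  # file id -> content committed to the file system
        self.state = {}   # file id -> State; a missing key is the empty state
        self.scans = 0    # number of detection requests sent to the agent

    def preload(self, file_id: str, data: bytes) -> None:
        """A file that reached storage before any detection took place."""
        self.stored[file_id] = data

    def _detect(self, data: bytes) -> State:
        self.scans += 1
        return edr_agent_scan(data)

    def open(self, file_id: str):
        state = self.state.get(file_id)
        if state is None and self.policy is Policy.HIGH_SECURITY:
            # Fig. 5, steps 4-5: suspend the open, detect, store the result.
            state = self.state[file_id] = self._detect(self.stored[file_id])
        if state is State.VIRUS:
            return ("error", "first prompt message")
        # CLEAN, or empty state under the high-performance policy.
        return ("ok", self.stored[file_id])

    def close(self, file_id: str, updated: Optional[bytes] = None):
        if updated is None:
            return ("ok", "closed")  # nothing changed, nothing to detect
        # Fig. 6, steps 5-6: the cached state describes the old content, so
        # an updated file is always detected again before it is stored.
        result = self._detect(updated)
        if result is State.VIRUS:
            # Close is not executed; stored content and its state are kept.
            # (Assumption: the state stays bound to the stored content.)
            return ("error", "second prompt message")
        self.stored[file_id] = updated
        self.state[file_id] = result
        return ("ok", "stored")


def demo(policy: Policy):
    mds = Mds(policy)
    mds.preload("legacy.bin", b"header" + MARKER)  # constructed sample
    mds.preload("report.doc", b"v1")               # constructed sample
    return [
        mds.open("legacy.bin")[0],
        mds.open("report.doc")[0],
        mds.open("report.doc")[0],                  # served from cached state
        mds.close("report.doc", b"v2")[0],
        mds.close("report.doc", b"v3" + MARKER)[0],
        mds.stored["report.doc"],
        mds.scans,
    ]


if __name__ == "__main__":
    for p in Policy:
        print(p.name, demo(p))
```

In the high-performance mode the never-detected `legacy.bin` is served without any detection, which is the gap the high-security mode closes at the cost of one detection on first open.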
It should be noted that the security protection method provided in the embodiment of the present application may avoid the additional economic cost and operation and maintenance cost that a file storage system incurs when an Internet Content Adaptation Protocol (ICAP) antivirus architecture is adopted, which requires an antivirus server to be deployed independently. The antivirus service is integrated into a server of the file system, the Input/Output (IO) operations of a file are identified and the critical IO operations are intercepted, and a stored file is allowed to be operated on further after it has been subjected to security detection, so that file IO in the file system is protected in real time and the security of the storage system is ensured to the greatest extent.
It should be noted that, for the descriptions of the same steps and the same contents in this embodiment as those in other embodiments, reference may be made to the descriptions in other embodiments, which are not described herein again.
According to the security protection method provided by the embodiment of the application, security detection is performed on the target file each time before the target file is obtained, and the corresponding operation is performed on the target file after it is determined that the target file is not invaded by a virus. This greatly protects the security of the file system and the client and prevents the client and the file system from being poisoned after the file is invaded by a virus. It solves the problem in the related technology that, if a file is invaded by a virus in the period between the last detection and the next detection, using the file poisons the file system, and it improves the security of the file.
Based on the foregoing embodiments, embodiments of the present application provide a safety protection device, which may be applied to the safety protection method provided in the embodiments corresponding to fig. 1 to 2 and 4, and as shown in fig. 7, the safety protection device 4 may include:
a receiving unit 41 configured to receive an operation request for a target file; the operation request is used for acquiring a target file;
the detection unit 42 is used for performing security detection on the target file based on the operation request to obtain a first detection result;
and the processing unit 43 is configured to, when the first detection result indicates that the target file is not invaded by a virus, execute an operation corresponding to the operation request on the target file.
In other embodiments of the present application, the detecting unit 42 is further configured to, in a case that it is determined that the target file is updated, perform security detection on the updated target file to obtain a second detection result;
the processing unit 43 is further configured to, when the second detection result indicates that the updated target file is not invaded by a virus, perform a target operation on the updated target file.
In other embodiments of the present application, the detecting unit 42 is further configured to determine whether the target file has been subjected to security detection based on the operation request;
and the detection unit 42 is further configured to, in a case that it is determined that the target file has not been subjected to security detection, perform security detection on the target file based on the operation request, and obtain a first detection result.
In other embodiments of the present application, the detecting unit 42 is further configured to perform security detection on the target file or the updated target file based on an intelligent application in the file system by using a target process.
In other embodiments of the present application, the detecting unit 42 is further configured to send a detection request to the intelligent application through the target process;
the detection unit 42 is further configured to receive and store the first detection result or the second detection result sent by the intelligent application through the target process; and the first detection result and the second detection result are obtained after the intelligent application carries out safety detection on the target file and the updated target file.
In other embodiments of the present application, the processing unit 43 is further configured to send a first prompt message to the client when the first detection result indicates that the target file is invaded by a virus; the first prompt message is used for prompting that the target file is invaded by viruses;
the processing unit 43 is further configured to send a second prompt message to the client when the second detection result indicates that the updated target file is invaded by a virus; and the second prompt message is used for prompting that the updated target file is invaded by the virus.
In other embodiments of the present application, the intelligent application is deployed in the form of a container in a server of the file system.
It should be noted that, for specific descriptions of steps executed by each unit, reference may be made to descriptions in the security protection method provided in the embodiments corresponding to fig. 1 to 2 and 4, and details are not described here again.
The safety protection device provided by the embodiment of the application can perform security detection on the target file each time before the target file is obtained, and can perform the corresponding operation on the target file after it is determined that the target file is not invaded by a virus. This greatly protects the security of the file system and the client and prevents the client and the file system from being poisoned after the file is invaded by a virus. It solves the problem in the related technology that, if a file is invaded by a virus in the period between the last detection and the next detection, using the file poisons the file system, and it improves the security of the file.
Based on the foregoing embodiments, an embodiment of the present application provides a safety protection device, which may be applied to the safety protection method provided in the embodiments corresponding to fig. 1 to 2 and 4, and as shown in fig. 8, the safety protection device 5 may include: a processor 51, a memory 52, and a communication bus 53, wherein:
the communication bus 53 is used for realizing communication connection between the processor 51 and the memory 52;
the processor 51 is configured to execute a security program in the memory 52 to implement the following steps:
receiving an operation request aiming at a target file; the operation request is used for acquiring a target file;
carrying out security detection on the target file based on the operation request to obtain a first detection result;
and under the condition that the first detection result represents that the target file is not invaded by the virus, executing operation corresponding to the operation request on the target file.
In other embodiments of the present application, the processor 51 is configured to execute the security program in the memory 52 to further implement the following steps:
under the condition that the target file is determined to be updated, carrying out safety detection on the updated target file to obtain a second detection result;
and under the condition that the second detection result represents that the updated target file is not invaded by the virus, executing target operation on the updated target file.
In other embodiments of the present application, the processor 51 is configured to execute a security protection program in the memory 52 to perform security detection on a target file based on an operation request, and obtain a first detection result, so as to implement the following steps:
determining whether the target file is subjected to security detection or not based on the operation request;
and under the condition that the target file is determined not to be subjected to the security detection, performing the security detection on the target file based on the operation request to obtain a first detection result.
In other embodiments of the present application, the processor 51 is configured to execute the security detection of the security protection program in the memory 52, so as to implement the following step:
performing security detection on the target file or the updated target file by using a target process, based on the intelligent application in the file system.
In other embodiments of the present application, the processor 51 is configured to execute a target process of the security protection program in the memory 52, and perform security detection on the target file and the updated target file based on the intelligent application in the idle state in the file system, so as to implement the following steps:
sending a detection request to the intelligent application through the target process;
receiving and storing a first detection result or a second detection result sent by the intelligent application through the target process; and the first detection result and the second detection result are obtained after the intelligent application carries out safety detection on the target file and the updated target file.
In other embodiments of the present application, the processor 51 is configured to execute the security program in the memory 52 to further implement the following steps:
under the condition that the first detection result represents that the target file is invaded by the virus, sending a first prompt message to the client; the first prompt message is used for prompting that the target file is invaded by viruses;
under the condition that the second detection result represents that the updated target file is invaded by the virus, a second prompt message is sent to the client; and the second prompt message is used for prompting that the updated target file is invaded by the virus.
In other embodiments of the present application, the intelligent application is deployed in the form of a container in a server of the file system.
It should be noted that, for specific description of the steps executed by the processor, reference may be made to the description in the security protection method provided in the embodiments corresponding to fig. 1 to 2 and 4, and details are not described here again.
The safety protection device provided by the embodiment of the application can perform security detection on the target file each time before the target file is obtained, and can perform the corresponding operation on the target file after it is determined that the target file is not invaded by a virus. This greatly protects the security of the file system and the client and prevents the client and the file system from being poisoned after the file is invaded by a virus. It solves the problem in the related technology that, if a file is invaded by a virus in the period between the last detection and the next detection, using the file poisons the file system, and it improves the security of the file.
Based on the foregoing embodiments, embodiments of the present application provide a computer-readable storage medium storing one or more programs, which are executable by one or more processors to implement the steps of the security protection method provided by the embodiments corresponding to fig. 1-2 and 4.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present application, and is not intended to limit the scope of the present application.

Claims (10)

1. A method of safety protection, the method comprising:
receiving an operation request aiming at a target file; the operation request is used for acquiring the target file;
performing security detection on the target file based on the operation request to obtain a first detection result;
and under the condition that the first detection result represents that the target file is not invaded by the virus, executing the operation corresponding to the operation request on the target file.
2. The method of claim 1, further comprising:
under the condition that the target file is determined to be updated, carrying out safety detection on the updated target file to obtain a second detection result;
and under the condition that the second detection result represents that the updated target file is not invaded by viruses, executing target operation on the updated target file.
3. The method of claim 1, wherein the performing security detection on the target file based on the operation request to obtain the first detection result comprises:
determining whether the target file is subjected to security detection or not based on the operation request;
and under the condition that the target file is determined not to be subjected to security detection, performing security detection on the target file based on the operation request to obtain the first detection result.
4. The method of claim 2 or 3, wherein the performing security detection comprises:
and carrying out security detection on the target file or the updated target file by adopting a target process based on intelligent application in a file system.
5. The method of claim 4, wherein the performing, with the target process, security detection on the target file or the updated target file based on the intelligent application in the idle state in the file system comprises:
sending a detection request to the intelligent application through the target process;
receiving and storing the first detection result or the second detection result sent by the intelligent application through the target process; and the first detection result and the second detection result are obtained after the intelligent application carries out safety detection on the target file and the updated target file.
6. The method according to claim 1 or 2, characterized in that the method further comprises:
under the condition that the first detection result represents that the target file is invaded by viruses, sending a first prompt message to a client; the first prompt message is used for prompting that the target file is invaded by a virus;
under the condition that the second detection result represents that the updated target file is invaded by viruses, a second prompt message is sent to the client; and the second prompt message is used for prompting that the updated target file is invaded by viruses.
7. The method of claim 1, wherein the intelligent application is deployed in the form of a container in a server of the file system.
8. A safety shield apparatus, the apparatus comprising:
a receiving unit configured to receive an operation request for a target file; the operation request is used for acquiring the target file;
the detection unit is used for carrying out safety detection on the target file based on the operation request to obtain a first detection result;
and the processing unit is used for executing the operation corresponding to the operation request on the target file under the condition that the first detection result represents that the target file is not invaded by the virus.
9. A safety shield apparatus, comprising: a processor, a memory, and a communication bus;
the communication bus is used for realizing communication connection between the processor and the memory;
the processor is configured to execute a security program in the memory to implement the steps of the security method according to any one of claims 1 to 7.
10. A computer readable storage medium, storing one or more programs, which are executable by one or more processors to implement the steps of the security method of any of claims 1 to 7.
CN202211185494.6A 2022-09-27 2022-09-27 Safety protection method, device, equipment and computer readable storage medium Pending CN115510484A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211185494.6A CN115510484A (en) 2022-09-27 2022-09-27 Safety protection method, device, equipment and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN115510484A true CN115510484A (en) 2022-12-23

Family

ID=84506318

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211185494.6A Pending CN115510484A (en) 2022-09-27 2022-09-27 Safety protection method, device, equipment and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN115510484A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination