
CN102419803A - Computer virus searching and killing method, system and device - Google Patents


Info

Publication number: CN102419803A
Authority: CN (China)
Prior art keywords: virtual machine; image data; mirror image; virus; data
Legal status: Granted (active)
Application number: CN201110338866XA
Other languages: Chinese (zh)
Other versions: CN102419803B (en)
Inventor: 王奇飞
Current Assignee: Chengdu Huawei Technology Co Ltd
Original Assignee: Huawei Symantec Technologies Co Ltd
Application filed by Huawei Symantec Technologies Co Ltd
Priority to CN201110338866.XA
Publication of CN102419803A
Application granted
Publication of CN102419803B

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a computer virus searching and killing method, system and device, which are used for solving the problem of complex operation in the virus searching and killing process of a virtual machine in the prior art. The method comprises the following steps: the virus searching and killing server obtains the storage position of the virtual machine mirror image data; mounting mirror image data of the virtual machine according to the storage position of the mirror image data of the virtual machine, and mapping the mirror image data into a virtual disk in a file system of a virus searching and killing server; operating a virus scanning engine, and scanning the virtual disk according to the characteristics of the known viruses in a virus characteristic library; and if the scanning result shows that the virus is found, performing virus elimination. According to the scheme, antivirus software does not need to be installed in the virtual machine, and antivirus operation of a user is not needed, so that the operation of the user is greatly simplified.

Description

Computer virus checking and killing method, system and device
Technical field
The present invention relates to the field of computer and communication technology, and in particular to a computer virus checking and killing method, a computer virus checking and killing system, and a computer virus checking and killing device.
Background
Cloud computing refers to a delivery and usage model for information technology infrastructure in which users obtain the resources they need over the network, on demand and in an easily scalable way. Cloud computing has also been extended to a delivery and usage model for services, in which users obtain the services they need over the network, on demand and in an easily scalable way. The core idea of cloud computing is to manage and schedule, in a unified way, a large number of resources connected by a network (resources here include storage resources, computing resources and various application software), forming a resource pool that provides services to users on demand. The network that provides the resources is called the "cloud".
Cloud computing is an important application scenario for hardware virtualization. Hardware virtualization creates one or more virtual machines on one physical host, so that several or even dozens of virtual machines can share the hardware resources of one physical host. A cloud service provider offers many virtual machines (which may be distributed across different physical hosts) for users to rent; when these virtual machines are all running, they effectively form one huge computer cluster network. If one of the virtual machines carries a computer virus, the virus may spread to the other virtual machines in the cluster network and cause network congestion, information theft, network connection failures and so on.
To deal with computer viruses in virtual machines, the prior art provides two solutions. In the first, the user installs antivirus software in the virtual machine to check for and kill viruses; the process is similar to virus checking and killing on an ordinary host. In the second, the user uses the browser of the virtual machine to visit an online antivirus website provided by an antivirus software vendor and, as prompted by the web page, installs a browser plug-in in a form such as ActiveX or a Java applet; on subsequent visits to the online antivirus website, online virus removal is carried out through message exchange between the browser plug-in and the website.
In the course of realizing the present invention, the inventor found that the prior art has at least the following defects: both prior-art solutions require a virus checking and killing client to be installed in the virtual machine, and the user has to choose and install suitable antivirus software, or choose a suitable online antivirus website to visit. This places high demands on the user's skills, and the operation is cumbersome.
Summary of the invention
An embodiment of the invention provides a computer virus checking and killing method, in order to solve the problem in the prior art that virus checking and killing for a virtual machine is cumbersome to operate.
Correspondingly, an embodiment of the invention also provides a computer virus checking and killing device.
The technical solutions provided by the embodiments of the invention are as follows:
A computer virus checking and killing method, comprising:
the virus checking and killing server obtains the storage location of the virtual machine image data;
the image data of the virtual machine is mounted according to the storage location of the virtual machine image data, and the image data is mapped to a virtual disk in the file system of the virus checking and killing server;
a virus scanning engine is run to scan the virtual disk according to the signatures of known viruses in a virus signature library; if the scan result finds a virus, the corresponding antivirus program is called to remove the virus.
A computer virus checking and killing device, comprising:
an image data acquisition module, used to obtain the storage location of the virtual machine image data;
a mount module, used to mount the image data of the virtual machine according to the storage location of the virtual machine image data and to map the image data to a virtual disk in the file system of the virus checking and killing server;
a scan execution module, used to trigger the virus scanning engine after the mount module has mounted the image data of the virtual machine, and to scan the virtual disk according to the signatures of known viruses in the virus signature library;
an antivirus execution module, used to call the corresponding antivirus program to remove the virus if the scan result of the scan execution module finds a virus.
In the technical solution of the embodiment of the invention, the virus checking and killing server first mounts the image data of the virtual machine and runs a virus scan on the virtual disk to which the mounted image data is mapped; when the scan result finds a virus, it calls the corresponding antivirus program to remove the virus, thereby checking and killing viruses for the virtual machine. In this solution no antivirus software needs to be installed in the virtual machine and the user does not need to perform any antivirus operation, which greatly simplifies the user's operation.
Description of drawings
To illustrate the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the main implementation principle of the embodiment of the invention;
Fig. 2a is a schematic diagram of the deployment environment of the computer virus checking and killing system provided by the embodiment of the invention;
Fig. 2b is a schematic diagram of image data stored in a first kind of distributed storage device in the embodiment of the invention;
Fig. 2c is a schematic diagram of image data stored in a second kind of distributed storage device in the embodiment of the invention;
Fig. 3 is a detailed flow chart of the computer virus checking and killing method provided by the embodiment of the invention;
Fig. 4 is a structural diagram of a computer virus checking and killing device provided by the embodiment of the invention;
Fig. 5 is a structural diagram of the mount module in the computer virus checking and killing device provided by the embodiment of the invention;
Fig. 6 is a structural diagram of the determining unit in the computer virus checking and killing device provided by the embodiment of the invention.
Embodiment
Besides being cumbersome for the user and carrying a relatively high virus checking and killing risk, the prior art also has the problem that antivirus coverage is hard to control, because it is unrealistic to require every virtual machine user to install antivirus software on their own initiative; once some users fail to install antivirus software as required, computer viruses can still spread in the network. In addition, where antivirus software has been installed in the virtual machines, updating and maintaining the antivirus software in each virtual machine is also hard to control.
To solve these problems of the prior art, the embodiments of the invention provide a computer virus checking and killing method and system. In this embodiment, "computer virus" is a broad concept that includes various kinds of malicious code such as Trojan horses and rogue programs.
The main implementation principle of the technical solution of the embodiments, its specific implementations and the beneficial effects it can achieve are described in detail below with reference to the drawings.
As shown in Fig. 1, the main implementation flow of the embodiment of the invention is as follows:
Step 10: the virus checking and killing server obtains the storage location of the virtual machine image data.
Here, image data is the static storage form of a virtual machine instance and contains the virtual machine's operating system files, user files and so on. In a cloud computing infrastructure architecture, the storage resources and the running resources of a virtual machine may be located in different physical entities. When a virtual machine is allocated to a user, the physical host used to start the virtual machine starts it by loading the image data of that virtual machine.
The payload data in the image data (the virtual machine's operating system files, user files and so on) is stored in the same way as data in a personal computer; that is, the field definitions and so on of the physical disk sectors used to store the data are the same. The difference is that different virtual machine vendors encapsulate the payload data and add a data header, producing new image data; some vendors also apply processing such as compression to the image data.
Step 20: the virus checking and killing server mounts the image data of the virtual machine according to the storage location of the virtual machine image data, mapping the image data to a virtual disk in the file system of the virus checking and killing server.
As for mounting specifically, the form of the result of the mount operation differs between operating systems. In this embodiment, a virtual disk is a storage object that the operating system of the virus checking and killing server can recognize.
When the virus checking and killing server runs a Windows-family operating system, the image data is mapped to a drive in the server's file system after mounting completes; when the server runs a Linux- or UNIX-family operating system, the image data is mapped to a block device in the server's file system after mounting completes. Whether the result is a drive or a block device, the subsequent operations work in basically the same way.
Step 30: the virus checking and killing server runs the virus scanning engine to scan the drive or block device; if the scan result finds a virus, virus removal is performed.
Optionally, because the image data may be modified in real time once the virtual machine is active (that is, when the virtual machine has been started), mounting the image data at that time and scanning the drive or block device it maps to may fail to guarantee that the scan result correctly reflects the security state of the image data as modified in real time, and may also affect the performance of the virtual machine. Therefore, before step 10, the method further includes:
The virus checking and killing server obtains the current working state of the virtual machine, the working state being active, suspended or shut down, and determines that the current working state of the virtual machine is inactive.
That is, the virus checking and killing server selects virtual machines whose current working state is inactive and performs steps 10 to 30 on them.
Further, in step 20, after obtaining the storage location of the virtual machine image data, the virus checking and killing server determines the format type of the image data and then calls the mount program corresponding to that type to mount the virtual machine image data. The specific way of determining the image data type is described in detail in the embodiment below.
Optionally, so that the user learns the security state of the virtual machine promptly, in particular the user of a virtual machine in which the scan found a virus, the method further includes after step 30: the virus checking and killing server notifies the virtual machine user of the information that the scan result found a virus. For example, the server sends a notification e-mail to the mailbox of the virtual machine user, the e-mail carrying the information that the scan result found a virus; or it sends a notification message to the terminal device of the virtual machine user, the message carrying the information that the scan result found a virus.
An embodiment is described in detail below to explain and illustrate the main implementation principle of the method according to the above inventive principle.
Fig. 2a is a schematic diagram of the deployment environment of the computer virus checking and killing system provided by the embodiment of the invention. The system includes at least one virus checking and killing server, at least one elastic computing controller, at least one physical host and a distributed storage device. The elastic computing controller is a core component of existing cloud computing infrastructure architectures; it is the hub that manages storage resources, computing resources and other resources. The management list it stores holds information such as the identifier of the physical host used to start each virtual machine and the storage address of the image data corresponding to each virtual machine instance, as shown in Table 1. When a virtual machine is allocated to a user, the management list is read and the physical host used to start the virtual machine is instructed to read the image data from the storage address of that virtual machine's image data and load it, thereby starting the virtual machine.
In this embodiment, the image data of each virtual machine is stored in the distributed storage device; a storage area network (SAN, Storage Area Network) and network attached storage (NAS, Network Attached Storage) are used as the two examples of a distributed storage device.
How image data is stored in the distributed storage device depends on the type of the device. For a SAN, for example, the virtual machine image data is hard disk sector data in a designated storage space (the virtual machine image data area). Other devices, such as the physical host used to start a virtual machine, can access the image data area on the SAN that corresponds to the virtual machine to be started by means of an access request carrying "IP address + port number"; each "IP address + port number" corresponds to one storage area in the SAN, as shown in Fig. 2b.
For a NAS, the virtual machine image data is an image file under a designated storage path. Other devices, such as the physical host used to start a virtual machine, can access the image file on the NAS that corresponds to the virtual machine to be started through the Network File System (NFS), as shown in Fig. 2c.
In Table 1, the image data of virtual machines VM1 and WM2 is stored in the NAS, and the image data of virtual machine VM3 is stored in the NAS.
Note that Fig. 2a shows one example of a cloud computing infrastructure architecture. The computer virus checking and killing method provided by the embodiment of the invention also applies to other architectures, for example ones in which a management database maintains the correspondence between virtual machine identifiers and image data addresses.
Table 1
Figure BDA0000104351840000071
Fig. 3 is a detailed flow chart of the computer virus checking and killing method provided by the embodiment of the invention.
Step 301: the virus checking and killing server starts a scan task.
Optionally, the virus checking and killing server starts scan tasks periodically according to configuration information, for example one scan task per week. In addition, a time period in which most virtual machines are inactive can be chosen for starting scan tasks, for example from 23:00 at night to 6:00 in the morning. The working states of the virtual machines can be obtained from historical statistics.
Step 302: the virus checking and killing server reads the current working state of each virtual machine from the elastic computing controller. The working state of a virtual machine is active, suspended or shut down. Inactive means suspended or shut down.
The virus checking and killing server can process the virtual machines in parallel or serially, performing steps 303 to 311 for each virtual machine; virtual machine WM1 is used as the example here.
Step 303: the virus checking and killing server judges whether the working state of the virtual machine is active. If it is active, virus checking and killing is not performed on this virtual machine; if it is inactive, the flow goes to step 304.
Optionally, if the virtual machine is active, the virus checking and killing server can read the working state of the virtual machine again after waiting for a set period. The set period is chosen from empirical statistics, for example waiting 2 hours before reading the working state of the virtual machine again.
In this embodiment, the current working state of WM1 is shut down.
Step 304: the virus checking and killing server obtains the storage location of the virtual machine image data.
Optionally, in this embodiment, the virus checking and killing server exchanges messages with the elastic computing controller to obtain, from the controller's management list, the storage location of the image data corresponding to virtual machine WM1. In a SAN system the storage location of the image data is the address of the image data area; in a NAS system it is the storage path of the image file.
In other forms of cloud computing architecture, the storage location of the virtual machine image data can be obtained from the database that maintains the correspondence between virtual machine identifiers and image data addresses.
Step 305: the virus checking and killing server determines the data format type of the virtual machine image data.
Optionally, the ways of determining the data format type of the image data include but are not limited to:
Mode one:
The virus checking and killing server first tests, according to the storage location of the virtual machine image data, whether the data header of the image data can be read successfully.
If the data header can be read successfully, the data format type of the image data is determined from the data header. For example, according to the definition of the image data format, the data format type field in the data header is read from the storage address and compared with the identifier of each type; if they match, the type of the virtual machine image data is determined to be the data format type whose type identifier matches the field that was read. Image data types include QCOW (QEMU Copy-on-write), VMDK (VMware Virtual Machine Disk Format), VHD (Microsoft Virtual Hard Disk format), VDI (Sun xVM VirtualBox Virtual Disk Images) and so on; one virtual machine system may be compatible with several image data types.
If the data header cannot be read successfully, the server tests whether the image data can be parsed successfully as RAW format. If the parsing succeeds, the data format type of the image data is determined to be RAW; otherwise the image data type cannot be identified and the mount fails. RAW-format image data is stored in the same way as data in a personal computer; that is, it corresponds 1:1 to physical disk data, with no encapsulation on top of the physical disk data, so it is parsed according to the physical disk data layout. The features of the physical disk data layout include but are not limited to: sector 0 (the first 512 bytes) is the master boot record (MBR), and the signature word "55AA" is present at the end of this sector; taking the start of sector 0 as the base, the data at offsets 01BEH-01FDH is the disk partition table, which contains fields describing the file system identifier of each partition; and so on.
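Mode one as an added example (not code from the patent or from any product it describes): a Python probe that checks header signatures for the four named formats, then falls back to the RAW test using the "55AA" signature word and the partition table at 01BEH-01FDH. The signature values come from the formats' published layouts rather than from the patent, and the function names, the fixed-VHD footer check and the plausibility checks on partition entries are assumptions of this example.

```python
"""Probe a VM disk image's format from its header, with a RAW/MBR fallback."""
import os
import struct
from typing import List, NamedTuple, Optional, Tuple

SECTOR = 512
# (offset, magic bytes, format name) for the image formats named in the text.
MAGICS = [
    (0, b"QFI\xfb", "QCOW"),                        # QEMU copy-on-write header
    (0, b"KDMV", "VMDK"),                           # VMware sparse extent header
    (0, b"conectix", "VHD"),                        # dynamic VHD: footer copy at offset 0
    (0x40, struct.pack("<I", 0xBEDA107F), "VDI"),   # VirtualBox image signature
]


class Partition(NamedTuple):
    index: int
    bootable: bool
    type_id: int       # partition type byte, e.g. 0x83 (Linux) or 0x07 (NTFS)
    first_lba: int
    sectors: int


def parse_mbr(sector0: bytes, image_sectors: int) -> Optional[List[Partition]]:
    """Return the partitions if sector 0 is a plausible MBR, otherwise None."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        return None                       # signature word 55AA missing
    parts = []
    for i in range(4):                    # four 16-byte entries at 01BEH-01FDH
        entry = sector0[0x1BE + 16 * i:0x1BE + 16 * (i + 1)]
        status, type_id = entry[0], entry[4]
        first_lba, count = struct.unpack_from("<II", entry, 8)
        if type_id == 0:
            continue                      # unused slot
        if status not in (0x00, 0x80):
            return None                   # e.g. a bare file system boot sector
        if first_lba == 0 or count == 0 or first_lba + count > image_sectors:
            return None                   # entry points outside the image
        parts.append(Partition(i, status == 0x80, type_id, first_lba, count))
    return parts or None


def detect_format(head: bytes, tail: bytes, size: int
                  ) -> Tuple[Optional[str], Optional[List[Partition]]]:
    """Header signature first, then the RAW test; (None, None) means mount fails."""
    for offset, magic, name in MAGICS:
        if head[offset:offset + len(magic)] == magic:
            return name, None
    if tail[-SECTOR:][:8] == b"conectix":
        return "VHD", None                # fixed VHD: raw payload plus trailing footer
    parts = parse_mbr(head[:SECTOR], size // SECTOR)
    return ("RAW", parts) if parts else (None, None)


def detect_file(path: str):
    """Read only the first and last sector of an image file and classify it."""
    with open(path, "rb") as f:
        head = f.read(SECTOR)
        size = f.seek(0, os.SEEK_END)
        f.seek(max(0, size - SECTOR))
        tail = f.read(SECTOR)
    return detect_format(head, tail, size)


def build_sample_mbr(status=0x80, type_id=0x83, first_lba=2048, sectors=2048) -> bytes:
    """Constructed sample input: a sector 0 holding one partition entry."""
    entry = struct.pack("<B3sB3sII", status, b"", type_id, b"", first_lba, sectors)
    return bytes(0x1BE) + entry + bytes(48) + b"\x55\xaa"


if __name__ == "__main__":
    two_mib = 4096 * SECTOR
    print(detect_format(build_sample_mbr(), b"", two_mib))
    print(detect_format(b"QFI\xfb" + bytes(508), b"", two_mib))
    print(detect_format(bytes(510) + b"\x55\xaa", b"", two_mib))
```

Because the header bytes come from storage the virtual machine's owner can write to, a result from this probe is best cross-checked against the type recorded when the image was created (mode two) before a format-specific mount program is chosen.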
Mode two:
When the image data corresponding to a virtual machine instance is created in response to a user's virtual machine request, the type identifier of each virtual machine's image data is recorded in a database; in this embodiment, the type identifier can be recorded in the management list maintained by the elastic computing controller, as shown in Table 2. When the virus checking and killing server needs to know the image data type of a virtual machine, for example that of virtual machine WM1, it exchanges messages with the elastic computing controller to obtain the image data type stored in the controller's management list. For example, the virus checking and killing server sends the elastic computing controller a type confirmation request message carrying the virtual machine identifier "WM1" or the storage location of the virtual machine image data, "192.168.0.1:/vmimages/vm1.raw"; the elastic computing controller looks up the management list according to the virtual machine identifier or the storage location carried in the request, and returns the image data type it finds, "raw", to the virus checking and killing server in a type confirmation response message. The virus checking and killing server then extracts the image data type carried in the type confirmation response message.
Table 2
Figure BDA0000104351840000091
In this embodiment, the image data type of virtual machine WM1 is QCOW.
Step 306: the virus checking and killing server calls the mount program corresponding to the data format type to mount the virtual machine image data.
In this embodiment, according to the image data type of WM1, QCOW, the virus checking and killing server calls the mount program corresponding to data format type QCOW to mount the image data of WM1.
Most existing operating systems provide commands or command sets that implement mounting, such as mount and kpartx in Linux systems.
During mounting, the file system type inside the virtual machine image data (that is, the file system type of the virtual machine) is determined according to the correspondence between image data type and file system type. The file system type inside the image data can be FAT16 (16-bit File Allocation Table), FAT32, EXT2 (second extended file system), EXT3 (third extended file system), NTFS (New Technology File System) and so on; during mounting, the driver corresponding to the file system type is needed to support the file system.
After mounting completes, the image data is mapped to a drive in the file system of the virus checking and killing server, and subsequent operations on files on this drive are equivalent to operations on files in the virtual machine.
After the virus checking and killing server mounts the image data of WM1, the image data of WM1 is mapped to drive DriverW1.
Step 307: the virus checking and killing server runs a virus scan on the drive to which the virtual machine image data is mapped and obtains the scan result.
The virus checking and killing server runs the virus scanning engine and scans drive DriverW1 according to the signatures of known viruses in the enterprise-grade virus signature library.
Step 308: the virus checking and killing server judges whether a virus was found in the scan result; if so, the flow goes to step 309, otherwise it goes to step 311.
Step 309: the corresponding antivirus program is called to remove or quarantine the virus.
Step 310: the virus checking and killing server notifies the virtual machine user of the information that the scan result found a virus.
For example, the virus checking and killing server sends a notification e-mail to the mailbox of the virtual machine user, the e-mail carrying the information that the scan result found a virus; or it sends a notification message to the terminal device of the virtual machine user, the message carrying the information that the scan result found a virus. The information that the scan result found a virus can include the list of viruses found in the scan result, a description of each virus in the list, and so on.
Steps 309 and 310 are not restricted to any particular order and can also be performed in parallel.
Step 311: the image data of the virtual machine is unmounted.
In the technical solution provided by the embodiment of the invention, the image data of the virtual machine is first mounted and a virus scan is run on the drive to which the mounted image data is mapped; when the scan result finds a virus, the corresponding antivirus program is called to remove it, thereby checking and killing viruses for the virtual machine. No antivirus software needs to be installed in the virtual machine in this solution, which greatly simplifies the user's operation and solves the problem that updating and maintaining the versions of antivirus software installed in virtual machines is hard to control. Virus checking and killing can also be performed on all virtual machines within a specified range, which guarantees the coverage of virus checking and killing.
In addition, because the virus scanning engine only needs to be installed in the virus checking and killing server, storage space is saved compared with the prior art, in which antivirus software is installed in every virtual machine. Because the virus checking and killing server has advantages over a virtual machine in processing performance and storage space, it can support a high-end virus scanning engine and an enterprise-grade virus signature library, which improves the effectiveness of virus checking and killing.
Correspondingly, the embodiment of the invention also provides a kind of computer virus checking and killing device, and is as shown in Figure 4, and this device comprises mirror image data acquisition module 401, carry module 402, scanning execution module 403, virus killing execution module 404, and is specific as follows:
Mirror image data acquisition module 401 is used to obtain the memory location of virtual machine image data;
Carry module 402 is used for the memory location according to the virtual machine image data, and the mirror image data of carry virtual machine is mapped as a virtual disk in the checking and killing virus server file system with said mirror image data;
Scanning execution module 403 is used for after the mirror image data of carry module 402 carry virtual machines, triggers the operation virus scanning engine, and said virtual disk is scanned;
Virus killing execution module 404 is used for then carrying out virus sweep if the scanning result of scanning execution module 403 is found virus.
Alternatively, for the accuracy that guarantees scanning result with reduce the virtual machine Effect on Performance, said computer virus checking and killing device also comprises:
Duty acquisition module 405 is used to obtain virtual machine work at present state, and the duty of said virtual machine is for activating, hang up or shutdown; When the work at present state of confirming said virtual machine is unactivated state, trigger the memory location that mirror image data acquisition module 401 obtains said virtual machine image data.
Accompanying drawing 5 is the structural representation of carry module in the said computer virus checking and killing device, and carry module 402 comprises:
Confirm unit 501, be used for confirming said virtual machine image type of data;
Carry unit 502 is used for according to the virtual machine image type of data of confirming that unit 501 is determined, calls the virtual machine image data on the memory location of the corresponding said virtual machine image data of carry program carry.
Please with reference to accompanying drawing 6, for confirming the structural representation of unit 501 in the said computer virus checking and killing device.Confirm that unit 501 specifically comprises:
The first test subelement 601 is used for the memory location according to said virtual machine image data, and whether test can successfully read the data head of mirror image data;
First confirms subelement 602, is used for then according to the type of data format field in the said data head, confirming the type of data format of said mirror image data if the first test subelement 601 can successfully read the data head of mirror image data;
The second test subelement 603 is used for then testing according to the RAW form whether can successfully resolve said mirror image data if the first test subelement 601 can not successfully read the data head of mirror image data;
Second confirms subelement 604, is used for confirming that then the type of data format of said mirror image data is the RAW form if the second test subelement 603 can successfully be resolved said mirror image data.
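The two-stage type check performed by subunits 601 to 604, as an added Python example that is not part of the patent. The qcow2 and VMDK magic values, the MBR/GPT test used for "can be parsed as RAW", and all function names are assumptions, since this section specifies no concrete header layout.

```python
import os
import struct
import tempfile

# Header magics from the public qcow2 and VMDK sparse-extent formats
# (assumed formats; the patent text names no concrete header layout).
HEADER_MAGICS = {b"QFI\xfb": "qcow2", b"KDMV": "vmdk"}


def read_header_type(path):
    """First test: read the data header and map its format field to a type."""
    with open(path, "rb") as f:
        magic = f.read(4)
    return HEADER_MAGICS.get(magic)  # None means no recognizable header


def parses_as_raw(path):
    """Second test: a RAW image is a plain disk, so its first sectors must look like one.

    Accepts an MBR boot signature (0x55AA at offset 510) or a GPT header
    ("EFI PART" at the start of sector 1).
    """
    with open(path, "rb") as f:
        first = f.read(1024)
    if len(first) < 512:
        return False
    has_mbr = first[510:512] == b"\x55\xaa"
    has_gpt = first[512:520] == b"EFI PART"
    return has_mbr or has_gpt


def determine_image_type(path):
    """Return "qcow2", "vmdk", "raw", or None when neither test succeeds."""
    header_type = read_header_type(path)
    if header_type is not None:
        return header_type
    if parses_as_raw(path):
        return "raw"
    return None  # unknown type: do not hand the file to any mounting program


def _write_sample(data):
    """Write constructed sample bytes to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo():
    """Run the check over three constructed images and return the detected types."""
    qcow2 = b"QFI\xfb" + struct.pack(">I", 3) + b"\x00" * 504  # magic + version 3
    raw = b"\x00" * 510 + b"\x55\xaa" + b"\x00" * 512          # empty MBR disk
    junk = b"\x00" * 1024                                       # neither test passes
    paths = [_write_sample(d) for d in (qcow2, raw, junk)]
    try:
        return [determine_image_type(p) for p in paths]
    finally:
        for p in paths:
            os.remove(p)


if __name__ == "__main__":
    print(demo())
```

The header bytes inspected here are written by the guest, so where the controller has recorded the image type at creation time (the alternative in claim 6), that record is the more trustworthy input to the choice of mounting program.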
A person of ordinary skill in the art will understand that all or part of the steps of the methods in the foregoing embodiments may be carried out by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, such as a ROM/RAM, a magnetic disk or an optical disc.
Obviously, a person skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these changes and modifications fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.

Claims (11)

1. A computer virus searching and killing method, characterized by comprising:
The virus searching and killing server obtains the storage location of the virtual machine mirror image data;
Mounting the mirror image data of the virtual machine according to the storage location of the virtual machine mirror image data, and mapping the mirror image data into a virtual disk in the file system of the virus searching and killing server;
Running a virus scanning engine to scan the virtual disk; if the scanning result shows that a virus has been found, performing virus removal.
2. The method of claim 1, characterized in that, before the virus searching and killing server obtains the storage location of the virtual machine mirror image data, the method further comprises:
The virus searching and killing server obtains the current working state of the virtual machine, the working state of the virtual machine being active, suspended or shut down;
After the current working state of the virtual machine is determined to be a non-active state, proceeding to the step in which the virus searching and killing server obtains the storage location of the virtual machine mirror image data.
3. The method of claim 2, characterized in that:
The virus searching and killing server obtaining the current working state of the virtual machine comprises: the virus searching and killing server obtains the current working state of the virtual machine from an elastic computing controller;
The virus searching and killing server obtaining the storage location of the virtual machine mirror image data comprises: the virus searching and killing server obtains the storage location of the virtual machine mirror image data from the elastic computing controller;
The elastic computing controller maintains the current working state of each virtual machine and stores the storage location of the mirror image data of each virtual machine.
4. The method of claim 1, 2 or 3, characterized in that mounting the virtual machine mirror image data according to the storage location of the virtual machine mirror image data comprises:
Determining the type of the virtual machine mirror image data;
According to the type of the virtual machine mirror image data, calling the corresponding mounting program to mount the virtual machine mirror image data at the storage location of the virtual machine mirror image data.
5. The method of claim 4, characterized in that determining the type of the virtual machine mirror image data comprises:
Testing, according to the storage location of the virtual machine mirror image data, whether the data header of the mirror image data can be read successfully;
If the data header of the mirror image data can be read successfully, determining the data format type of the mirror image data according to the data format type field in the data header;
If the data header of the mirror image data cannot be read successfully, testing whether the mirror image data can be successfully parsed as the RAW format, and if the mirror image data can be successfully parsed, determining that the data format type of the mirror image data is the RAW format.
6. The method of claim 4, characterized in that determining the type of the virtual machine mirror image data comprises:
Sending to the elastic computing controller a type confirmation request message carrying the virtual machine identifier or the storage location of the virtual machine mirror image data;
Receiving the type confirmation response message returned by the elastic computing controller;
Extracting the type of the mirror image data carried in the type confirmation response message; the type of the mirror image data is found by the elastic computing controller, according to the virtual machine identifier in the type confirmation request message, from the correspondence between virtual machine identifiers and mirror image data types saved when the virtual machine image file was created; or is found by the elastic computing controller, according to the storage location in the type confirmation request message, from the correspondence between storage locations of virtual machine mirror image data and mirror image data types saved when the virtual machine mirror image data was created.
7. The method of claim 1, 2, 3, 5 or 6, characterized in that, after the virtual disk is scanned, the method further comprises: unmounting the mirror image data of the virtual machine.
8. A computer virus searching and killing device, characterized by comprising:
A mirror image data acquisition module, configured to obtain the storage location of the virtual machine mirror image data;
A mounting module, configured to mount the mirror image data of the virtual machine according to the storage location of the virtual machine mirror image data, mapping the mirror image data into a virtual disk in the file system of the virus searching and killing server;
A scanning execution module, configured to trigger the virus scanning engine to run and scan the virtual disk after the mounting module has mounted the mirror image data of the virtual machine;
A virus killing execution module, configured to perform virus removal if the scanning result of the scanning execution module shows that a virus has been found.
9. The device of claim 8, characterized by further comprising:
A working state acquisition module, configured to obtain the current working state of the virtual machine, the working state of the virtual machine being active, suspended or shut down; when the current working state of the virtual machine is determined to be a non-active state, it triggers the mirror image data acquisition module to obtain the storage location of the virtual machine mirror image data.
10. The device of claim 8 or 9, characterized in that the mounting module comprises:
A determining unit, configured to determine the type of the virtual machine mirror image data;
A mounting unit, configured to call, according to the type of the virtual machine mirror image data determined by the determining unit, the corresponding mounting program to mount the virtual machine mirror image data at the storage location of the virtual machine mirror image data.
11. The device of claim 10, characterized in that the determining unit comprises:
A first test subunit, configured to test, according to the storage location of the virtual machine mirror image data, whether the data header of the mirror image data can be read successfully;
A first determining subunit, configured to determine the data format type of the mirror image data according to the data format type field in the data header, if the first test subunit can successfully read the data header of the mirror image data;
A second test subunit, configured to test whether the mirror image data can be successfully parsed as the RAW format, if the first test subunit cannot successfully read the data header of the mirror image data;
A second determining subunit, configured to determine that the data format type of the mirror image data is the RAW format, if the second test subunit can successfully parse the mirror image data.
CN201110338866.XA 2011-11-01 2011-11-01 Method, system and device for searching and killing computer virus Active CN102419803B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110338866.XA CN102419803B (en) 2011-11-01 2011-11-01 Method, system and device for searching and killing computer virus

Publications (2)

Publication Number Publication Date
CN102419803A true CN102419803A (en) 2012-04-18
CN102419803B CN102419803B (en) 2014-12-03

Family

ID=45944210

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110338866.XA Active CN102419803B (en) 2011-11-01 2011-11-01 Method, system and device for searching and killing computer virus

Country Status (1)

Country Link
CN (1) CN102419803B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101098226A (en) * 2006-06-27 2008-01-02 飞塔信息科技(北京)有限公司 Online real-time virus processing system and method
US20090158432A1 (en) * 2007-12-12 2009-06-18 Yufeng Zheng On-Access Anti-Virus Mechanism for Virtual Machine Architecture
CN101827104A (en) * 2010-04-27 2010-09-08 南京邮电大学 Multi anti-virus engine-based network virus joint defense method
CN101977188A (en) * 2010-10-14 2011-02-16 中国科学院计算技术研究所 Malicious program detection system

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102819470A (en) * 2012-08-13 2012-12-12 广州杰赛科技股份有限公司 Private cloud computing platform-based virtual machine repair method
CN102902925A (en) * 2012-09-29 2013-01-30 北京奇虎科技有限公司 Infected file processing method and system
CN102930208A (en) * 2012-09-29 2013-02-13 北京奇虎科技有限公司 Method and system for processing files affected by virus
CN102930208B (en) * 2012-09-29 2015-11-25 北京奇虎科技有限公司 A kind of disposal route of file of contaminating and system
CN105339925A (en) * 2013-06-18 2016-02-17 国际商业机器公司 Passive monitoring of virtual systems using agent-less, near-real-time indexing
CN104008338B (en) * 2014-05-08 2017-06-27 北京金山安全软件有限公司 Android malicious program processing method, device and equipment
CN104298918A (en) * 2014-09-12 2015-01-21 北京云巢动脉科技有限公司 Virus scanning method and system based on data block in virtual machine
CN104298918B (en) * 2014-09-12 2018-08-21 北京云巢动脉科技有限公司 A kind of virus scan method and system in virtual machine based on data block
CN105007261A (en) * 2015-06-02 2015-10-28 华中科技大学 Security protection method for image file in virtual environment
WO2017028612A1 (en) * 2015-08-18 2017-02-23 中兴通讯股份有限公司 Antivirus method and device for virtual machine
CN105844162A (en) * 2016-04-08 2016-08-10 北京北信源软件股份有限公司 Method for scanning bugs of windows virtual machines under virtualized platform
CN105844162B (en) * 2016-04-08 2019-03-29 北京北信源软件股份有限公司 A kind of method of windows virtual machine vulnerability scanning under virtual platform
CN107342963A (en) * 2016-04-28 2017-11-10 中移(苏州)软件技术有限公司 A kind of secure virtual machine control method, system and the network equipment
CN106886369A (en) * 2017-01-22 2017-06-23 武汉噢易云计算股份有限公司 A kind of cloud hard disk management method and system based on OpenStack cloud platforms
WO2021189252A1 (en) * 2020-03-24 2021-09-30 深圳市欢太科技有限公司 Image security scanning system, method and apparatus, device, and storage medium
CN111475807A (en) * 2020-04-02 2020-07-31 亚信科技(成都)有限公司 Detection method and device for movable storage equipment
CN114282214A (en) * 2021-12-17 2022-04-05 北京天融信网络安全技术有限公司 Virus checking and killing method and device and electronic equipment

Also Published As

Publication number Publication date
CN102419803B (en) 2014-12-03

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C53 Correction of patent of invention or patent application
CB02 Change of applicant information

Address after: High tech Park No. 88 University of Electronic Science and technology of Sichuan province in 611721 Chengdu city high tech Zone West Park area Qingshui River Tianchen Road No. 5 building D

Applicant after: HUAWEI DIGITAL TECHNOLOGIES (CHENG DU) Co.,Ltd.

Address before: High tech Park No. 88 University of Electronic Science and technology of Sichuan province in 611721 Chengdu city high tech Zone West Park area Qingshui River Tianchen Road No. 5 building D

Applicant before: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES Co.,Ltd.

COR Change of bibliographic data

Free format text: CORRECT: APPLICANT; FROM: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD. TO: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD.

C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20221012

Address after: No. 1899 Xiyuan Avenue, high tech Zone (West District), Chengdu, Sichuan 610041

Patentee after: Chengdu Huawei Technologies Co.,Ltd.

Address before: 611721 Area D, Building 5, High-tech Park, University of Electronic Science and Technology of China, No. 88 Tianchen Road, Qingshuihe Area, Western Park, High-tech Zone, Chengdu, Sichuan Province

Patentee before: HUAWEI DIGITAL TECHNOLOGIES (CHENG DU) Co.,Ltd.
