Embodiment
The prior art is cumbersome to operate and, in addition, leaves a relatively high user-side risk in virus detection and removal. It is impractical to require every virtual machine user to install antivirus software on their own initiative, so the coverage of virus scanning is also hard to manage. If some users do not install antivirus software as required, a computer virus can still spread through the network. Moreover, where antivirus software has been installed in the virtual machines, upgrading and maintaining the antivirus software in each virtual machine is also difficult to control.
To solve these problems of the prior art, an embodiment of the invention provides a method and a system for detecting and removing computer viruses. In this embodiment, "computer virus" is a broad concept that covers all kinds of malicious code, such as Trojan horses and rogue programs.
The main implementation principle of the technical solution, its specific implementations, and the beneficial effects it can achieve are described in detail below with reference to the accompanying drawings.
As shown in Figure 1, the main implementation flow of the embodiment is as follows:
Step 10: the antivirus server obtains the storage location of the virtual machine's image data.
Image data is the static storage form of a virtual machine instance; it contains the virtual machine's operating system files, user files and so on. In a cloud computing infrastructure, the storage resources and the running resources of a virtual machine may be distributed across different physical entities. When a virtual machine is allocated to a user, the physical host used to start it does so by loading that virtual machine's image data.
The payload data in the image data (the virtual machine's operating system files, user files and so on) is stored in the same way as data on a personal computer; that is, the field definitions of the physical disk sectors used to store the data are identical. The difference is that different virtual machine vendors wrap the payload data and add a header to it, producing new image data; some vendors also apply further processing, such as compression, to the image data.
Step 20: using the storage location of the virtual machine's image data, the antivirus server mounts the image data, mapping it to a virtual disk in the antivirus server's file system.
Specifically, the form of the result of the mount operation differs between operating systems. In this embodiment, a virtual disk is a storage object that the antivirus server's operating system can recognize.
When the antivirus server runs a Windows-family operating system, the image data is mapped to a drive in the antivirus server's file system once mounting completes; when it runs a Linux- or UNIX-family operating system, the image data is mapped to a block device in the antivirus server's file system once mounting completes. Whether the result is a drive or a block device, the subsequent operations work on essentially the same principle.
Step 30: the antivirus server runs a virus scanning engine to scan the drive or block device; if the scan finds a virus, virus removal is performed.
Optionally, because the image data may be modified in real time while the virtual machine is in the active state (that is, while the virtual machine is started), mounting the image data at that point and scanning the mapped drive or block device may fail to guarantee that the scan result correctly reflects the security state of the image data as modified in real time, and may also affect the performance of the virtual machine. Therefore, before step 10, the method also includes:
The antivirus server obtains the current working state of the virtual machine, which is active, suspended or shut down, and determines that the current working state of the virtual machine is a non-active state.
In other words, the antivirus server selects virtual machines whose current working state is non-active and performs steps 10 to 30 on them.
Further, in step 20, after obtaining the storage location of the virtual machine's image data, the antivirus server determines the format type of the image data and then calls the mount program corresponding to that type to mount the image data. The specific ways of determining the image data type are described in detail in the embodiment below.
Optionally, so that users learn the security state of their virtual machines promptly, in particular users of virtual machines in which the scan found a virus, the method also includes, after step 30: the antivirus server notifies the virtual machine user that the scan found a virus. For example, the antivirus server sends a notification e-mail to the user's mailbox carrying the information that the scan found a virus, or sends a notification message carrying that information to the user's terminal device.
An embodiment is now described in detail to elaborate and explain the main implementation principle of the method, in accordance with the principle of the invention set out above.
Figure 2a is a schematic diagram of the deployment environment of the computer virus detection and removal system provided by the embodiment. The system includes at least one antivirus server, at least one elastic computing controller, at least one physical host and a distributed storage device. The elastic computing controller is a core component of existing cloud computing infrastructure; it is the hub that manages storage resources, computing resources and other resources. The management list it stores holds information such as the identifier of the physical host used to start each virtual machine and the storage address of the image data corresponding to each virtual machine instance, as shown in Table 1. When a virtual machine is allocated to a user, the controller reads this management list and instructs the physical host used to start the virtual machine to read the image data from its storage address and load it, thereby starting the virtual machine.
In this embodiment, the image data of each virtual machine is stored in the distributed storage device; a storage area network (SAN, Storage Area Network) and network attached storage (NAS, Network Attached Storage) are each used as examples of the distributed storage device.
How image data is stored in the distributed storage device depends on the type of device. For a SAN, for example, the virtual machine image data is the hard disk sector data in a designated storage space (the virtual machine image data area). Other devices, such as the physical host used to start the virtual machine, can reach the image data area of the virtual machine to be started on the SAN with an access request carrying "IP address + port number"; each "IP address + port number" corresponds to one storage area in the SAN, as shown in Figure 2b.
For a NAS, the virtual machine image data is an image file under a designated storage path. Other devices, such as the physical host used to start the virtual machine, can reach the image file of the virtual machine to be started on the NAS through the Network File System (NFS), as shown in Figure 2c.
In Table 1, the image data of virtual machines VM1 and WM2 is stored in the NAS, and the image data of virtual machine VM3 is stored in the NAS.
Note that Figure 2a shows one example of a cloud computing infrastructure; the computer virus detection and removal method provided by the embodiment also applies to other architectures, for example ones in which a management database maintains the correspondence between virtual machine identifiers and image data addresses.
Table 1
Figure 3 is a detailed flowchart of the computer virus detection and removal method provided by the embodiment.
Step 301: the antivirus server starts a scan task.
Optionally, the antivirus server starts scan tasks periodically according to configuration information, for example one scan task per week. The scan task can also be started in a time window in which most virtual machines are in a non-active state, for example from 23:00 at night to 6:00 in the morning. The working states of virtual machines can be obtained from historical statistics.
Step 302: the antivirus server reads the current working state of each virtual machine from the elastic computing controller. The working state of a virtual machine is active, suspended or shut down; the non-active state means suspended or shut down.
The antivirus server can process the virtual machines in parallel or serially, performing steps 303 to 311 for each of them; virtual machine WM1 is used as the example here.
Step 303: the antivirus server judges whether the working state of the virtual machine is active. If it is active, no virus detection and removal is performed on this virtual machine; if it is non-active, the flow goes to step 304.
Optionally, if the virtual machine is active, the antivirus server can read its working state again after waiting for a set period. The period is set from empirical statistics, for example reading the working state of the virtual machine again after waiting 2 hours.
In this embodiment, the current working state of WM1 is shut down.
Step 304: the antivirus server obtains the storage location of the virtual machine's image data.
Optionally, in this embodiment, the antivirus server exchanges messages with the elastic computing controller to obtain, from the controller's management list, the storage location of the image data corresponding to virtual machine WM1. In a SAN system the storage location of the image data is the address of the image data area; in a NAS system it is the storage path of the image file.
In other forms of cloud computing architecture, the storage location of the virtual machine image data can be obtained from the database that maintains the correspondence between virtual machine identifiers and image data addresses.
Step 305: the antivirus server determines the data format type of the virtual machine's image data.
Optionally, the ways of determining the data format type of the image data include but are not limited to:
Mode one:
Using the storage location of the virtual machine's image data, the antivirus server first tests whether the header of the image data can be read successfully.
If the header of the image data can be read successfully, the data format type of the image data is determined from that header. For example, following the definition of the image data formats, the data format type field in the header is read from the storage address and compared with the identifier of each type; if it matches one of them, the type of the virtual machine image data is determined to be the data format type whose identifier matches the field that was read. The image data types include QCOW (QEMU Copy-on-write), VMDK (VMWare Virtual Machine Disk Format), VHD (Microsoft Virtual Hard Disk format), VDI (Sun xVM VirtualBox Virtual Disk Images) and so on, and one virtual machine system can be compatible with several image data types.
If the header of the image data cannot be read successfully, the server tests whether the image data can be parsed successfully as the RAW format. If parsing succeeds, the data format type of the image data is determined to be RAW; otherwise the image data type cannot be identified and mounting fails. Image data in RAW format is stored in the same way as data on a personal computer: it corresponds 1:1 to the physical disk data, with no wrapping added on top of it, so it is parsed according to the physical disk data layout. The characteristics of that layout include but are not limited to: sector 0 (the first 512 bytes) is the MBR (Main Boot Record), and the signature word "55AA" is present at the end of this sector; taking the start of sector 0 as the base, the data at offsets 01BEH-01FDH is the disk partition table, which contains the fields describing the file system identifier of each partition; and so on.
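One way to implement mode one, given as an added example and not as code from the patent. The magic values come from the public QCOW, VMDK, VHD and VDI format specifications (the page does not give them), the function names are hypothetical, and the inputs are the first and last 512-byte sectors of the image.

```python
import struct

SECTOR = 512
# Magic values are taken from the public format specifications, not from the page.
QCOW_MAGIC = b"QFI\xfb"      # QCOW/QCOW2 header, offset 0
VMDK_MAGIC = b"KDMV"         # VMDK sparse-extent header, offset 0
VHD_COOKIE = b"conectix"     # VHD footer: last sector (dynamic disks also copy it to offset 0)
VDI_SIGNATURE = 0xBEDA107F   # VDI header, little-endian u32 at offset 64
# MBR partition-type bytes for the file systems the page lists.
FS_HINT = {0x06: "FAT16", 0x0B: "FAT32", 0x0C: "FAT32", 0x07: "NTFS", 0x83: "EXT2/EXT3"}


def parse_mbr(sector0):
    """Return [(slot, fs_hint, start_lba, sectors)] for sector 0, or None if it is not an MBR."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        return None                       # signature word 55AA missing
    partitions = []
    for slot in range(4):                 # partition table occupies offsets 0x1BE..0x1FD
        entry = sector0[0x1BE + 16 * slot:0x1BE + 16 * (slot + 1)]
        if entry[0] not in (0x00, 0x80):  # boot flag must be "inactive" or "active"
            return None
        ptype = entry[4]
        start_lba, sectors = struct.unpack_from("<II", entry, 8)
        if ptype:                         # type 0 marks an unused slot
            partitions.append((slot, FS_HINT.get(ptype, hex(ptype)), start_lba, sectors))
    return partitions


def detect_format(head, tail=b""):
    """Classify an image from its first and last sector; raise ValueError if unknown."""
    if head.startswith(QCOW_MAGIC):
        return "qcow"
    if head.startswith(VMDK_MAGIC):
        return "vmdk"
    # A fixed VHD begins with the guest's own MBR, so test the footer before the RAW fallback.
    if head.startswith(VHD_COOKIE) or tail.startswith(VHD_COOKIE):
        return "vhd"
    if len(head) >= 68 and struct.unpack_from("<I", head, 64)[0] == VDI_SIGNATURE:
        return "vdi"
    if parse_mbr(head) is not None:       # no recognised header: try the RAW layout
        return "raw"
    raise ValueError("unrecognised image format, mount refused")


def make_raw_sample():
    """Constructed sample: sector 0 of a RAW image with one active Linux partition."""
    mbr = bytearray(SECTOR)
    mbr[0x1BE:0x1CE] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x83, b"\0\0\0", 2048, 4096)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    sector0 = make_raw_sample()
    print(detect_format(sector0), parse_mbr(sector0))
    print(detect_format(sector0, VHD_COOKIE + bytes(SECTOR - 8)))  # same disk as a fixed VHD
```

Because a guest controls every byte of a RAW image, including sector 0, a header sniffed this way can be forged from inside the virtual machine; where the type was recorded when the image was created (mode two), that record is the safer input to the mount step.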
Mode two:
When the image data corresponding to a virtual machine instance is created in response to a user's virtual machine request, the type identifier of each virtual machine's image data is recorded in a database. In this embodiment, the type identifier can be recorded in the management list maintained by the elastic computing controller, as shown in Table 2. When the antivirus server needs to know the image data type of a virtual machine, for example that of virtual machine WM1, it exchanges messages with the elastic computing controller to obtain the image data type stored in the controller's management list. For example, the antivirus server sends the elastic computing controller a type confirmation request message carrying the virtual machine identifier "WM1" or the storage location of the virtual machine image data, "192.168.0.1:/vmimages/vm1.raw". The elastic computing controller searches the management list by the virtual machine identifier or storage location carried in the request, and returns the image data type it finds, "raw", to the antivirus server in a type confirmation response message. The antivirus server then extracts the image data type carried in the type confirmation response message.
Table 2
In this embodiment, the image data type of virtual machine WM1 is QCOW.
Step 306: the antivirus server calls the mount program corresponding to the data format type to mount the virtual machine image data.
In this embodiment, given that the image data type of WM1 is QCOW, the antivirus server calls the mount program corresponding to the QCOW data format type to mount the image data of WM1.
Most existing operating systems provide commands or command sets that implement mounting, such as mount and kpartx on Linux.
During mounting, the file system type inside the virtual machine image data (that is, the virtual machine's file system type) is determined from the correspondence between image data types and file system types. The file system inside the image data can be the 16-bit File Allocation Table (FAT16), FAT32, the second extended file system (EXT2), the third extended file system (EXT3), the New Technology File System (NTFS) and so on; during mounting, the driver corresponding to the file system type is needed to support that file system.
Once mounting completes, the image data is mapped to a drive in the antivirus server's file system, and subsequent operations on files in this drive are equivalent to operations on files in the virtual machine.
After the antivirus server mounts the image data of WM1, that image data is mapped to the drive DriverW1.
Step 307: the antivirus server runs a virus scan on the drive to which the virtual machine image data is mapped and obtains the scan result.
The antivirus server runs the virus scanning engine and scans the drive DriverW1 against the signatures of known viruses in the enterprise-grade virus signature database.
Step 308: the antivirus server judges whether a virus was found in the scan result; if so, the flow goes to step 309, otherwise to step 311.
Step 309: the corresponding antivirus program is called to remove or quarantine the virus.
Step 310: the antivirus server notifies the virtual machine user that the scan found a virus.
For example, the antivirus server sends a notification e-mail to the virtual machine user's mailbox carrying the information that the scan found a virus, or sends a notification message carrying that information to the user's terminal device. The information can include the list of viruses found in the scan result, a description of each virus in the list, and so on.
Steps 309 and 310 are not restricted to any particular order and can also be executed in parallel.
Step 311: the virtual machine's image data is unmounted.
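The control flow of steps 302 to 311, as an added sketch that is not code from the patent. The controller, mounter, engine and notify interfaces are hypothetical, the fleet is constructed sample data, and the second state check after mounting is an added safeguard rather than a step on the page.

```python
from dataclasses import dataclass, field

INACTIVE = {"suspended", "shutdown"}  # the page's non-active states


@dataclass
class Report:
    scanned: list = field(default_factory=list)
    skipped: list = field(default_factory=list)
    infected: dict = field(default_factory=dict)
    errors: dict = field(default_factory=dict)


def scan_fleet(controller, mounter, engine, notify):
    """Steps 302-311, processed serially; all four collaborators are hypothetical interfaces."""
    report = Report()
    for vm in controller.list_vms():
        if controller.state(vm) not in INACTIVE:        # steps 302-303: leave active VMs alone
            report.skipped.append(vm)
            continue
        try:
            location = controller.image_location(vm)    # step 304
            image_type = controller.image_type(vm)      # step 305, mode two (recorded type)
            disk = mounter.mount(location, image_type)  # step 306
        except Exception as exc:
            report.errors[vm] = f"mount failed: {exc}"
            continue
        try:
            # Added safeguard, not a step on the page: the VM may have been started
            # between the state check and the mount, so check again before scanning.
            if controller.state(vm) not in INACTIVE:
                report.skipped.append(vm)
                continue
            findings = engine.scan(disk)                # step 307
            if findings:                                # step 308
                engine.clean(disk, findings)            # step 309
                notify(vm, findings)                    # step 310
                report.infected[vm] = findings
            report.scanned.append(vm)
        except Exception as exc:
            report.errors[vm] = f"scan failed: {exc}"
        finally:
            mounter.unmount(disk)                       # step 311 runs on every path
    return report


class FakeCloud:
    """Constructed stand-in for the controller, mount program and scan engine."""
    def __init__(self, vms):
        self.vms, self.mounted, self.cleaned = vms, [], []
    def list_vms(self): return list(self.vms)
    def state(self, vm): return self.vms[vm]["state"]
    def image_location(self, vm): return self.vms[vm]["image"]
    def image_type(self, vm): return self.vms[vm]["type"]
    def mount(self, location, image_type):
        self.mounted.append(location)
        return "/mnt/" + location.rsplit("/", 1)[-1]
    def unmount(self, disk): self.mounted.pop()
    def scan(self, disk):
        if "broken" in disk:
            raise OSError("unreadable file system")
        return ["Constructed.Test.Signature"] if "vm2" in disk else []
    def clean(self, disk, findings): self.cleaned.append(disk)


# Constructed fleet; only the first image path appears on the page.
SAMPLE_FLEET = {
    "WM1": {"state": "shutdown", "image": "192.168.0.1:/vmimages/vm1.raw", "type": "raw"},
    "WM2": {"state": "suspended", "image": "192.168.0.1:/vmimages/vm2.qcow", "type": "qcow"},
    "VM3": {"state": "active", "image": "192.168.0.1:/vmimages/vm3.vhd", "type": "vhd"},
    "VM4": {"state": "shutdown", "image": "192.168.0.1:/vmimages/broken.raw", "type": "raw"},
}
```

Calling `scan_fleet(cloud, cloud, cloud, callback)` with `cloud = FakeCloud(SAMPLE_FLEET)` exercises every branch: the active VM is skipped, the infected one is cleaned and reported, and the image whose scan fails is still unmounted.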
The technical solution provided by the embodiment first mounts the virtual machine's image data and runs a virus scan on the drive to which the mounted image data is mapped; when the scan finds a virus, the corresponding antivirus program is called to remove it, which achieves virus detection and removal for the virtual machine. No antivirus software has to be installed inside the virtual machine, so the user's operation is greatly simplified, and the problem that version updates and maintenance of antivirus software installed in virtual machines are hard to manage is solved. Virus detection and removal can also be carried out on all virtual machines in a specified scope, which guarantees its coverage.
In addition, because a virus scanning engine only needs to be installed on the antivirus server, storage space is saved compared with the prior art, in which antivirus software is installed in every virtual machine. Because the antivirus server has the advantage over a virtual machine in processing performance and storage space, it can support a high-end virus scanning engine and an enterprise-grade virus signature database, which improves the effectiveness of virus detection and removal.
Correspondingly, the embodiment of the invention also provides a computer virus detection and removal device. As shown in Figure 4, the device comprises an image data acquisition module 401, a mount module 402, a scan execution module 403 and a virus removal execution module 404, as follows:
The image data acquisition module 401 is used to obtain the storage location of the virtual machine image data;
The mount module 402 is used to mount the virtual machine's image data according to the storage location of the virtual machine image data, mapping the image data to a virtual disk in the antivirus server's file system;
The scan execution module 403 is used to trigger the virus scanning engine, after the mount module 402 has mounted the virtual machine's image data, to scan the virtual disk;
The virus removal execution module 404 is used to perform virus removal if the scan result of the scan execution module 403 finds a virus.
Optionally, to guarantee the accuracy of the scan result and to reduce the effect on virtual machine performance, the computer virus detection and removal device also comprises:
A working state acquisition module 405, used to obtain the current working state of the virtual machine, which is active, suspended or shut down; when the current working state of the virtual machine is determined to be non-active, it triggers the image data acquisition module 401 to obtain the storage location of the virtual machine image data.
Figure 5 is a schematic structural diagram of the mount module in the computer virus detection and removal device. The mount module 402 comprises:
A determining unit 501, used to determine the type of the virtual machine image data;
A mount unit 502, used to call, according to the virtual machine image data type determined by the determining unit 501, the corresponding mount program to mount the virtual machine image data at the storage location of the virtual machine image data.
Figure 6 is a schematic structural diagram of the determining unit 501 in the computer virus detection and removal device. The determining unit 501 specifically comprises:
A first test subunit 601, used to test, according to the storage location of the virtual machine image data, whether the header of the image data can be read successfully;
A first determining subunit 602, used to determine the data format type of the image data from the data format type field in the header if the first test subunit 601 can read the header of the image data successfully;
A second test subunit 603, used to test whether the image data can be parsed successfully as the RAW format if the first test subunit 601 cannot read the header of the image data successfully;
A second determining subunit 604, used to determine that the data format type of the image data is RAW if the second test subunit 603 can parse the image data successfully.
A person of ordinary skill in the art will understand that all or part of the steps of the method in the above embodiment can be carried out by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disc.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. If these changes and modifications fall within the scope of the claims of the invention and their technical equivalents, the invention is intended to include them as well.