[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN102982284A - Scanning equipment, cloud management equipment and method and system used for malicious program checking and killing - Google Patents

Scanning equipment, cloud management equipment and method and system used for malicious program checking and killing Download PDF

Info

Publication number
CN102982284A
CN102982284A CN2012105061375A CN201210506137A CN102982284A CN 102982284 A CN102982284 A CN 102982284A CN 2012105061375 A CN2012105061375 A CN 2012105061375A CN 201210506137 A CN201210506137 A CN 201210506137A CN 102982284 A CN102982284 A CN 102982284A
Authority
CN
China
Prior art keywords
scanning
program file
information
server
specified
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2012105061375A
Other languages
Chinese (zh)
Other versions
CN102982284B (en
Inventor
江爱军
刘智锋
孔庆龙
张波
姚彤
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd filed Critical Beijing Qihoo Technology Co Ltd
Priority to CN201210506137.5A priority Critical patent/CN102982284B/en
Publication of CN102982284A publication Critical patent/CN102982284A/en
Priority to PCT/CN2013/088196 priority patent/WO2014082599A1/en
Priority to US14/648,298 priority patent/US9830452B2/en
Application granted granted Critical
Publication of CN102982284B publication Critical patent/CN102982284B/en
Priority to US15/823,534 priority patent/US20180082061A1/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Information Transfer Between Computers (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses scanning equipment, cloud management equipment and method and system used for malicious program checking and killing. The cloud management equipment used for the malicious program checking and killing comprises a second transmission interface, a first indicator, a first matcher and a second indicator, wherein the first indicator is configured to generate a first scanning content indication according to the characteristics of a new malicious program and system environment information transmitted by client equipment; the first matcher is configured to obtain characteristic data of an unknown program file through the second transmission interface and perform matching in characteristic data recording of the known malicious program according to the characteristic data, wherein the unknown program file is transmitted by the client equipment; and the second indicator is configured to generate a second scanning content indication when the first matcher fails to match up the known recording, wherein the second scanning content indication refers to the scanning of the specified attribute of the unknown program file and/or the specified attribute of the context environment of the unknown program file, and the second scanning content indication is transmitted to the client equipment through the second transmission interface.

Description

Scanning device, cloud management device, method and system for malicious program searching and killing
Technical Field
The invention relates to the technical field of network information security, in particular to scanning and cloud management equipment, a scanning and cloud management method and a scanning and cloud management system for searching and killing malicious programs.
Background
Most of existing malicious program searching and killing methods are that a local engine scans according to a built-in scanning position, characteristics such as MD5 and the like of unknown program files which cannot be identified locally are sent to a cloud server, the cloud server compares the characteristics of the program files sent by a client and judges whether the programs are malicious programs or not, and if the programs are the malicious programs, the local engine of a client clears the malicious programs according to a built-in local clearing logic of the client. However, in the continuing fight of malware against security software blanching, malware authors always find new points available to the operating system and points ignored by the security software to bypass security software detection and killing. At this time, after a security vendor takes a sample of the malicious program, the security vendor usually needs to modify a local engine to check and kill the new malicious program, and the malicious program is spread in a large area during the period from taking the sample to manual analysis and then upgrading a new version engine program file to all clients.
Disclosure of Invention
In view of the above problems, the present invention is proposed to provide a scanning device and a corresponding scanning method for malicious program searching and killing, a cloud management device and a corresponding cloud management method for malicious program searching and killing, and a malicious program scanning system and a scanning method based on cloud security, which overcome the above problems or at least partially solve the above problems.
According to an aspect of the present invention, there is provided a scanning apparatus for malicious program detection, including: the first transmission interface is configured to transmit information to the server-side equipment and receive the information transmitted by the server-side equipment; the environment information reader is configured to read the current system environment information of the client device and transmit the current system environment information to the server device through the first transmission interface; the first scanner is configured to obtain a first scanning content indication judged by the server-side equipment at least based on the system environment information through the first transmission interface, scan a specified position in the first scanning content indication, and transmit at least the scanned feature data of the unknown program file to the server-side equipment through the first transmission interface; and the second scanner is configured to obtain a second scanning content indication transmitted by the server-side equipment through the first transmission interface, wherein the second scanning content indication comprises scanning the specified attribute of the unknown program file and/or the specified attribute of the context environment of the unknown program file, and scanning is carried out according to the second scanning content indication.
According to another aspect of the present invention, there is provided a cloud management device for searching and killing a malicious program, including: a second transmission interface configured to transmit information to the client device and receive information transmitted by the client device; a first indicator configured to generate a first scanning content indication according to characteristics of a new malicious program and system environment information transmitted by the client device, wherein the first scanning content indication at least comprises characteristic data for scanning contents of a specified position and informing the scanned unknown program file, and transmit the first scanning content indication to the client device through a second transmission interface; the first matcher is configured to obtain the characteristic data of the unknown program file transmitted by the client equipment through a second transmission interface, and match the characteristic data in a known malicious program characteristic data record according to the characteristic data; and a second indicator configured to generate a second scanned content indication when the first matcher fails to match a known record, the second scanned content indication including scanning specified attributes of the unknown program file and/or specified attributes of a context environment of the unknown program file and transmitting to the client device through the second transmission interface.
According to another aspect of the invention, a malicious program scanning system based on cloud security is provided, and the system comprises any scanning device for malicious program searching and killing as above and any cloud management device for malicious program searching and killing as above.
According to another aspect of the present invention, there is provided a cloud management method for malicious program searching and killing, including: generating a first scanning content instruction according to the characteristics of the newly generated malicious program and system environment information transmitted by the client device, wherein the first scanning content instruction at least comprises characteristic data for scanning the content of a specified position and informing the scanned unknown program file, and transmitting the first scanning content instruction to the client device; acquiring characteristic data of an unknown program file transmitted by client equipment, and matching in a known malicious program searching and killing database according to the characteristic data; and when the known record cannot be matched according to the feature data of the unknown program file, generating a second scanned content indication, wherein the second scanned content indication comprises scanning the specified attribute of the unknown program file and/or the specified attribute of the context environment of the unknown program file, and transmitting the second scanned content indication to the client device.
According to another aspect of the present invention, there is provided a method for scanning malicious programs based on cloud security, including: the client equipment reads the current system environment information and transmits the current system environment information to the server equipment; the server-side equipment generates a first scanning content instruction according to the characteristics of the new malicious program and system environment information transmitted by the client-side equipment, wherein the first scanning content instruction at least comprises characteristic data for scanning the content at a specified position and informing the scanned unknown program file, and transmits the first scanning content instruction to the client-side equipment; the client device scans according to the first scanning content indication and at least transmits the scanned feature data of the unknown program file to the server device; the server-side equipment matches in a known malicious program searching and killing database according to the feature data of the unknown program file; when the known record cannot be matched according to the feature data of the unknown program file, the server-side equipment generates a second scanning content instruction, the second scanning content instruction comprises a step of scanning the specified attribute of the unknown program file and/or the specified attribute of the context environment of the unknown program file, and the second scanning content instruction is transmitted to the client-side equipment; the client device scans according to the second scanning content indication.
According to the embodiment provided by the invention, when the unknown program file cannot be judged to be a malicious program or cannot find an accurate repair scheme only through the basic characteristic data (such as the file name, the MD5, the SHA1 or other characteristics calculated according to the file content) of the unknown program file, the client device can be further required to scan the specified attributes of the signature, the version and the like of the unknown program file and/or the attributes of the context environment of the unknown program file to further judge, so that the client can be more accurately judged to be unable to determine whether the unknown program file is safe. By adopting the scheme, the cloud server timely issues personalized scanning content, and the searching and killing method is dynamically acquired from the server side according to the attributes of the program file and the attributes of the context environment where the program file is located, so that the condition that the newly-born malicious program can be detected and eliminated only by upgrading the local feature library and the engine program is avoided, the attack speed on the newly-born malicious program is accelerated, and the rapid spread of the newly-born malicious program is effectively restrained.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 illustrates a cloud security based malware scanning system according to one embodiment of the present invention;
FIG. 2 shows a flowchart of a malicious program scanning method based on cloud security according to one embodiment of the invention, and
fig. 3 is a flowchart illustrating a malicious program searching and killing method based on cloud security according to another embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Embodiments of the invention are operational with numerous other general purpose or special purpose computing system environments or configurations. Examples of well known computing systems, environments, and/or configurations that may be suitable for use with the computer system/server include, but are not limited to: personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, networked personal computers, minicomputer systems, mainframe computer systems, distributed cloud computing environments that include any of the above, and the like.
The computer system/server may be described in the general context of computer system-executable instructions, such as program modules, being executed by a computer system. Generally, program modules may include routines, programs, objects, components, logic, data structures, etc. that perform particular tasks or implement particular abstract data types. The computer system/server may be practiced in distributed cloud computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computer system storage media including memory storage devices.
Referring to fig. 1, a malicious program scanning system based on cloud security according to an embodiment of the present invention is shown, including a scanning device 110 for malicious program searching and killing, and a cloud management device 210 for malicious program searching and killing, where the scanning device 110 may be disposed in a client, such as a client device 100, and the cloud management device 210 may be disposed in a server, such as a server device 200. The scanning device 110 may communicate with the cloud management device 210, and specifically, the first transmission interface 112 in the scanning device 110 may transmit information to the server-side device 200 and receive information transmitted by the server-side device 200; the second transmission interface 218 of the cloud management device can transmit information to the client device 100 and receive information transmitted by the client device 100. The scanning device 110 may include, among other things, an environmental information reader 112, a first scanner 114, a second scanner 116, and a first transmission interface 118. The cloud management device 210 may include a first indicator 212, a first matcher 214, a second indicator 216, and a second transmission interface 218.
First, the environment information reader 112 reads the current system environment information of the client device 100 and transmits the system environment information to the second transmission interface 218 of the server device 200 through the first transmission interface 118. The current environment system information of the client device 100 may include any one or more of version information of an operating system, system patch installation information, software installation information, driver installation information, and active process and service information. There are many operating systems, such as Windows 98, Windows2003, Windows XP, and Windows Vista, and the version information corresponding to different operating systems is different, so that the server-side device 200 can know what specific version of operating system the client device 100 currently runs through according to the version information of the operating system. The active process is a process running in the system, and various process information running in the system, identifiers related to the process, a user name, a cpu occupancy rate, a memory occupancy rate, description information and the like can be inquired in the system by calling various means such as a corresponding Application Programming Interface (API) function and the like. After the client device 100 initializes the local engine and the network environment, the environment information reader 112 may read the current system environment information and transmit it to the server device 200.
After receiving the current system environment information of the client device 100, the second transmission interface 218 in the cloud management device 210 in the server-side device 200 transmits the current system environment information to the first indicator 212, and the first indicator 212 generates a first scanning content indication according to the characteristics of the new malicious program and the system environment information transmitted by the client device 100. The characteristics of the new malicious programs may be various, for example, feature information that the new malicious programs are hidden and/or attacked by using specific locations, which is analyzed according to the prevalence trend of the latest malicious programs, such as locations that the new malicious programs commonly use, for example, an installation directory of a certain game, an installation directory of common software, certain specific registry entries, and the like. Further, the server device 200 may provide a personalized scan content indication, i.e., a first scan content indication, for the client device according to the hidden and/or attack position generally used by the new malicious program and by combining the current system environment information reported by the client device. For example, when it is found through the software installation information reported by the client device 100 that a certain game software is installed in the client device 100, and it is known from the characteristics of a new malware that many current malware are hidden or maliciously replaced files by using the installation directory of the game software, the server device 200 will request the client device 100 to scan the contents in the installation directory of the game in the first scanning content indication, so as to find suspicious unknown program files in the client device 100. It can be seen that, because the first scanning content indication is not only based on the characteristics of the new malicious program grasped by the server, but also combined with the specific system environment information of the client device 100, the first scanning content indication is personalized and targeted, and the first scanning content indication issued for different client devices 100 is often different.
The first scanning content indication at least includes characteristic data for scanning the content at the designated location and requiring to inform the scanned unknown program file, specifically, the first scanning content indication may be a piece of text or a script generated according to the characteristics of the new malicious program and the current system environment information of the client device 100, that is, the indication may inform the client device 100 of what content needs to be scanned and what scanning results are reported.
It should be noted that the first scanning content indication may be an indication without any condition attached, or may be an indication with a condition. If the indication is conditional, the scanning device 110 in the client device 100 scans according to the first scanning content indication only if a preset condition is met. The first scanning indication may be accompanied by a number of conditions, such as, but not limited to, one or more of the following: specifying whether a file exists, specifying whether a directory exists, whether an attribute of a program file satisfies a specified condition (such as whether message digest MD5 is a specified value), specifying whether a registry key exists, specifying whether a registry key value exists, specifying whether a content of a registry key satisfies a specified condition, specifying whether a content of a registry key value satisfies a specified condition (such as whether it contains or equals a specific character string or a certain value), specifying whether a process exists, specifying whether a service satisfies a specified condition (such as whether it is a specific service name, a specific service description, or a specific display name), and the like.
After the first indicator 212 generates the first scanning content indication, the server transmits the first scanning content indication to the first transmission interface 118 in the client device 100 through the second transmission interface 218.
Then, the first transmission interface 118 of the scanning device 110 located in the client device 100 informs the first scanner 114 of the received first scanning content indication determined by the server device 200 based on at least the system environment information. Further, the first scanner 114 scans a specified position in the first scan content indication. As mentioned above, the first scanning content indication may be a conditional indication, or referred to as a scanning condition, and the first scanner 114 needs to first determine whether the scanning condition, such as those optional conditions mentioned above, accompanied by the first scanning content indication is satisfied. When the first scanner 114 determines that the condition accompanying the first scan content is satisfied, the designated position in the first scan content indication is scanned. Of course, if the first scan content indication is not a conditional indication, the first scanner 114 may scan according to the scan position indicated in the first scan content without first determining.
Optionally, in addition to the personalized scan performed in the client device 100 as instructed by the first scan content, the first scanner 114 may perform a regular scan on a scan location built into the local engine of the client device 100.
After the first scanner 114 completes scanning, it will find the unknown program file and then extract the feature data of the unknown program file, which may be of many kinds, such as one or more of the following information: data calculated according to a specific algorithm (such as MD5, SHA1 or other algorithms) for all or part of the key content of an unknown program file (i.e., extracting a part of the content from the file), and file names, etc. These characteristic data of the program file can be understood as basic attribute information of the program file. After obtaining the feature data of the unknown program file, the first scanner 114 transmits the feature data of the unknown program file to the second transmission interface 218 in the server-side device 200 through the first transmission interface 118.
Furthermore, the second transmission interface 218 of the server provides the received feature data of the unknown program file to the first matcher 214, and the first matcher 214 performs matching in a known malicious program searching and killing database according to the feature data, records some feature information of the malicious program in the database, and may also record judgment logic for judging whether the malicious program is the malicious program, and possible searching and killing methods (such as repair logic), and the like. The characteristics of the malicious program may include many pieces of information, such as file name, digest of the program file, file size, signature information, version information, and other attribute information of the file, and may further include context environment attributes of the program file, such as a directory where the file is located, a start position in a registry, and attributes of other files in the same directory or in a specified directory. Because the existing malicious program is complex, whether the existing malicious program is a malicious program cannot be accurately judged only by one or two characteristics, comprehensive judgment according to various characteristics is needed under many conditions, and the logic for comprehensively judging whether an unknown program file is a malicious program is the judgment logic. The killing method includes, but is not limited to, scanning/determining and repairing operations. Because the storage capacity and the calculation amount of the server side, the capability of collecting malicious program feature information, and the updating speed are far higher than those of the client side, when the client side device 100 is based on an unknown program file that cannot be determined by the local engine, the server side device 200 can be determined according to a known database.
If the first matcher 214 successfully matches the known malicious program searching and killing database, that is, can determine whether the unknown program file is a malicious program, optionally, some cases may also match corresponding repair logic, the determination result and the corresponding repair logic may be fed back to the first transmission interface 118 of the client device 100 through the second transmission interface 218. Optionally, the client device 100 further includes a killer, and the first transmission interface 118 in the client device 100 informs the killer of a determination result and a repair logic that the server-side device 200 determines whether the server-side device is a malicious program based on the characteristics of the unknown program file, and the killer executes a corresponding operation. For example, if the unknown program file is found to be a malicious program as a result of the determination, the killer performs the repair processing on the unknown program file according to the repair logic returned by the server-side device 200. Repair processes include, but are not limited to, deleting specified registry keys/values, modifying registry keys/values to specified content, deleting specified system service items, repairing/deleting specified program files, and the like.
Specifically, when a specific program file is repaired, a plurality of repair schemes are provided according to different types of files to be repaired. For example, some files needing to be repaired are system files, some are program files of common software, and some are general files. The basic principle of repairing the program files is similar, and generally, the server side performs matching in a cloud database according to some attribute information of the program files to be repaired by the client side, searches whether matched program files without virus infection exist or not, and provides the matched program files with virus infection for the client side to replace if the matched program files exist, so that the repair is completed. Different matching conditions can be set according to actual requirements when different files are matched specifically, for example, if the files are system files, various attribute information (such as file names, version information and the like) of the files can be required to be all consistent, and the matching is successful, namely, the replacement files for repairing are successfully found; for general files which are not in the system, if the basic version or the standard version is stored in the cloud database, the matching can be considered to be successful. In addition, even if the file is a system file or a general file that is not a system file, different matching conditions may be set according to different actual application environments of the file, different requirements, or different operating systems. For example, it may be that a certain system file requires all of the attributes such as the file name and version information to be consistent before matching is successful, but another system file only requires the file name to be consistent and the version to be the basic version or the standard version, and thus matching is successful.
In the following, how to replace the program file in the repair process is described in detail by taking an example that a common software is damaged by a trojan horse. For example, after a Trojan destroys a program file of some common software, the information of the original program file is not available. In this case, the server-side device 200 may know which replacement files need to be provided for the client device 100 through information about the software, such as a software name, a version of a program file, a directory, and the like, previously provided by the client device 100, and then match the information in the cloud database according to the file name, the version, and the like, find out an uninfected virus and provide the matched replacement file to the client device 100, and then the client device 100 replaces the originally damaged program file with the uninfected virus and the program file consistent with the local computer, which are provided by the server-side device 200.
If the first matcher 214 fails to match successfully in the known malware database, that is, if the unknown program file cannot be matched accurately according to the feature data of the unknown program file, the second indicator 216 is notified, and the second indicator 216 continues to generate the second scanning content indication according to the basic information provided by the feature data of the unknown program file and the characteristics of the known new malware. Because the first indicator already knows the basic attribute information such as the characteristic data of the unknown program file, and then combines the characteristics of the current malicious program, such as what characteristics the unknown program file generally has if the unknown program file is a malicious program, for example, the signature information of the unknown program file may not be a specified name, and the attribute of other files in the directory or related directory where the unknown program file is located may be a specified attribute, and so on.
In particular, the second scan content indication includes scanning for specified attributes of the unknown program file and/or specified attributes of the context environment of the unknown program file. For example, the second scan content indication may only require the client device 100 to scan and report the specified attribute of the unknown program file, may only require the client device 100 to scan and report the specified attribute of the context environment of the unknown program file, and may also require the client device 100 to report other specified attributes and the specified attribute of the context environment together.
It should be noted that the specified attributes of the unknown program file include, but are not limited to, one or more of the following: characteristic data, file size, security level, signature information, version information, and the like. It should be noted that although the client device 100 reports the basic attribute of the feature data of the unknown program file after scanning according to the first scanning content indication of the server, since the client device 100 and the server 200 may not be connected for a long time, when the subsequent client device 100 reports the specified attribute information of the unknown program file after scanning according to the second scanning content indication of the server, the subsequent client device may need to report the basic information such as the feature data of the unknown program file again. Therefore, in the second scanned content indication, there may be both the content that requires scanning and reporting of other specified attributes besides the unknown program file feature data and the content that requires scanning and reporting of the unknown program file feature data. Of course, if the client device 100 and the server device 200 are connected in a long time, the client device 100 may not be required to report basic information such as feature data of an unknown program file that has been reported once again in the second scanning content indication. Security levels include, but are not limited to, malicious (i.e., blacklisted), secure (i.e., whitelisted, trusted), unknown, and suspicious, among others. Attributes of the context of unknown program files include, but are not limited to, one or more of the following: the method comprises the steps of obtaining information of a directory where an unknown program file is located, information of key values of a specified registry, attribute information of other files in the same directory or the specified directory with the program file, running states of specified processes and the like.
The second indicator 216, after generating the second scan content indication, transmits the second scan content indication to the first transmission interface 118 of the client device 100 through the second transmission interface 218, and the first transmission interface 118 notifies the second scanner 116 of the second scan content indication. The second scanner 116 scans the specified attribute information of the unknown program file and/or the attribute information of the context environment according to the second scanning content indication, and finally transmits the scanning result to the second transmission interface 218 of the server-side device 200.
In an embodiment of the present invention, the second transmission interface 218 further informs the second indicator 216 of the received scanning result provided by the second scanner 116, and the second indicator 216 performs analysis and comparison in the known malicious program searching and killing database, which previously provides specific content of the malicious program searching and killing database, so that it can be known that, since the scanning result of the unknown program file provided by the client device 100 includes more information, such as other attributes including signature information, security level, version information, etc. of the unknown program file, or includes various attribute information of the context environment of the unknown program file, and further or all other attributes of the unknown program file and attributes of the context environment are scanned, the second indicator 216 can further analyze and determine whether the unknown program file is a malicious program according to the more comprehensive information, and the feature information and determination logic in the malicious program searching and killing database, and determine whether the unknown program file is a malicious program file And if the file is judged to be a malicious program, whether a corresponding repair logic exists can be further checked. Repair logic includes, but is not limited to, one or more of the following: deleting specified registry keys and/or key values, modifying registry keys and/or key values to specified content, deleting specified system service items, and repairing or deleting specified program files.
Further, the second indicator 216 transmits the determination result of whether the unknown program file is a malicious program file to the client device 100 through the second transmission interface 218. Further, if the determination is that the program is malicious and the matching repair logic can be found in the database of known malicious programs, the matching repair logic is also transmitted to the client device through the second transmission interface 218.
The scanning device 110 of the client further includes a first processor, and the first processor obtains a determination result of whether the unknown program file provided by the second indicator in the server-side device 200 is a malicious program file through the first transmission interface 118, and performs corresponding processing according to the determination result. For example, if the judgment result is a safe program file, the unknown program file does not need to be checked and killed; if the judgment result is a malicious program and the second indicator 216 provides the repair logic, the user may be prompted and asked whether to perform repair, and after confirmation of the user, the unknown program file may be repaired according to the repair logic.
In another embodiment of the present invention, in order to reduce the communication between the client device 100 and the server-side device 200, the second indicator 216 may further transmit the judgment logic related to the second scanned content indication, and even the repair logic related to the judgment logic, to the client device 100 at the same time of informing the client device 100 of the second scanned content indication. Specifically, because the second scan content indication mainly includes scanning other specified attributes except the feature data of the unknown program file and/or specified attributes of the context environment of the unknown program file, the server may predict which scan results may be obtained by the client device 100 after scanning according to the second scan content indication, and then may determine what scan results indicate that the unknown program file is a malicious program according to the malicious program searching and killing database, so that it is possible to search for a determination logic related to the second scan content indication, that is, how to determine whether the unknown program file is a malicious program according to the subsequent scan results. If the program is a malicious program, whether a repair logic related to the second scanning content indication and the judgment logic exists can be further searched according to a known malicious program searching and killing database.
The scanning device 110 at the client may further include a second processor, where the second processor obtains, through the transmission interface 118, the judgment logic provided by the second indicator 216 at the server side and related to the second scanned content indication, and then, according to the judgment logic and the scanning result obtained after the second scanner 116 scans according to the second scanned content indication, judges whether the unknown program file is a malicious program, and performs corresponding processing. For example, if the determination result is that the unknown program file is a malicious program, and the second indicator 216 on the server side further sends a repair logic related to the determination logic, when the scan result provided by the second scanner 116 satisfies the repair logic, corresponding repair processing may be performed according to the repair logic. The specific contents of the rest of the processing are similar to the corresponding processing performed by the first processor in the previous embodiment, and are not described again. It can be seen that in this embodiment, the second scanner 116 does not need to upload the result of scanning the unknown program file according to the second scanning content indication to the server-side device, but directly provides the result to the second processor.
As can be seen from the above embodiments, if the scanning device 110 only includes the environment information reader 112, the first scanner 114, the second scanner 116 and the first transmission interface, it is a pure malware scanning device, and if the scanning device also includes the first processor or the second processor, it is essentially a device capable of completing malware killing, and may be understood as a killing device for malware.
Referring to fig. 2, a flowchart of a malicious program scanning method based on cloud security according to an embodiment of the present invention is shown. The method comprises a part of flow located on a client side and a part of flow located on a server side, wherein the flow on the client side is a scanning method for searching and killing the malicious programs, and the flow on the server side is a cloud management method for searching and killing the malicious programs.
The method starts at step S210, and at step S210, the current system environment information of the client device is read and transmitted to the server device. The system environment information includes, but is not limited to, any one or more of version information of the operating system, system patch installation information, software installation information, driver installation information, and active process and service information. This step can be implemented by the environment information reader 112 in the scanning device 110, and for related technical implementation, reference may be made to related descriptions of the environment information reader 112 in various embodiments, which are not described herein again.
Then, in step S220, the server-side device obtains system environment information of the client device, generates a first scanning content indication according to the characteristics of the new malicious program and the system environment information transmitted by the client device, where the first scanning content indication at least includes characteristic data for scanning the content at the specified location and informing the scanned unknown program file, and transmits the first scanning content indication to the client device. This step can be implemented by the first indicator 212 in the cloud management device 210 located at the server side, and for implementation of related technologies, reference is also made to the description of the first indicator 212 in the foregoing embodiments, which is not described herein again.
After the client device obtains the first scanning content indication judged by the server device based on the uploaded system environment information in step S220, the client device scans the specified position in the first scanning content indication in step S230, and retransmits at least the scanned feature data of the unknown program file to the server device, so that the server device can further judge accordingly. This step can be implemented by the first scanner 114 in the scanning device 110 of the client, and for implementation of related technologies, please refer to the description of the first scanner 114 in the foregoing embodiments, which is not described herein again.
After the server device obtains the feature data of the unknown program file transmitted by the client device in step S230, in step S240, matching is performed in the known malicious program searching and killing database according to the feature data of the unknown program file, and whether the unknown program file is a malicious program is determined. If the matching is successful, judging that the unknown program file is a malicious program, further searching whether a corresponding repair logic exists, and if so, transmitting the judgment result and the repair logic to the client; if no corresponding repair logic is found, only the determination result may be transmitted to the client device. This step can be implemented by the first matcher 214 in the cloud management device 210 located at the server side, and for implementation of related technologies, reference is also made to the description of the first matcher 214 in each of the foregoing embodiments, which is not described herein again.
If the server device cannot match the known record according to the known malicious program searching and killing database, that is, cannot determine whether the unknown program file is a malicious program, in step S250, a second scanned content instruction is generated, where the second scanned content instruction includes scanning a specified attribute of the unknown program file and/or a specified attribute of a context environment of the unknown program file, and then the second scanned content instruction is transmitted to the client device. It can be seen that the server device further sends the second scanned content indication to the client device in order to obtain more information related to the unknown program file for further determination. This step can be implemented by the second indicator 216 in the cloud management device 210 located at the server side, and for implementation of related technologies, reference is also made to the description of the first indicator 212 in the foregoing embodiments, which is not described herein again.
After obtaining the second scanned content indication in step S250, the client device scans according to the second scanned content indication in step S260, so as to obtain the specified attribute of the unknown program file and/or the specified attribute of the context environment of the unknown program file. For example, the specified attributes of the unknown program file include, but are not limited to, one or more of the following: characteristic data of unknown program files, file size, security level, signature information, version information, and the like. As another example, attributes of the context of an unknown program file include, but are not limited to, one or more of the following: the information of the directory where the unknown program file is located, the information of the starting position in the registry, the attribute information of other files in the same directory as the program file or in the specified directory, the running state of the specified process and the like.
After step S260, in an embodiment of the present invention, first, the client device transmits a scanning result obtained after scanning according to the second scanning content indication to the server device, where this step may be executed by the second scanner 116 in the foregoing embodiments, and related technical features may refer to the description of this component, which is not described herein again; and then after the server-side equipment obtains the scanning result obtained by the client-side equipment according to the scanning instruction of the second scanning content, further analyzing and comparing the scanning result in the existing malicious program searching and killing database, judging whether the unknown program file is a malicious program again, and then transmitting the judgment result (such as malicious, safe, unknown and suspicious) and/or the repair logic matched with the scanning result to the client-side equipment. The server side may perform the step through the second indicator 216 in the cloud management device 210 in the foregoing embodiments, and related technical features may refer to the description of the component, which is not described herein again. It should be noted that, under the condition that all the programs are judged to be malicious programs, the corresponding repair logic cannot be found, so that under the condition that the repair logic is found, the judgment result and the repair logic can be transmitted to the client device together; under the condition that the repair logic is not found, the judgment result can be only transmitted to the client for reference of the client or a user; it is also possible to transmit only the repair logic, because the client receives the repair logic and can understand that the unknown program file is a malicious program, otherwise, the server-side device does not feed back the repair logic for the unknown program file to the client. After the client device obtains the judgment result of whether the unknown program file fed back by the server device is a malicious program, corresponding processing can be performed according to the judgment result. For example, the user is reminded by a security reminding means such as a pop-up window, or the repair processing is performed according to the repair logic after the user confirms. The step performed by the client device may be performed by the first processor in the scanning device 110 in the foregoing embodiments, and the related technical features may refer to the description of this component, which is not described herein again.
As can be seen from the description of the subsequent steps in this embodiment, the client device needs to transmit the scanning result to the server device at least twice, so that the server device makes a determination according to the scanning result. In order to reduce the number of communications between the client device and the server device and improve efficiency, the following process may be further employed in another embodiment of the present invention.
In another embodiment of the present invention, in the aforementioned step S250, in addition to the server-side device generating and sending the second scanned content indication to the client device, the server-side device further obtains the judgment logic and/or the repair logic related to the second scanned content indication according to a known malicious program killing database, and then transmits the judgment logic and/or the repair logic and the second scanned content indication to the client device together. This step can be implemented by the second indicator 216 in the cloud management device 210 in the foregoing embodiments, and related technical implementations may refer to related descriptions of this component, which are not described herein again. It can be seen that, after step S250, the client device has received at least the second scanned content indication and the determination logic related to the second scanned content indication, and possibly also received the repair logic related to the second scanned content indication, so that after the client device scans according to the second scanned content indication in step S260 to obtain the scanning result, the client device can determine whether the unknown program file is a malicious program according to the determination logic related to the second scanned content indication and the scanning result transmitted by the server device, and if so, further detect whether the server device also transmits the relevant repair logic at the same time, and if so, continue to perform repair processing on the unknown program file according to the repair logic, such as deleting the specified registry key and/or key value, modifying the registry key and/or key value to the specified content, and so as to obtain the repair logic related to the specified content Delete specified system service items, and repair or delete specified program files, etc. This step may be performed by the second processor in the scanning device 110 in the foregoing embodiments, and for implementation of related technologies, reference may be made to the foregoing description of this step, which is not described herein again.
In another embodiment of the present invention, a method for searching and killing a malicious program based on cloud security is provided, please refer to the flowchart shown in fig. 3.
The process begins at step S310, where the client initializes the local engine and the network environment.
Then, step S320 is executed, and the client reads the system environment information and sends the system environment information to the server.
Further, step S330 is executed, in which the server determines according to the system environment information of the client and the preset condition of the scanned content, and sends the content to be scanned to the client. The content to be scanned corresponds to the first scanning content indication in the foregoing embodiments.
Then, step S340 is executed, the client executes the scan content built in the local engine and the scan content returned by the server, and obtains the characteristics of the unknown program file, such as the file name, MD5, SHA, or the like.
Then, step S350 is executed, and the client device sends the characteristics of the unknown program file to the server.
Thereafter, step S360 is executed, and the server performs a lookup in the database according to the characteristics of the program file and/or the attributes of the context environment of the program file.
Step S370 is then entered to determine whether a matching record is found in the database, i.e., whether a corresponding killing method is found, including but not limited to a scanning/decision action and a repair action. If a matching record is found, go to step S380; if no matching record is found, step S400 is performed.
Step S380: and the server returns the corresponding searching and killing method to the client. Then, step S390 is performed.
Step S390: and the client executes corresponding actions according to the searching and killing method returned by the server. And then ends.
Step S400, the server side judges whether other attributes of the unknown program file of the client side need to be further checked, such as other attributes except the unknown program file characteristics fed back in the step S350, and/or the attributes of the context environment of the unknown program file. If yes, continuing to execute the step S410; if not, the process is ended directly.
And step S410, the client collects the specified attribute of the required program file and the attribute of the context environment thereof according to the check condition returned by the server and then sends the attribute to the server. And then returns to execute step S360 until the flow ends.
In another embodiment of the present invention, a specific example of malicious program killing is given. For example, xxxpupdate.dle of a certain video software can load xxxpupdate.dll under the same directory, the video software is a piece of software with a very large installation amount in china, but does not perform sufficient protection and tamper-proof check on a program file of the video software, so that a malicious program m can replace xxxpupdate.dll with a malicious program by utilizing the security vulnerability of the video software. The detection and searching and killing steps of the scheme are as follows:
firstly, the client sends the file name and the MD5 value of xxxUpdate.dll to the server;
then, the server side matches the corresponding killing method according to the file name and the MD5 value, and then further sends a scan instruction (corresponding to the second scan content instruction in the foregoing embodiments), a judgment logic, and a repair logic to the client side. Wherein, the scanning instruction requires to check whether the security level of the file is credible, and the company signature name of the file is not 'Beijing xxx Limited'; the judgment logic indicates that if the security level of the file is not credible and the company signature name is not 'Beijing xxx Limited', the file is judged to be tampered by the malicious program and is the malicious program; and indicating in the corresponding repair logic that if the scanning result meets the judgment logic, the file is judged to be a malicious program, and then the corresponding repair action is to prohibit xxxupdate.
And finally, the client scans the file according to the scanning content, judges whether the file is a malicious program according to the scanning result and the judgment logic provided by the server, reports the malicious program to the user if the file is the malicious program, and executes the searching and killing action returned by the server when the user selects to clear the file, such as repair processing.
In another embodiment of the present invention, the client device does not report the current system environment information to the server device, and the server does not need to generate the first scanning content indication according to the system environment information reported by the client device, and then the device on the client device scans according to the first scanning content indication. Instead, the client device directly scans according to known scanning logic (for example, scanning logic of a local engine or scanning logic notified by the server before), and then directly reports the suspicious unknown program file, which is obtained by scanning and cannot be determined as to whether the file is safe, to the server device.
It can be seen from the foregoing embodiments provided by the present invention that, in the embodiments of the present invention, when it cannot be determined whether the unknown program file is a malicious program or an accurate repair scheme cannot be found only by the filename, MD5, SHA, and the like of the suspicious unknown program file, further determination may be made by requiring the client device to further scan other attributes of the unknown program file, such as the signature, version, and the like, and/or the attribute of the context environment of the unknown program file, so that it can be determined more accurately whether the client cannot determine the safe unknown program file. By adopting the scheme, no matter the client sends various attribute results of further scanning to the server side for judgment, or the server side directly sends the judgment logic and the repair logic related to the scanning result to the client side for judgment, the cloud server can issue personalized scanning content in time, and dynamically acquire the searching and killing method from the server side according to the attribute of the program file and the attribute of the context environment where the program file is located, so that the condition that the newly-generated malicious program can be detected and eliminated only by upgrading the local feature library and the engine program is avoided, the attack speed on the newly-generated malicious program is accelerated, and the rapid spread of the newly-generated malicious program is effectively restrained.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of a scanning device or cloud management device for malware killing according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second and third, etcetera do not indicate any ordering. These words may be interpreted as names.
Disclosed herein is a1, a scanning device for malware killing, comprising: the first transmission interface is configured to transmit information to a server-side device and receive the information transmitted by the server-side device; the environment information reader is configured to read the current system environment information of the client device and transmit the current system environment information to the server-side device through the first transmission interface; the first scanner is configured to obtain a first scanning content indication judged by the server-side equipment at least based on the system environment information through the first transmission interface, scan a specified position in the first scanning content indication, and transmit at least characteristic data of an unknown program file obtained through scanning to the server-side equipment through the first transmission interface; and a second scanner configured to obtain, through the first transmission interface, a second scanned content indication transmitted by the server-side device, where the second scanned content indication includes scanning a specified attribute of the unknown program file and/or a specified attribute of a context environment of the unknown program file, and scanning according to the second scanned content indication. A2, the scanning device according to the A1, wherein the second scanner is further configured to transmit the scanning result after scanning according to the second scanning content indication to the server-side device through the first transmission interface, and the scanning device further comprises: the first restorer is configured to obtain restoration logic determined by the server-side equipment based on the scanning result provided by the second scanner through the first transmission interface, and carry out restoration processing on the unknown program file according to the restoration logic. A3, the scanning device of A1, further comprising: and the second restorer is configured to obtain restoration logic which is transmitted together with the second scanning content indication and is related to the second scanning content indication from a server-side device through the first transmission interface, and when the scanning result of the second scanner meets the restoration logic, the unknown program file is restored. A4, the scanning device according to A2 or A3, the repair process comprising one or more of the following processes: deleting specified registry keys and/or key values, modifying registry keys and/or key values to specified content, deleting specified system service items, and repairing or deleting specified program files. A5, the scanning device of any one of A1 to A4, the environmental system information comprising one or more of the following: version information of the operating system, system patch installation information, software installation information, driver installation information, and running processes and services information in the system. A6, scanning device according to any of A1 to A5: the characteristic data of the program file comprises one or more of the following information: data and file names obtained by adopting a specific algorithm on all or part of key contents of the unknown program file; the specified attributes of the unknown program file include one or more of the following information: characteristic data, file size, security level, signature information, and version information. A7, the scanning apparatus of any one of A1 to A6, wherein the attributes of the context environment of the unknown program file include one or more of the following information: the information of the directory where the unknown program file is located, the information of the starting position in the registry, the attribute information of other files in the same directory or the appointed directory with the program file, and the running state of the appointed process.
Disclosed herein is B8, a cloud management device for malicious program searching and killing, comprising: a second transmission interface configured to transmit information to a client device and receive information transmitted by the client device; a first indicator configured to generate a first scanning content indication according to characteristics of a new malicious program and system environment information transmitted by the client device, wherein the first scanning content indication at least comprises characteristic data for scanning contents of a specified position and informing the scanned unknown program file, and transmit the first scanning content indication to the client device through the second transmission interface; the first matcher is configured to obtain the characteristic data of the unknown program file transmitted by the client device through the second transmission interface, and match the characteristic data in a known malicious program characteristic data record according to the characteristic data; and a second indicator configured to generate a second scanned content indication when the first matcher fails to match a known record, the second scanned content indication comprising a scan of specified attributes of the unknown program file and/or specified attributes of a context of the unknown program file and transmitted to the client device via the second transmission interface. B9, the cloud management device according to B8: the second indicator is further configured to obtain, through the second transmission interface, a scanning result obtained after the client device scans according to the second scanning content indication, and accordingly determine whether the unknown program file is a malicious program, and transmit the determination result to the client device through the second transmission interface; alternatively, the second indicator is further configured to transmit, to the client device through the second transmission interface, together with determination logic related to the second scanned content indication, the determination logic being logic configured to determine whether the unknown program file is a malicious program. B10, according to the cloud management device of B9, the second indicator is further configured to match in a known malicious program searching and killing database according to a scanning result obtained after the client device scans according to the second scanning content instruction, and if a repair logic matching the scanning result is found, transmit the repair logic to the client device through the second transmission interface; or, the second indicator is further configured to match in a known malicious program killing database according to the second scanned content indication, and transmit the matched repair logic related to the second scanned content indication and the second scanned content indication together to the client device through the second transmission interface. B11, the cloud management device according to any one of B8-B10, wherein the characteristics of the new malicious program comprise: and the new malicious program utilizes the characteristic information of the specific position for hiding and/or attacking. B12, the cloud management device according to any of B8-B11, the first scanning content indication being an indication of a condition, the condition comprising one or more of: specifying whether a file exists, specifying whether a directory exists, specifying whether an attribute of a program file satisfies a specified condition, specifying whether a registry key exists, specifying whether a registry key value exists, specifying whether a content of a registry key satisfies a specified condition, specifying whether a content of a registry key value satisfies a specified condition, specifying whether a process exists, and specifying whether a service exists. B13, the cloud management device according to any one of B8-B12, the repair logic comprising one or more of the following: deleting specified registry keys and/or key values, modifying registry keys and/or key values to specified content, deleting specified system service items, and repairing or deleting specified program files. B14, the cloud management device according to any one of B8-B13, wherein the feature data of the unknown program file comprises one or more of the following information: data and file names obtained by adopting a specific algorithm on all or part of key contents of the unknown program file; the specified attributes of the unknown program file include one or more of the following information: characteristic data, file size, signature information, and version information. B15, the cloud management device according to any one of B8-B14, wherein the attributes of the context environment of the unknown program file comprise one or more of the following information: the information of the directory where the unknown program file is located, the security level information, the information of the starting position in the registry, the attribute information of other files in the same directory or the appointed directory as the program file, and the running state of the appointed process.
C16, a cloud security-based malware scanning system, including a scanning device for malware killing as described in any one of a 1-a 7, and a cloud management device for malware killing as described in any one of B8-B15.
Disclosed herein is a D17, a scanning method for malicious program killing, comprising: reading current system environment information of client equipment and transmitting the current system environment information to server equipment; acquiring a first scanning content instruction which is judged by the server side equipment based on the system environment information, scanning a specified position in the first scanning content instruction, and at least transmitting the characteristic data of the scanned unknown program file to the server side equipment; and obtaining a second scanning content indication transmitted by the server-side equipment, wherein the second scanning content indication comprises scanning the specified attribute of the unknown program file and/or the specified attribute of the context environment of the unknown program file, and scanning according to the second scanning content indication. D18, the scanning method of D17, further comprising: transmitting the scanning result after scanning according to the second scanning content indication to the server-side equipment; obtaining a judgment result of whether the unknown program file determined by the server-side equipment based on the scanning result is a malicious program or not, and carrying out corresponding processing according to the judgment result; or, obtaining a judgment logic related to the second scanned content indication, which is notified by the server-side device, determining whether the unknown program file is a malicious program according to a scanned result obtained by scanning according to the second scanned content indication and the judgment logic, and performing corresponding processing.
E19, a cloud management method for malicious program killing, comprising: generating a first scanning content instruction according to the characteristics of the newly generated malicious program and system environment information transmitted by client equipment, wherein the first scanning content instruction at least comprises characteristic data for scanning the content of a specified position and informing the scanned unknown program file, and transmitting the first scanning content instruction to the client equipment; obtaining the characteristic data of the unknown program file transmitted by the client device, and matching in a known malicious program searching and killing database according to the characteristic data; and when the known record cannot be matched according to the feature data of the unknown program file, generating a second scanned content indication, wherein the second scanned content indication comprises scanning the specified attribute of the unknown program file and/or the specified attribute of the context environment of the unknown program file, and transmitting the second scanned content indication to the client device. E20, the cloud management method according to E19, further comprising: obtaining a scanning result obtained after the client device scans according to the second scanning content indication, judging whether the unknown program file is a malicious program according to the scanning result, and transmitting a judgment result and/or a repair logic matched with the scanning result to the client device; alternatively, the decision logic and/or repair logic associated with the second scanned content indication is transmitted to the client device along with the second scanned content indication.
Disclosed herein is F21, a method for cloud security-based malware scanning, comprising: the client equipment reads the current system environment information and transmits the current system environment information to the server equipment; the method comprises the steps that server-side equipment generates a first scanning content instruction according to characteristics of a new malicious program and system environment information transmitted by client-side equipment, wherein the first scanning content instruction at least comprises characteristic data of an unknown program file which is scanned and informed of the content of a specified position, and the first scanning content instruction is transmitted to the client-side equipment; the client device scans according to the first scanning content indication and at least transmits the scanned feature data of the unknown program file to the server device; the server-side equipment matches in a known malicious program searching and killing database according to the characteristic data of the unknown program file; when a known record cannot be matched according to the feature data of the unknown program file, the server-side equipment generates a second scanning content instruction, wherein the second scanning content instruction comprises a step of scanning the specified attribute of the unknown program file and/or the specified attribute of the context environment of the unknown program file, and a step of transmitting the second scanning content instruction to the client-side equipment; and the client device performs scanning according to the second scanning content indication.

Claims (20)

1. A scanning device for malware killing, comprising:
the first transmission interface is configured to transmit information to a server-side device and receive the information transmitted by the server-side device;
the environment information reader is configured to read the current system environment information of the client device and transmit the current system environment information to the server-side device through the first transmission interface;
the first scanner is configured to obtain a first scanning content indication judged by the server-side equipment at least based on the system environment information through the first transmission interface, scan a specified position in the first scanning content indication, and transmit at least characteristic data of an unknown program file obtained through scanning to the server-side equipment through the first transmission interface; and
a second scanner configured to obtain, through the first transmission interface, a second scanned content indication transmitted by the server-side device, where the second scanned content indication includes scanning a specified attribute of the unknown program file and/or a specified attribute of a context of the unknown program file, and scanning according to the second scanned content indication.
2. The scanning device according to claim 1, wherein the second scanner is further configured to transmit a scanning result after scanning according to the second scanning content indication to the server-side device through the first transmission interface;
the scanning device further includes:
the first restorer is configured to obtain restoration logic determined by the server-side equipment based on the scanning result provided by the second scanner through the first transmission interface, and carry out restoration processing on the unknown program file according to the restoration logic.
3. The scanning device of claim 1, further comprising:
and the second restorer is configured to obtain restoration logic which is transmitted together with the second scanning content indication and is related to the second scanning content indication from a server-side device through the first transmission interface, and when the scanning result of the second scanner meets the restoration logic, the unknown program file is restored.
4. A scanning device according to claim 2 or 3, the repair process comprising one or more of the following:
deleting specified registry keys and/or key values, modifying registry keys and/or key values to specified content, deleting specified system service items, and repairing or deleting specified program files.
5. The scanning device of any one of claims 1 to 4, the environmental system information comprising one or more of the following:
version information of the operating system, system patch installation information, software installation information, driver installation information, and running processes and services information in the system.
6. The scanning device of any of claims 1 to 5:
the characteristic data of the program file comprises one or more of the following information: data and file names obtained by adopting a specific algorithm on all or part of key contents of the unknown program file;
the specified attributes of the unknown program file include one or more of the following information: characteristic data, file size, security level, signature information, and version information.
7. The scanning device of any of claims 1 to 6, the attributes of the context environment of the unknown program file including one or more of the following information:
the information of the directory where the unknown program file is located, the information of the starting position in the registry, the attribute information of other files in the same directory or the appointed directory with the program file, and the running state of the appointed process.
8. A cloud management device for malicious program searching and killing, comprising:
a second transmission interface configured to transmit information to a client device and receive information transmitted by the client device;
a first indicator configured to generate a first scanning content indication according to characteristics of a new malicious program and system environment information transmitted by the client device, wherein the first scanning content indication at least comprises characteristic data for scanning contents of a specified position and informing the scanned unknown program file, and transmit the first scanning content indication to the client device through the second transmission interface;
the first matcher is configured to obtain the characteristic data of the unknown program file transmitted by the client device through the second transmission interface, and match the characteristic data in a known malicious program characteristic data record according to the characteristic data; and
a second indicator configured to generate a second scanned content indication when the first matcher fails to match a known record, the second scanned content indication including scanning specified attributes of the unknown program file and/or specified attributes of a context of the unknown program file and transmitting to the client device via the second transmission interface.
9. The cloud management device of claim 8:
the second indicator is further configured to obtain, through the second transmission interface, a scanning result obtained after the client device scans according to the second scanning content indication, and accordingly determine whether the unknown program file is a malicious program, and transmit the determination result to the client device through the second transmission interface;
or,
the second indicator is further configured to transmit, to the client device through the second transmission interface, together with determination logic associated with the second scanned content indication, the determination logic being logic to determine whether the unknown program file is a malicious program.
10. The cloud management device of claim 9,
the second indicator is further configured to match in a known malicious program searching and killing database according to a scanning result obtained after the client device scans according to the second scanning content indication, and transmit to the client device through the second transmission interface if a repair logic matched with the scanning result is found;
or,
the second indicator is further configured to match in a known rogue program killing database according to the second scanned content indication, and transmit the matched repair logic associated with the second scanned content indication and the second scanned content indication together to the client device through the second transmission interface.
11. Cloud management device according to any of claims 8 to 10, the characteristics of the nascent malware comprising: and the new malicious program utilizes the characteristic information of the specific position for hiding and/or attacking.
12. A cloud management device according to any of claims 8 to 11, the first scanning content indication being an indication of a condition, the condition comprising one or more of:
specifying whether a file exists, specifying whether a directory exists, specifying whether an attribute of a program file satisfies a specified condition, specifying whether a registry key exists, specifying whether a registry key value exists, specifying whether a content of a registry key satisfies a specified condition, specifying whether a content of a registry key value satisfies a specified condition, specifying whether a process exists, and specifying whether a service exists.
13. Cloud management device according to any of claims 8 to 12, the repair logic comprising one or more of the following logic:
deleting specified registry keys and/or key values, modifying registry keys and/or key values to specified content, deleting specified system service items, and repairing or deleting specified program files.
14. Cloud management device according to any of claims 8 to 13,
the characteristic data of the unknown program file comprises one or more of the following information: data and file names obtained by adopting a specific algorithm on all or part of key contents of the unknown program file;
the specified attributes of the unknown program file include one or more of the following information: characteristic data, file size, signature information, and version information.
15. A cloud management device according to any of claims 8 to 14, wherein the attributes of the context of the unknown program file include one or more of the following:
the information of the directory where the unknown program file is located, the security level information, the information of the starting position in the registry, the attribute information of other files in the same directory or the appointed directory as the program file, and the running state of the appointed process.
16. A malicious program scanning system based on cloud security, comprising the scanning device for malicious program killing according to any one of claims 1 to 7, and the cloud management device for malicious program killing according to any one of claims 8 to 15.
17. A scanning method for malware killing, comprising:
reading current system environment information of client equipment and transmitting the current system environment information to server equipment;
acquiring a first scanning content instruction which is judged by the server side equipment based on the system environment information, scanning a specified position in the first scanning content instruction, and at least transmitting the characteristic data of the scanned unknown program file to the server side equipment; and
and obtaining a second scanning content indication transmitted by the server-side equipment, wherein the second scanning content indication comprises scanning the specified attribute of the unknown program file and/or the specified attribute of the context environment of the unknown program file, and scanning according to the second scanning content indication.
18. The scanning method of claim 17, further comprising:
transmitting the scanning result after scanning according to the second scanning content indication to the server-side equipment; obtaining a judgment result of whether the unknown program file determined by the server-side equipment based on the scanning result is a malicious program or not, and carrying out corresponding processing according to the judgment result;
or,
and acquiring judgment logic which is informed by the server-side equipment and is related to the second scanning content indication, determining whether the unknown program file is a malicious program according to a scanning result obtained after scanning according to the second scanning content indication and the judgment logic, and performing corresponding processing.
19. A cloud management method for malicious program searching and killing comprises the following steps:
generating a first scanning content instruction according to the characteristics of the newly generated malicious program and system environment information transmitted by client equipment, wherein the first scanning content instruction at least comprises characteristic data for scanning the content of a specified position and informing the scanned unknown program file, and transmitting the first scanning content instruction to the client equipment;
obtaining the characteristic data of the unknown program file transmitted by the client device, and matching in a known malicious program searching and killing database according to the characteristic data; and
and when the known record cannot be matched according to the feature data of the unknown program file, generating a second scanned content indication, wherein the second scanned content indication comprises scanning the specified attribute of the unknown program file and/or the specified attribute of the context environment of the unknown program file, and transmitting the second scanned content indication to the client device.
20. A cloud security-based malware scanning method, comprising:
the client equipment reads the current system environment information and transmits the current system environment information to the server equipment;
the method comprises the steps that server-side equipment generates a first scanning content instruction according to characteristics of a new malicious program and system environment information transmitted by client-side equipment, wherein the first scanning content instruction at least comprises characteristic data of an unknown program file which is scanned and informed of the content of a specified position, and the first scanning content instruction is transmitted to the client-side equipment;
the client device scans according to the first scanning content indication and at least transmits the scanned feature data of the unknown program file to the server device;
the server-side equipment matches in a known malicious program searching and killing database according to the characteristic data of the unknown program file;
when a known record cannot be matched according to the feature data of the unknown program file, the server-side equipment generates a second scanning content instruction, wherein the second scanning content instruction comprises a step of scanning the specified attribute of the unknown program file and/or the specified attribute of the context environment of the unknown program file, and a step of transmitting the second scanning content instruction to the client-side equipment;
and the client device performs scanning according to the second scanning content indication.
CN201210506137.5A 2012-11-30 2012-11-30 For the scanning device of rogue program killing, cloud management equipment and method and system Active CN102982284B (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
CN201210506137.5A CN102982284B (en) 2012-11-30 2012-11-30 For the scanning device of rogue program killing, cloud management equipment and method and system
PCT/CN2013/088196 WO2014082599A1 (en) 2012-11-30 2013-11-29 Scanning device, cloud management device, method and system for checking and killing malicious programs
US14/648,298 US9830452B2 (en) 2012-11-30 2013-11-29 Scanning device, cloud management device, method and system for checking and killing malicious programs
US15/823,534 US20180082061A1 (en) 2012-11-30 2017-11-27 Scanning device, cloud management device, method and system for checking and killing malicious programs

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210506137.5A CN102982284B (en) 2012-11-30 2012-11-30 For the scanning device of rogue program killing, cloud management equipment and method and system

Publications (2)

Publication Number Publication Date
CN102982284A true CN102982284A (en) 2013-03-20
CN102982284B CN102982284B (en) 2016-04-20

Family

ID=47856288

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210506137.5A Active CN102982284B (en) 2012-11-30 2012-11-30 For the scanning device of rogue program killing, cloud management equipment and method and system

Country Status (1)

Country Link
CN (1) CN102982284B (en)

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103390130A (en) * 2013-07-18 2013-11-13 北京奇虎科技有限公司 Rogue program searching and killing method and device based on cloud security as well as server
CN103618626A (en) * 2013-11-28 2014-03-05 北京奇虎科技有限公司 Method and system for generating safety analysis report on basis of logs
WO2014082599A1 (en) * 2012-11-30 2014-06-05 北京奇虎科技有限公司 Scanning device, cloud management device, method and system for checking and killing malicious programs
CN103929323A (en) * 2013-12-16 2014-07-16 汉柏科技有限公司 Health degree monitoring method of cloud network equipment
CN104462975A (en) * 2014-12-19 2015-03-25 北京奇虎科技有限公司 Program scanning method, device and system
CN104573518A (en) * 2015-01-23 2015-04-29 百度在线网络技术(北京)有限公司 Method, device, server and system for scanning files
CN105335191A (en) * 2015-10-16 2016-02-17 北京金山安全软件有限公司 Method and device for scanning terminal equipment and terminal
CN105429956A (en) * 2015-11-02 2016-03-23 重庆大学 Malicious software detection system based on P2P dynamic cloud and malicious software detection method
WO2016107309A1 (en) * 2014-12-31 2016-07-07 北京奇虎科技有限公司 File scanning method, device and system
CN106557689A (en) * 2015-09-25 2017-04-05 纬创资通股份有限公司 malicious program code analysis method and system, data processing device and electronic device
CN106682508A (en) * 2016-06-17 2017-05-17 腾讯科技(深圳)有限公司 Method and device for searching and killing viruses
CN106682495A (en) * 2016-11-11 2017-05-17 腾讯科技(深圳)有限公司 Safety protection method and safety protection device
CN107645483A (en) * 2016-07-22 2018-01-30 阿里巴巴集团控股有限公司 Risk Identification Method, risk identification device, cloud risk identification apparatus and system
CN109829303A (en) * 2018-12-28 2019-05-31 北京奇安信科技有限公司 A kind of Intranet cloud checking and killing method, console and client based on system file
CN110879887A (en) * 2019-11-15 2020-03-13 杭州安恒信息技术股份有限公司 Method, device, equipment and medium for repairing mining trojan program
CN110971575A (en) * 2018-09-29 2020-04-07 北京金山云网络技术有限公司 Malicious request identification method and device, electronic equipment and computer storage medium
CN114115936A (en) * 2021-10-27 2022-03-01 安天科技集团股份有限公司 Method and device for upgrading computer program, electronic equipment and storage medium
EP4459486A1 (en) * 2023-05-01 2024-11-06 CrowdStrike, Inc. Detecting targeted intrusion on mobile devices

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101924762A (en) * 2010-08-18 2010-12-22 奇智软件(北京)有限公司 Cloud security-based active defense method
CN102279912A (en) * 2011-06-03 2011-12-14 奇智软件(北京)有限公司 Client program monitoring method and device and client
CN102592103A (en) * 2011-01-17 2012-07-18 中国电信股份有限公司 Secure file processing method, equipment and system
CN102750463A (en) * 2011-12-16 2012-10-24 北京安天电子设备有限公司 System and method for improving file rescanning speed
US8302192B1 (en) * 2008-04-30 2012-10-30 Netapp, Inc. Integrating anti-virus in a clustered storage system
CN102799811A (en) * 2012-06-26 2012-11-28 腾讯科技(深圳)有限公司 Scanning method and device

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8302192B1 (en) * 2008-04-30 2012-10-30 Netapp, Inc. Integrating anti-virus in a clustered storage system
CN101924762A (en) * 2010-08-18 2010-12-22 奇智软件(北京)有限公司 Cloud security-based active defense method
CN102592103A (en) * 2011-01-17 2012-07-18 中国电信股份有限公司 Secure file processing method, equipment and system
CN102279912A (en) * 2011-06-03 2011-12-14 奇智软件(北京)有限公司 Client program monitoring method and device and client
CN102750463A (en) * 2011-12-16 2012-10-24 北京安天电子设备有限公司 System and method for improving file rescanning speed
CN102799811A (en) * 2012-06-26 2012-11-28 腾讯科技(深圳)有限公司 Scanning method and device

Cited By (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014082599A1 (en) * 2012-11-30 2014-06-05 北京奇虎科技有限公司 Scanning device, cloud management device, method and system for checking and killing malicious programs
WO2015007224A1 (en) * 2013-07-18 2015-01-22 北京奇虎科技有限公司 Malicious program finding and killing method, device and server based on cloud security
CN103390130A (en) * 2013-07-18 2013-11-13 北京奇虎科技有限公司 Rogue program searching and killing method and device based on cloud security as well as server
US10027704B2 (en) 2013-07-18 2018-07-17 Beijing Qihoo Technology Company Limited Malicious program finding and killing device, method and server based on cloud security
CN103390130B (en) * 2013-07-18 2017-04-05 北京奇虎科技有限公司 Based on the method for the rogue program killing of cloud security, device and server
CN103618626A (en) * 2013-11-28 2014-03-05 北京奇虎科技有限公司 Method and system for generating safety analysis report on basis of logs
CN103929323A (en) * 2013-12-16 2014-07-16 汉柏科技有限公司 Health degree monitoring method of cloud network equipment
CN104462975A (en) * 2014-12-19 2015-03-25 北京奇虎科技有限公司 Program scanning method, device and system
WO2016107309A1 (en) * 2014-12-31 2016-07-07 北京奇虎科技有限公司 File scanning method, device and system
CN104573518B (en) * 2015-01-23 2019-03-26 百度在线网络技术(北京)有限公司 File scanning method, device, server and system
CN104573518A (en) * 2015-01-23 2015-04-29 百度在线网络技术(北京)有限公司 Method, device, server and system for scanning files
US10599851B2 (en) 2015-09-25 2020-03-24 Wistron Corporation Malicious code analysis method and system, data processing apparatus, and electronic apparatus
CN106557689A (en) * 2015-09-25 2017-04-05 纬创资通股份有限公司 malicious program code analysis method and system, data processing device and electronic device
CN106557689B (en) * 2015-09-25 2019-06-07 纬创资通股份有限公司 Malicious program code analysis method and system, data processing device and electronic device
CN105335191B (en) * 2015-10-16 2019-03-01 珠海豹趣科技有限公司 A kind of method, apparatus and terminal of end of scan equipment
CN105335191A (en) * 2015-10-16 2016-02-17 北京金山安全软件有限公司 Method and device for scanning terminal equipment and terminal
CN105429956B (en) * 2015-11-02 2018-09-25 重庆大学 Malware detection system based on P2P dynamic clouds and method
CN105429956A (en) * 2015-11-02 2016-03-23 重庆大学 Malicious software detection system based on P2P dynamic cloud and malicious software detection method
CN106682508A (en) * 2016-06-17 2017-05-17 腾讯科技(深圳)有限公司 Method and device for searching and killing viruses
CN107645483A (en) * 2016-07-22 2018-01-30 阿里巴巴集团控股有限公司 Risk Identification Method, risk identification device, cloud risk identification apparatus and system
CN106682495A (en) * 2016-11-11 2017-05-17 腾讯科技(深圳)有限公司 Safety protection method and safety protection device
US11126716B2 (en) 2016-11-11 2021-09-21 Tencent Technology (Shenzhen) Company Limited System security method and apparatus
CN110971575A (en) * 2018-09-29 2020-04-07 北京金山云网络技术有限公司 Malicious request identification method and device, electronic equipment and computer storage medium
CN109829303A (en) * 2018-12-28 2019-05-31 北京奇安信科技有限公司 A kind of Intranet cloud checking and killing method, console and client based on system file
CN110879887A (en) * 2019-11-15 2020-03-13 杭州安恒信息技术股份有限公司 Method, device, equipment and medium for repairing mining trojan program
CN114115936A (en) * 2021-10-27 2022-03-01 安天科技集团股份有限公司 Method and device for upgrading computer program, electronic equipment and storage medium
EP4459486A1 (en) * 2023-05-01 2024-11-06 CrowdStrike, Inc. Detecting targeted intrusion on mobile devices

Also Published As

Publication number Publication date
CN102982284B (en) 2016-04-20

Similar Documents

Publication Publication Date Title
CN102982284B (en) For the scanning device of rogue program killing, cloud management equipment and method and system
CN103034808B (en) Scan method, equipment and system and cloud management and equipment
US11570211B1 (en) Detection of phishing attacks using similarity analysis
AU2018217323B2 (en) Methods and systems for identifying potential enterprise software threats based on visual and non-visual data
US8850585B2 (en) Systems and methods for automated malware artifact retrieval and analysis
US10243989B1 (en) Systems and methods for inspecting emails for malicious content
US20180082061A1 (en) Scanning device, cloud management device, method and system for checking and killing malicious programs
KR101693370B1 (en) Fuzzy whitelisting anti-malware systems and methods
EP2859495B1 (en) Malicious message detection and processing
CN107786564B (en) Attack detection method and system based on threat intelligence and electronic equipment
GB2531514B (en) Malware detection method
CN103618626A (en) Method and system for generating safety analysis report on basis of logs
US8856931B2 (en) Network browser system, method, and computer program product for scanning data for unwanted content and associated unwanted sites
CN105791250B (en) Application program detection method and device
JP6169497B2 (en) Connection destination information determination device, connection destination information determination method, and program
CN110505238B (en) EDR-based message queue processing device and method
CN110084041A (en) Querying method, device, client, management end and the storage medium of virus document
JP2016525750A (en) Identifying misuse of legal objects
CN102970283B (en) Document scanning system
CN114003914A (en) File security detection method and device, electronic equipment and storage medium
JP6378808B2 (en) Connection destination information determination device, connection destination information determination method, and program
CN104618427A (en) Method and device for monitoring file via network
CN112580038A (en) Anti-virus data processing method, device and equipment
CN106529292A (en) Virus checking and killing method and apparatus

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20220801

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.