CN103246847B - Method and apparatus for detecting and removing macro viruses - Google Patents

Publication number: CN103246847B
Authority: CN (China)
Legal status: Active
Application number: CN201310175309.XA
Other languages: Chinese (zh)
Other versions: CN103246847A
Inventor: 崔精兵
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201310175309.XA
Publication of CN103246847A
Priority to TW102146233A (TW201443683A)
Priority to PCT/CN2013/089563 (WO2014183434A1)
Application granted
Publication of CN103246847B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files

Abstract

An embodiment of the invention discloses a method and apparatus for detecting and removing macro viruses. The method first obtains the data stream of the document to be checked. It then decides whether to search for a macro virus at all by checking whether a macro mark is present in the obtained data stream. When a macro mark is present in the data stream, the method determines whether the document to be checked is a macro virus document and, finally, converts the macro virus document into a clean (virus-free) document. Because the invention scans and cleans only the macro code portion of a computer document, it greatly improves the efficiency of searching for macro viruses. At the same time, only the macro virus information is deleted from the infected document, so the information in the original document is preserved intact and no information is lost.

Description

Method and apparatus for detecting and removing macro viruses
Technical field
The present invention relates to the technical field of data security, and specifically to a method and apparatus for detecting and removing macro viruses.
Background
With the spread of computers and the development of the mobile Internet, the networked information era has arrived. A virus, as one form of information, can reproduce, infect and destroy, and so threatens the information security of users. Computer documents, that is, the files produced by document-editing software such as WORD and EXCEL, are widely used, and macro viruses, a newer kind of virus aimed specifically at the information security of computer documents, have gradually come to people's attention. A macro virus is written in a macro language and acts mainly within the macro code of a computer document, threatening the safety of that document.
In the prior art, the presence of a macro virus is determined by a full-text search of the computer document. First, the feature code of the macro virus is obtained. Second, the obtained feature code is matched against all of the code of the computer document until a code segment identical to the feature code is found, at which point the document is considered to be infected with the macro virus. Moreover, once a document is determined to be infected, the infected document is simply deleted.
The full-text search of the prior art ignores the fact that a macro virus acts only within the macro code of a computer document. Lacking a targeted search method, it blindly enlarges the search range, which greatly reduces the efficiency of searching for macro viruses. In addition, deleting the infected document easily causes loss of information.
Summary of the invention
The invention provides a method and apparatus for detecting and removing macro viruses that scans and cleans only the macro code portion of a computer document, greatly improving the efficiency of searching for macro viruses. At the same time, only the macro virus information is deleted from the infected document, so the original information in the document is preserved intact and no information is lost.
The invention provides a method for detecting and removing macro viruses, the method comprising:
Obtaining the data stream of a document to be checked;
When a macro mark is present in the data stream, determining whether the document to be checked is a macro virus document and, if so, converting the macro virus document into a clean document.
Preferably, before determining whether the document to be checked is a macro virus document, the method further comprises:
Presetting a macro virus feature group, the macro virus feature group comprising at least one macro virus feature.
Preferably, determining whether the document to be checked is a macro virus document comprises:
Determining whether the document to be checked contains any macro virus feature in the macro virus feature group.
Preferably, determining whether the document to be checked contains any macro virus feature in the macro virus feature group comprises:
When the document to be checked contains a macro substream, determining whether the macro substream contains any macro virus feature in the macro virus feature group;
When the document to be checked contains no macro substream, or the macro substream contains no macro virus feature in the macro virus feature group, determining whether the document to be checked contains a script stream and, if so, determining whether the script stream contains any macro virus feature in the macro virus feature group;
Or,
When the document to be checked contains a script stream, determining whether the script stream contains any macro virus feature in the macro virus feature group;
When the document to be checked contains no script stream, or the script stream contains no macro virus feature in the macro virus feature group, determining whether the document to be checked contains a macro substream and, if so, determining whether the macro substream contains any macro virus feature in the macro virus feature group.
Preferably, the method further comprises:
When no macro mark is present in the data stream, determining the document to be checked to be a clean document.
Preferably, converting the macro virus document into a clean document comprises:
Deleting the macro information in the macro virus document, the macro information comprising a macro substream and/or a script stream, and deleting the macro mark in the macro virus document;
Determining the macro virus document to be a clean document.
The invention also provides an apparatus for detecting and removing macro viruses, the apparatus comprising:
A first obtaining module, configured to obtain the data stream of a document to be checked;
A first judging module, configured to determine, when a macro mark is present in the data stream, whether the document to be checked is a macro virus document;
A conversion module, configured to convert the macro virus document into a clean document when the result of the first judging module is yes.
Preferably, the apparatus further comprises:
A presetting module, configured to preset a macro virus feature group, the macro virus feature group comprising at least one macro virus feature.
Preferably, the first judging module is specifically configured to:
When a macro mark is present in the data stream, determine whether the document to be checked contains any macro virus feature in the macro virus feature group.
Preferably, the first judging module comprises:
A first judging submodule, configured to determine, when the document to be checked contains a macro substream, whether the macro substream contains any macro virus feature in the macro virus feature group;
A second judging submodule, configured to determine, when the document to be checked contains no macro substream or the macro substream contains no macro virus feature in the macro virus feature group, whether the document to be checked contains a script stream;
A third judging submodule, configured to determine, when the result of the second judging submodule is yes, whether the script stream contains any macro virus feature in the macro virus feature group;
Or,
A fourth judging submodule, configured to determine, when the document to be checked contains a script stream, whether the script stream contains any macro virus feature in the macro virus feature group;
A fifth judging submodule, configured to determine, when the document to be checked contains no script stream or the script stream contains no macro virus feature in the macro virus feature group, whether the document to be checked contains a macro substream;
A sixth judging submodule, configured to determine, when the result of the fifth judging submodule is yes, whether the macro substream contains any macro virus feature in the macro virus feature group.
Preferably, the apparatus further comprises:
A determining module, configured to determine the document to be checked to be a clean document when no macro mark is present in the data stream.
Preferably, the conversion module comprises:
A first deleting submodule, configured to delete the macro information in the macro virus document, the macro information comprising a macro substream and/or a script stream;
A second deleting submodule, configured to delete the macro mark in the macro virus document;
A determining submodule, configured to determine the macro virus document to be a clean document.
The invention first obtains the data stream of the document to be checked. It then decides whether to search for a macro virus at all by checking whether a macro mark is present in the obtained data stream. When a macro mark is present in the data stream, it determines whether the document to be checked is a macro virus document and, finally, converts the macro virus document into a clean document. Because the invention scans and cleans only the macro code portion of a computer document, it greatly improves the efficiency of searching for macro viruses. At the same time, only the macro virus information is deleted from the infected document, so the information in the original document is preserved intact and no information is lost.
Further, when no macro mark is present in the data stream, the document to be checked can be determined to be a clean document. Compared with the prior-art method, which determines that a document is clean only after a full-text search finds no virus feature code, the invention improves the efficiency of determining that a computer document is free of macro viruses.
Further, the invention first determines whether the document to be checked contains a macro substream and/or a script stream, and then matches virus features only against the macro substream and/or script stream in order to identify a macro virus document. Compared with the prior art, searching for macro viruses in the macro substream and/or script stream is more targeted and also improves the efficiency of the search.
Further, by deleting the macro information and the macro mark in a macro virus document, the invention converts the macro virus document into a clean document. Compared with the prior-art method of directly deleting the macro virus document, the invention effectively prevents loss of the information in the original document.
Brief description of the drawings
To explain the technical solutions in the embodiments of the present application more clearly, the accompanying drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the application, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of the macro virus detection and removal method of embodiment one of the invention;
Fig. 2 is a flowchart of the method of embodiment one of the invention for converting a macro virus document into a clean document;
Fig. 3 is a flowchart of the macro virus detection and removal method of embodiment two of the invention;
Fig. 4 is a flowchart of one of the methods of embodiment two of the invention for determining whether the document to be checked contains any macro virus feature in the macro virus feature group;
Fig. 5 is a flowchart of one of the methods of embodiment two of the invention for determining whether the document to be checked contains any macro virus feature in the macro virus feature group;
Fig. 6 is a structural diagram of the macro virus detection and removal apparatus of embodiment three of the invention;
Fig. 7 is one of the structural diagrams of the first judging module 602 of embodiment three of the invention;
Fig. 8 is one of the structural diagrams of the first judging module 602 of embodiment three of the invention;
Fig. 9 is a schematic structural diagram of the terminal provided by embodiment three of the invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the application. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the application.
Embodiment one
In the prior art, the search for macro viruses is inefficient, and directly deleting a document infected with a macro virus causes loss of information. To address these problems, this embodiment obtains the data stream of the document to be checked, determines whether the document contains a macro mark, and from that determines whether the document contains a macro virus. Finally, when the document does contain a macro virus, the virus is removed by deleting the macro information in the document. This improves the efficiency of searching for macro viruses and also solves the problem of document information being lost while a macro virus is removed.
Referring to Fig. 1, which is a flowchart of the macro virus detection and removal method provided by this embodiment, the method specifically comprises:
Step 101: obtain the data stream of the document to be checked.
In this embodiment, before the document to be checked is scanned and cleaned for macro viruses, it is first parsed into the form of a data stream. The data stream is the structure in which the raw data of the document to be checked is stored.
Step 102: when a macro mark is present in the data stream, determine whether the document to be checked is a macro virus document; if so, proceed to step 103.
In this embodiment, it is first determined whether a macro mark is present in the obtained data stream. If it is, the method goes on to determine whether the document to be checked is a macro virus document and, when it is, proceeds to step 103. If no macro mark is present in the data stream, the document to be checked is a clean document; that is, the absence of a macro mark shows that the document contains no macro virus.
The macro mark identifies whether executable macro code exists in the document to be checked. If the document has no macro mark, it has no executable macro code either. Since a macro virus is itself written as macro code, a document without a macro mark contains no executable macro virus, and a macro virus that cannot execute does no damage to the document.
Step 103: convert the macro virus document into a clean document.
In this embodiment, once the document to be checked has been determined to be a macro virus document, the macro virus document is converted into a clean document. A macro virus document is a document infected with a macro virus, and a clean document is a document not infected with a macro virus.
In a preferred embodiment, referring to Fig. 2, which is a flowchart of the method for converting a macro virus document into a clean document, the method may comprise:
Step 201: delete the macro information in the macro virus document, the macro information comprising a macro substream and/or a script stream.
In this embodiment, after the document to be checked is confirmed to be a macro virus document, the macro information in it is deleted; the macro information comprises a macro substream and/or a script stream. The macro substream can be found through the substream attribute directory in the data stream. The substream attribute directory stores the attributes of each substream contained in the data stream, and because a macro substream has a specific attribute, the directory can be queried by that attribute to find out whether the data stream contains a macro substream. Note that the macro substream is part of the data stream, whereas the script stream can be obtained by its name.
In practice, it is determined whether the macro virus document contains a macro substream and/or a script stream, and whatever is found is deleted. Specifically, it can first be determined whether the macro virus document contains a macro substream, deleting it if present, and then whether it contains a script stream, deleting that as well if present. Alternatively, the script stream can be checked first and the macro substream second, and both deleted. The presence of the macro substream and the script stream can also be checked at the same time, and whichever of them is present deleted. Note that the order in which the macro substream and the script stream are checked is not restricted, and the two checks do not affect each other.
Step 202: delete the macro mark in the macro virus document.
In this embodiment, after the document to be checked is confirmed to be a macro virus document, the macro mark in the macro virus document is deleted. The macro mark is deleted in order to remove the condition under which the macro virus code can execute.
Note that the order in which step 201 and step 202 are executed is not restricted; they may also be executed at the same time.
Step 203: determine the macro virus document to be a clean document.
In this embodiment, the macro virus document from which the macro information and the macro mark have been deleted is determined to be a clean document. That is, once the macro information and the macro mark in the infected document have been deleted, the macro virus in that document has been removed: the document no longer contains a macro virus and can be used normally.
In this embodiment, the data stream of the document to be checked is obtained first. It is then decided whether to search for a macro virus at all by checking whether a macro mark is present in the obtained data stream. When a macro mark is present in the data stream, it is determined whether the document to be checked is a macro virus document and, finally, the macro virus document is converted into a clean document. Because the invention scans and cleans only the macro code portion of a computer document, it greatly improves the efficiency of searching for macro viruses. At the same time, only the macro virus information is deleted from the infected document, so the information in the original document is preserved intact and no information is lost.
Further, when no macro mark is present in the data stream, the document to be checked can be determined to be a clean document. Compared with the prior-art method, which determines that a document is clean only after a full-text search finds no virus feature code, the invention improves the efficiency of determining that a computer document is free of macro viruses.
Embodiment two
Referring to Fig. 3, which is a flowchart of the macro virus detection and removal method provided by this embodiment, the method may specifically comprise:
Step 301: preset a macro virus feature group, the macro virus feature group comprising at least one macro virus feature.
In this embodiment, a macro virus feature group comprising at least one macro virus feature is preset. A macro virus feature is a characteristic that distinguishes macro viruses from other types of virus. There are also many kinds of macro virus, and different kinds have different features; that is, a type of macro virus can be identified from its macro virus feature.
Step 302: obtain the data stream of the document to be checked.
Step 302 in this embodiment is the same as step 101 in embodiment one and is not described again here.
Step 303: determine whether a macro mark is present in the data stream; if not, proceed to step 304; if so, proceed to step 305.
In this embodiment, it is first determined whether the obtained data stream contains a macro mark. If it does not, proceed to step 304; otherwise, proceed to step 305.
The manner of looking up the macro mark is not limited by this embodiment. In general, the macro mark is located near the front of the document to be checked, so finding it usually requires traversing only the front part of the document rather than the full text as in the prior art.
Step 304: determine the document to be checked to be a clean document.
In this embodiment, when no macro mark is present in the obtained data stream, the document to be checked can be determined to be a clean document. That is, the absence of a macro mark shows that the document contains no macro virus; more precisely, it contains no executable macro virus capable of damaging the document.
Step 305: determine whether the document to be checked contains any macro virus feature in the macro virus feature group; if so, proceed to step 306.
In this embodiment, after it is determined that the document to be checked contains a macro mark, it is determined whether the document contains any macro virus feature in the macro virus feature group; if so, proceed to step 306.
Referring to Fig. 4, which is a flowchart of one of the methods for determining whether the document to be checked contains any macro virus feature in the macro virus feature group, the method specifically comprises:
Step 401: determine whether the document to be checked contains a macro substream; if so, proceed to step 402; if not, proceed to step 403.
In this embodiment, when the document to be checked contains a macro substream, proceed to step 402; when it does not, proceed to step 403.
In practice, the macro substream is part of the data stream, and the data stream contains a directory holding the attributes of each substream. Because a macro substream has a specific attribute, querying the attribute directory in the data stream shows whether the document to be checked contains a macro substream.
Specifically, how to query whether the document to be checked contains a macro substream is not limited by this embodiment.
Step 402: determine whether the macro substream contains any macro virus feature in the macro virus feature group; if not, proceed to step 403.
In this embodiment, when the document to be checked contains a macro substream, it is determined whether the macro substream contains any macro virus feature in the macro virus feature group, where a macro virus feature may comprise a specific section of macro virus code. If the macro substream contains any macro virus feature in the group, proceed to step 306; otherwise, proceed to step 403.
Step 403: determine whether the document to be checked contains a script stream; if so, proceed to step 404.
In this embodiment, when the document to be checked contains no macro substream, or the macro substream contains no macro virus feature in the macro virus feature group, it is determined whether the document contains a script stream. If it does, proceed to step 404; if not, the document to be checked is a clean document.
In practice, a script stream has a specific name, such as _VBA_PROJECT_CUR, so whether the document to be checked contains a script stream can be determined by querying for the script stream name.
Specifically, how to query whether the document to be checked contains a script stream is not limited by this embodiment.
Step 404: determine whether the script stream contains any macro virus feature in the macro virus feature group.
In this embodiment, when the document to be checked contains a script stream, it is determined whether the script stream contains any macro virus feature in the macro virus feature group. If it does, proceed to step 306; otherwise, the document to be checked is a clean document.
In practice, the code in the script stream is matched against the macro virus features in the macro virus feature group. When any macro virus feature is found in the script stream, the document to be checked is a macro virus document; otherwise, it is a clean document.
Referring to Fig. 5, which is a flowchart of one of the methods for determining whether the document to be checked contains any macro virus feature in the macro virus feature group, the method specifically comprises:
Step 501: determine whether the document to be checked contains a script stream; if so, proceed to step 502; if not, proceed to step 503.
Step 502: determine whether the script stream contains any macro virus feature in the macro virus feature group; if not, proceed to step 503.
Step 503: determine whether the document to be checked contains a macro substream; if so, proceed to step 504.
Step 504: determine whether the macro substream contains any macro virus feature in the macro virus feature group.
The method above differs from that of Fig. 4 only in whether the document to be checked is first checked for a script stream or first checked for a macro substream. The individual steps are therefore similar to those described for Fig. 4 and are not repeated here.
Step 306: convert the macro virus document into a clean document.
Step 306 in this embodiment is the same as step 103 in embodiment one and is likewise not described again here.
In this embodiment, a macro virus feature group comprising at least one macro virus feature is preset. Next, it is decided whether to search for a macro virus at all by checking whether a macro mark is present in the obtained data stream. When a macro mark is present in the data stream, it is determined whether the document to be checked contains a macro substream and a script stream, and then whether the macro substream or the script stream contains any macro virus feature in the macro virus feature group, which establishes whether the document to be checked is a macro virus document or a clean document. Compared with the prior art, matching virus features only against the macro substream and/or script stream is more targeted and improves the efficiency of searching for macro viruses.
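The flow of steps 301 to 306, together with the conversion of steps 201 to 203, as an added Python example that is not code from the patent. The in-memory document model, the `ATTR_MACRO` attribute value, the stream names other than `_VBA_PROJECT_CUR` and the feature byte strings are constructed assumptions standing in for what a real scanner would read from the parsed file.

```python
from dataclasses import dataclass, field

ATTR_MACRO = "macro"                     # assumed attribute value (hypothetical)
SCRIPT_STREAM_NAME = "_VBA_PROJECT_CUR"  # script stream name quoted in the text


@dataclass
class Stream:
    name: str
    attr: str    # this stream's entry in the substream attribute directory
    data: bytes


@dataclass
class Document:
    macro_mark: bool                     # the macro mark of steps 102 / 303
    streams: list = field(default_factory=list)


def macro_substreams(doc):
    """Macro substreams are located by attribute (step 401)."""
    return [s for s in doc.streams if s.attr == ATTR_MACRO]


def script_streams(doc):
    """Script streams are located by name (step 403)."""
    return [s for s in doc.streams if s.name == SCRIPT_STREAM_NAME]


def is_macro_virus(doc, features, script_first=False):
    """Steps 303-305. Returns (infected, hit, names of the streams scanned)."""
    scanned = []
    if not doc.macro_mark:               # step 303 -> 304: nothing is scanned
        return False, None, scanned
    groups = [macro_substreams(doc), script_streams(doc)]   # Fig. 4 order
    if script_first:                                         # Fig. 5 order
        groups.reverse()
    for group in groups:
        for stream in group:
            scanned.append(stream.name)
            for feature in features:
                if feature in stream.data:
                    return True, (stream.name, feature), scanned
    return False, None, scanned


def disinfect(doc):
    """Steps 201-203: drop macro information and the macro mark, keep the rest."""
    kept = [s for s in doc.streams
            if s.attr != ATTR_MACRO and s.name != SCRIPT_STREAM_NAME]
    return Document(macro_mark=False, streams=kept)


def scan_and_clean(doc, features, script_first=False):
    infected, hit, scanned = is_macro_virus(doc, features, script_first)
    if not infected:
        return doc, "clean", hit, scanned
    return disinfect(doc), "disinfected", hit, scanned


# Constructed sample data; the feature strings are placeholders, not real signatures.
FEATURE_A = b"CONSTRUCTED-FEATURE-A"
FEATURE_B = b"CONSTRUCTED-FEATURE-B"
FEATURES = [FEATURE_A, FEATURE_B]
BODY = Stream("WordDocument", "data", b"quarterly report text")

# Body text happens to quote a feature string, but there is no macro mark.
DOC_NO_MARK = Document(False, [Stream("WordDocument", "data", b"notes " + FEATURE_A)])
# Macro mark and a macro substream, but no feature matches: macros are kept.
DOC_BENIGN = Document(True, [BODY, Stream("ThisDocument", ATTR_MACRO, b"Sub Hello()")])
DOC_INFECTED_MACRO = Document(
    True, [BODY, Stream("ThisDocument", ATTR_MACRO, b"Sub X()" + FEATURE_A)])
DOC_INFECTED_SCRIPT = Document(
    True, [BODY, Stream("ThisDocument", ATTR_MACRO, b"Sub Hello()"),
           Stream(SCRIPT_STREAM_NAME, "stream", b"proj" + FEATURE_B)])

if __name__ == "__main__":
    samples = {"no mark": DOC_NO_MARK, "benign macro": DOC_BENIGN,
               "infected macro": DOC_INFECTED_MACRO,
               "infected script": DOC_INFECTED_SCRIPT}
    for label, doc in samples.items():
        cleaned, verdict, hit, scanned = scan_and_clean(doc, FEATURES)
        print(label, verdict, hit, scanned, [s.name for s in cleaned.streams])
```

The first sample shows the difference from a full-text search: the feature bytes sit in the body stream, which is never scanned, so the document is reported clean without reading any stream.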
Embodiment three,
This embodiment of the present invention is described from the perspective of the macro virus detection and removal device. The device may be integrated in a client, and the client may be loaded in a terminal. The terminal may be a smartphone, a tablet computer, an e-book reader, an MP3 (Moving Picture Experts Group Audio Layer III) player, an MP4 (Moving Picture Experts Group Audio Layer IV) player, a laptop computer, a desktop computer, or the like.
Referring to Fig. 6, which is a structural diagram of the macro virus detection and removal device provided by this embodiment, the device specifically comprises:
A first acquisition module 601, configured to obtain the data stream of the document to be checked;
A first judging module 602, configured to judge, when a macro flag exists in the data stream, whether the document to be checked is a macro virus document;
The first judging module 602 is specifically configured to judge, when a macro flag exists in the data stream, whether the document to be checked contains any macro virus feature in the macro virus feature group.
Referring to Fig. 7, which is one of the structural diagrams of the first judging module 602, the module may specifically comprise:
A first judging submodule 701, configured to judge, when the document to be checked contains a macro substream, whether the macro substream contains any macro virus feature in the macro virus feature group;
A second judging submodule 702, configured to judge whether the document to be checked contains a script stream when the document does not contain a macro substream, or when the macro substream does not contain any macro virus feature in the macro virus feature group;
A third judging submodule 703, configured to judge, when the result of the second judging submodule is yes, whether the script stream contains any macro virus feature in the macro virus feature group;
Referring to Fig. 8, which is one of the structural diagrams of the first judging module 602, the module may specifically comprise:
A fourth judging submodule 801, configured to judge, when the document to be checked contains a script stream, whether the script stream contains any macro virus feature in the macro virus feature group;
A fifth judging submodule 802, configured to judge whether the document to be checked contains a macro substream when the document does not contain a script stream, or when the script stream does not contain any macro virus feature in the macro virus feature group;
A sixth judging submodule 803, configured to judge, when the result of the fifth judging submodule is yes, whether the macro substream contains any macro virus feature in the macro virus feature group.
A conversion module 603, configured to convert the macro virus document into a virus-free document when the result of the first judging module is yes.
The conversion module 603 may comprise:
A first deletion submodule, configured to delete the macro information in the macro virus document, the macro information comprising the macro substream and/or the script stream;
A second deletion submodule, configured to delete the macro flag in the macro virus document;
A determination submodule, configured to determine the macro virus document to be a virus-free document.
The device may further comprise:
A presetting module, configured to preset the macro virus feature group, the macro virus feature group comprising at least one macro virus feature.
A determination module, configured to determine the document to be checked to be a virus-free document when no macro flag exists in the data stream.
An embodiment of the present invention further provides a terminal, as shown in Fig. 9. For ease of description, only the parts related to this embodiment are shown; for specific technical details that are not disclosed, refer to the method part of the embodiments of the present invention. The terminal may be any terminal device such as a mobile phone, a tablet computer, a PDA (Personal Digital Assistant), a POS (Point of Sales) terminal, or an in-vehicle computer. The following takes a mobile phone as an example of the terminal:
Fig. 9 is a block diagram of part of the structure of a mobile phone related to the terminal provided by this embodiment. Referring to Fig. 9, the mobile phone comprises components such as a radio frequency (RF) circuit 910, a memory 920, an input unit 930, a display unit 940, a sensor 950, an audio circuit 960, a wireless fidelity (WiFi) module 970, a processor 980 and a power supply 990. Those skilled in the art will understand that the structure shown in Fig. 9 does not limit the mobile phone, which may comprise more or fewer components than shown, combine some components, or arrange the components differently.
Each component of the mobile phone is described below with reference to Fig. 9:
The RF circuit 910 can be used to receive and send signals while information is being sent or received or during a call. In particular, it receives downlink information from a base station and passes it to the processor 980 for processing; it also sends uplink data to the base station. Usually, the RF circuit includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier (LNA), a duplexer, and the like. In addition, the RF circuit 910 can communicate with networks and other devices by radio communication. The radio communication may use any communication standard or protocol, including but not limited to Global System of Mobile communication (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail, Short Messaging Service (SMS), and the like.
The memory 920 can be used to store software programs and modules. The processor 980 performs the various functional applications and data processing of the mobile phone by running the software programs and modules stored in the memory 920. The memory 920 may mainly comprise a program storage area and a data storage area: the program storage area can store the operating system and the application programs needed by at least one function (such as a sound playback function or an image playback function); the data storage area can store data created through use of the mobile phone (such as audio data or a phone book). In addition, the memory 920 may comprise high-speed random access memory and may also comprise nonvolatile memory, such as at least one magnetic disk storage device, a flash memory device, or other volatile solid-state storage devices.
The input unit 930 can be used to receive entered numeric or character information and to generate key signal inputs related to user settings and function control of the mobile phone 900. Specifically, the input unit 930 may comprise a touch panel 931 and other input devices 932. The touch panel 931, also called a touch screen, can collect touch operations by the user on or near it (for example, operations performed by the user on or near the touch panel 931 with a finger, a stylus, or any other suitable object or accessory), and drive the corresponding connection apparatus according to a preset program. Optionally, the touch panel 931 may comprise two parts, a touch detection apparatus and a touch controller. The touch detection apparatus detects the position of the user's touch, detects the signal produced by the touch operation, and sends the signal to the touch controller. The touch controller receives the touch information from the touch detection apparatus, converts it into contact coordinates, and sends them to the processor 980; it can also receive and execute commands sent by the processor 980. The touch panel 931 may be implemented in several types, such as resistive, capacitive, infrared and surface acoustic wave. Besides the touch panel 931, the input unit 930 may also comprise other input devices 932. Specifically, the other input devices 932 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys and a power key), a trackball, a mouse, a joystick, and the like.
The display unit 940 can be used to display information entered by the user or information provided to the user, as well as the various menus of the mobile phone. The display unit 940 may comprise a display panel 941; optionally, the display panel 941 may be configured as a liquid crystal display (LCD), an organic light-emitting diode (OLED) display, or the like. Further, the touch panel 931 may cover the display panel 941. When the touch panel 931 detects a touch operation on or near it, it passes the operation to the processor 980 to determine the type of the touch event, and the processor 980 then provides the corresponding visual output on the display panel 941 according to the type of the touch event. Although in Fig. 9 the touch panel 931 and the display panel 941 are shown as two independent components that implement the input and output functions of the mobile phone, in some embodiments the touch panel 931 and the display panel 941 may be integrated to implement the input and output functions of the mobile phone.
The mobile phone 900 may also comprise at least one sensor 950, such as an optical sensor, a motion sensor, and other sensors. Specifically, the optical sensor may comprise an ambient light sensor and a proximity sensor: the ambient light sensor can adjust the brightness of the display panel 941 according to the brightness of the ambient light, and the proximity sensor can turn off the display panel 941 and/or the backlight when the mobile phone is moved to the ear. As one kind of motion sensor, an accelerometer can detect the magnitude of acceleration in all directions (generally three axes), can detect the magnitude and direction of gravity when stationary, and can be used in applications that recognize the attitude of the mobile phone (such as switching between landscape and portrait, related games, and magnetometer attitude calibration) and in vibration-recognition functions (such as a pedometer or tap detection). Other sensors that may also be configured in the mobile phone, such as a gyroscope, a barometer, a hygrometer, a thermometer and an infrared sensor, are not described further here.
The audio circuit 960, a loudspeaker 961 and a microphone 962 can provide an audio interface between the user and the mobile phone. The audio circuit 960 can convert received audio data into an electrical signal and transmit it to the loudspeaker 961, which converts it into a sound signal for output. Conversely, the microphone 962 converts a collected sound signal into an electrical signal, which the audio circuit 960 receives and converts into audio data; the audio data is then output to the processor 980 for processing and sent through the RF circuit 910 to, for example, another mobile phone, or output to the memory 920 for further processing.
WiFi is a short-range wireless transmission technology. Through the WiFi module 970, the mobile phone can help the user send and receive e-mail, browse web pages, access streaming media, and so on, providing the user with wireless broadband Internet access. Although Fig. 9 shows the WiFi module 970, it is understood that the module is not an essential component of the mobile phone 900 and may be omitted as required without changing the essence of the invention.
The processor 980 is the control center of the mobile phone. It connects the various parts of the whole mobile phone through various interfaces and lines, and performs the various functions of the mobile phone and processes data by running or executing the software programs and/or modules stored in the memory 920 and calling the data stored in the memory 920, thereby monitoring the mobile phone as a whole. Optionally, the processor 980 may comprise one or more processing units. Preferably, the processor 980 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, the user interface, application programs and the like, and the modem processor mainly handles radio communication. It is understood that the modem processor may also not be integrated into the processor 980.
The mobile phone 900 also comprises a power supply 990 (such as a battery) that powers all the components. Preferably, the power supply may be logically connected to the processor 980 through a power management system, so that functions such as charging management, discharging management and power consumption management are implemented through the power management system.
Although not shown, the mobile phone 900 may also comprise a camera, a Bluetooth module and the like, which are not described further here.
Specifically, in this embodiment, the processor 980 in the terminal loads the executable files corresponding to the processes of one or more application programs into the memory 920 according to the following instructions, and runs the application programs stored in the memory 920 to implement various functions:
Obtain the data stream of the document to be checked;
When a macro flag exists in the data stream, judge whether the document to be checked is a macro virus document; if so, convert the macro virus document into a virus-free document.
Preferably, before judging whether the document to be checked is a macro virus document, the method further comprises:
Presetting a macro virus feature group, the macro virus feature group comprising at least one macro virus feature.
Preferably, judging whether the document to be checked is a macro virus document comprises:
Judging whether the document to be checked contains any macro virus feature in the macro virus feature group.
Preferably, judging whether the document to be checked contains any macro virus feature in the macro virus feature group comprises:
When the document to be checked contains a macro substream, judging whether the macro substream contains any macro virus feature in the macro virus feature group;
When the document to be checked does not contain a macro substream, or the macro substream does not contain any macro virus feature in the macro virus feature group, judging whether the document to be checked contains a script stream; if so, judging whether the script stream contains any macro virus feature in the macro virus feature group;
Or,
When the document to be checked contains a script stream, judging whether the script stream contains any macro virus feature in the macro virus feature group;
When the document to be checked does not contain a script stream, or the script stream does not contain any macro virus feature in the macro virus feature group, judging whether the document to be checked contains a macro substream; if so, judging whether the macro substream contains any macro virus feature in the macro virus feature group.
Preferably, the method further comprises:
When no macro flag exists in the data stream, determining the document to be checked to be a virus-free document.
Preferably, converting the macro virus document into a virus-free document comprises:
Deleting the macro information in the macro virus document, the macro information comprising the macro substream and/or the script stream, and deleting the macro flag in the macro virus document;
Determining the macro virus document to be a virus-free document.
In this embodiment, after the data stream of the document to be checked is obtained, whether a macro flag exists in the obtained data stream decides whether to search further for a macro virus. When a macro flag exists in the data stream, it is judged whether the document to be checked is a macro virus document, and once the document is determined to be a macro virus document, it is converted into a virus-free document. This embodiment performs macro virus detection and removal only on the macro code part of a computer document, which greatly improves the efficiency of searching for macro viruses. At the same time, the macro virus information in the infected computer document is deleted, so that the information in the original computer document is preserved intact and loss of information is prevented.
Further, when no macro flag exists in the data stream, the document to be checked can be determined to be a virus-free document. Compared with the prior-art method of determining a document to be virus-free by searching the full text and finding no virus signature code, the present invention improves the efficiency of determining that a computer document contains no macro virus.
Further, the present invention first judges whether the document to be checked contains a macro substream and/or a script stream, and then matches virus features against the macro substream and/or the script stream to determine whether the document is a macro virus document. Compared with the prior art, searching for macro viruses in the macro substream and/or the script stream is more targeted and also improves the efficiency of the search.
Further, the present invention converts a macro virus document into a virus-free document by deleting the macro information and the macro flag in the macro virus document. Compared with the prior-art method of deleting the macro virus document outright, the present invention effectively prevents loss of the information in the original document.
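The scan-then-clean flow described above, modelled in Python as an added example (it is not code from the patent or from the applicant). The `Document` class, the stream names and the byte features are constructed assumptions; a real implementation would read the streams and the macro flag from the document's container format.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed stand-ins for the preset macro virus feature group.
FEATURE_GROUP = (b"SIG-ALPHA-0001", b"SIG-BETA-0002")

# Hypothetical stream names; real names depend on the document format.
MACRO_SUBSTREAM = "macro_substream"
SCRIPT_STREAM = "script_stream"
MACRO_FIRST = (MACRO_SUBSTREAM, SCRIPT_STREAM)   # first variant in the text
SCRIPT_FIRST = (SCRIPT_STREAM, MACRO_SUBSTREAM)  # the "or" variant


@dataclass
class Document:
    """Simplified model: named raw-data streams plus the macro flag."""
    streams: Dict[str, bytes] = field(default_factory=dict)
    macro_flag: bool = False


def match_feature(data: bytes, features=FEATURE_GROUP) -> Optional[bytes]:
    """Return the first feature of the group found in the data, or None."""
    for feature in features:
        if feature in data:
            return feature
    return None


def scan(doc: Document, order=MACRO_FIRST,
         features=FEATURE_GROUP) -> Tuple[str, Optional[str], Optional[bytes]]:
    """Return (verdict, matching stream name, matching feature)."""
    if not doc.macro_flag:
        # No macro flag: treated as virus-free without searching any content.
        return ("no_macro_flag", None, None)
    for name in order:
        data = doc.streams.get(name)
        if data is None:
            continue  # stream absent: fall through to the other stream
        hit = match_feature(data, features)
        if hit is not None:
            return ("macro_virus", name, hit)
    return ("no_match", None, None)


def disinfect(doc: Document) -> Document:
    """Delete the macro information and the macro flag, keep everything else."""
    kept = {n: d for n, d in doc.streams.items() if n not in MACRO_FIRST}
    return Document(streams=kept, macro_flag=False)


def scan_and_clean(doc: Document, order=MACRO_FIRST):
    """Scan, and convert to a virus-free document only on a feature match."""
    verdict, stream, _feature = scan(doc, order)
    if verdict == "macro_virus":
        return verdict, stream, disinfect(doc)
    return verdict, stream, doc


if __name__ == "__main__":
    body = b"quarterly report text"            # constructed sample content
    benign_macro = b"Sub FormatTable()\nEnd Sub"
    samples = {
        "no flag": Document({"body": body}),
        "benign macro": Document({"body": body, MACRO_SUBSTREAM: benign_macro}, True),
        "infected script": Document(
            {"body": body, MACRO_SUBSTREAM: benign_macro,
             SCRIPT_STREAM: b"..SIG-BETA-0002.."}, True),
    }
    for label, doc in samples.items():
        verdict, stream, cleaned = scan_and_clean(doc)
        print(f"{label}: {verdict} (stream={stream}) -> "
              f"streams={sorted(cleaned.streams)} flag={cleaned.macro_flag}")
```

The third sample ends with only the `body` stream and a cleared flag, which is the information-preserving conversion the text contrasts with deleting the whole document.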
It should be noted that the embodiments in this specification are described in a progressive manner: each embodiment focuses on its differences from the other embodiments, and for the parts that are the same or similar the embodiments may be referred to one another. Because the system or device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief; for the relevant parts, see the description of the method.
Because the device embodiment essentially corresponds to the method embodiment, see the description of the method embodiment for the relevant parts. The device embodiment described above is only schematic. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.
It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include" and "comprise", and any other variants of them, are intended to be non-exclusive, so that a process, method, article or device that comprises a series of elements comprises not only those elements but also other elements not expressly listed, or elements inherent to the process, method, article or device. Without further limitation, an element defined by the statement "comprising a ..." does not exclude the existence of other identical elements in the process, method, article or device that comprises the element.
The macro virus detection and removal method and device provided by the embodiments of the present invention have been described in detail above. Specific examples are used herein to explain the principle and the implementation of the present invention, and the description of the above embodiments is only intended to help in understanding the method of the present invention and its core idea. At the same time, those of ordinary skill in the art may, following the idea of the present invention, make changes to the specific implementation and the scope of application. In summary, the content of this description should not be construed as limiting the present invention.

Claims (6)

1. A method for macro virus detection and removal, characterized in that the method comprises:
Obtaining the data stream of a document to be checked, the data stream being the structure of the raw data stored in the document to be checked, the data stream comprising macro information, and the macro information comprising a macro substream and/or a script stream;
Presetting a macro virus feature group, the macro virus feature group comprising at least one macro virus feature;
When a macro flag exists in the data stream, judging whether the document to be checked is a macro virus document, and if so, converting the macro virus document into a virus-free document;
Wherein judging whether the document to be checked is a macro virus document comprises:
When the document to be checked contains a macro substream, judging whether the macro substream contains any macro virus feature in the macro virus feature group;
When the document to be checked does not contain a macro substream, or the macro substream does not contain any macro virus feature in the macro virus feature group, determining, by querying the script stream name, whether the document to be checked contains a script stream, and if so, judging whether the script stream contains any macro virus feature in the macro virus feature group;
Or,
Determining, by querying the script stream name, whether the document to be checked contains a script stream, and when the document to be checked contains a script stream, judging whether the script stream contains any macro virus feature in the macro virus feature group;
When the document to be checked does not contain a script stream, or the script stream does not contain any macro virus feature in the macro virus feature group, judging whether the document to be checked contains a macro substream, and if so, judging whether the macro substream contains any macro virus feature in the macro virus feature group.
2. The method according to claim 1, characterized in that the method further comprises:
When no macro flag exists in the data stream, determining the document to be checked to be a virus-free document.
3. The method according to claim 1, characterized in that converting the macro virus document into a virus-free document comprises:
Deleting the macro information in the macro virus document, the macro information comprising the macro substream and/or the script stream, and deleting the macro flag in the macro virus document;
Determining the macro virus document to be a virus-free document.
4. A device for macro virus detection and removal, characterized in that the device comprises:
A first acquisition module, configured to obtain the data stream of a document to be checked, the data stream being the structure of the raw data stored in the document to be checked, the data stream comprising macro information, and the macro information comprising a macro substream and/or a script stream;
A presetting module, configured to preset a macro virus feature group, the macro virus feature group comprising at least one macro virus feature;
A first judging module, configured to judge, when a macro flag exists in the data stream, whether the document to be checked is a macro virus document;
A conversion module, configured to convert the macro virus document into a virus-free document when the result of the first judging module is yes,
Wherein the first judging module is specifically configured to judge, when a macro flag exists in the data stream, whether the document to be checked contains any macro virus feature in the macro virus feature group, and the first judging module comprises:
A first judging submodule, configured to judge, when the document to be checked contains a macro substream, whether the macro substream contains any macro virus feature in the macro virus feature group;
A second judging submodule, configured to determine, by querying the script stream name, whether the document to be checked contains a script stream when the document does not contain a macro substream, or when the macro substream does not contain any macro virus feature in the macro virus feature group;
A third judging submodule, configured to judge, when the result of the second judging submodule is yes, whether the script stream contains any macro virus feature in the macro virus feature group;
Or,
A fourth judging submodule, configured to judge, when the document to be checked contains a script stream, whether the script stream contains any macro virus feature in the macro virus feature group, wherein whether the document to be checked contains a script stream is determined by querying the script stream name;
A fifth judging submodule, configured to judge whether the document to be checked contains a macro substream when the document does not contain a script stream, or when the script stream does not contain any macro virus feature in the macro virus feature group;
A sixth judging submodule, configured to judge, when the result of the fifth judging submodule is yes, whether the macro substream contains any macro virus feature in the macro virus feature group.
5. The device according to claim 4, characterized in that the device further comprises:
A determination module, configured to determine the document to be checked to be a virus-free document when no macro flag exists in the data stream.
6. The device according to claim 4, characterized in that the conversion module comprises:
A first deletion submodule, configured to delete the macro information in the macro virus document, the macro information comprising the macro substream and/or the script stream;
A second deletion submodule, configured to delete the macro flag in the macro virus document;
A determination submodule, configured to determine the macro virus document to be a virus-free document.
CN201310175309.XA 2013-05-13 2013-05-13 A kind of method and apparatus of macrovirus killing Active CN103246847B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201310175309.XA CN103246847B (en) 2013-05-13 2013-05-13 A kind of method and apparatus of macrovirus killing
TW102146233A TW201443683A (en) 2013-05-13 2013-12-13 Apparatus and method for searching and deleting macro virus
PCT/CN2013/089563 WO2014183434A1 (en) 2013-05-13 2013-12-16 Method and device for removing macro virus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310175309.XA CN103246847B (en) 2013-05-13 2013-05-13 A kind of method and apparatus of macrovirus killing

Publications (2)

Publication Number Publication Date
CN103246847A CN103246847A (en) 2013-08-14
CN103246847B true CN103246847B (en) 2016-03-23

Family

ID=48926361

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310175309.XA Active CN103246847B (en) 2013-05-13 2013-05-13 A kind of method and apparatus of macrovirus killing

Country Status (3)

Country Link
CN (1) CN103246847B (en)
TW (1) TW201443683A (en)
WO (1) WO2014183434A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103246847B (en) * 2013-05-13 2016-03-23 腾讯科技(深圳)有限公司 A kind of method and apparatus of macrovirus killing
CN105488410A (en) * 2015-05-19 2016-04-13 哈尔滨安天科技股份有限公司 Detection method and system of excel macro sheet virus
CN107025407A (en) * 2017-03-22 2017-08-08 国家计算机网络与信息安全管理中心 The malicious code detecting method and system of a kind of office document files
CN109033831A (en) * 2018-06-22 2018-12-18 珠海市君天电子科技有限公司 A kind of method for detecting virus, device, electronic equipment and storage medium
CN111191233A (en) * 2019-07-31 2020-05-22 腾讯科技(深圳)有限公司 Macro virus processing method, macro virus processing device and storage medium
CN111400707A (en) * 2020-03-10 2020-07-10 深信服科技股份有限公司 File macro virus detection method, device, equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5951698A (en) * 1996-10-02 1999-09-14 Trend Micro, Incorporated System, apparatus and method for the detection and removal of viruses in macros
CN101547126A (en) * 2008-03-27 2009-09-30 北京启明星辰信息技术股份有限公司 Network virus detecting method based on network data streams and device thereof
CN102694801A (en) * 2012-05-21 2012-09-26 华为技术有限公司 Method and device for detecting virus and firewall equipment
CN102841999A (en) * 2012-07-16 2012-12-26 北京奇虎科技有限公司 Method and device for detecting macro virus of files

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6577920B1 (en) * 1998-10-02 2003-06-10 Data Fellows Oyj Computer virus screening
US6697950B1 (en) * 1999-12-22 2004-02-24 Networks Associates Technology, Inc. Method and apparatus for detecting a macro computer virus using static analysis
US7210041B1 (en) * 2001-04-30 2007-04-24 Mcafee, Inc. System and method for identifying a macro virus family using a macro virus definitions database
CN103246847B (en) * 2013-05-13 2016-03-23 腾讯科技(深圳)有限公司 A kind of method and apparatus of macrovirus killing

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5951698A (en) * 1996-10-02 1999-09-14 Trend Micro, Incorporated System, apparatus and method for the detection and removal of viruses in macros
CN101547126A (en) * 2008-03-27 2009-09-30 北京启明星辰信息技术股份有限公司 Network virus detecting method based on network data streams and device thereof
CN102694801A (en) * 2012-05-21 2012-09-26 华为技术有限公司 Method and device for detecting virus and firewall equipment
CN102841999A (en) * 2012-07-16 2012-12-26 北京奇虎科技有限公司 Method and device for detecting macro virus of files

Also Published As

Publication number Publication date
TW201443683A (en) 2014-11-16
CN103246847A (en) 2013-08-14
WO2014183434A1 (en) 2014-11-20

Similar Documents

Publication Publication Date Title
CN103246847B (en) A kind of method and apparatus of macrovirus killing
CN103716331B (en) Method, terminal, server and system for numerical value transfer
CN104518953A (en) Message deleting method, instant messaging terminal and system
CN104978115A (en) Content display method and device
CN103942113A (en) System restarting reason detection method, device and terminal equipment
CN104519485A (en) Communication method between terminals, devices and system
CN103258163B (en) A kind of script virus recognition methods, Apparatus and system
CN104572430A (en) Method, device and system for testing terminal application interface
CN104301315A (en) Method and device for limiting information access
CN104281394A (en) Method and device for intelligently selecting words
CN104238893A (en) Video preview image displaying method and device
CN104426963A (en) Terminal associating method and terminal
CN105530239A (en) Multimedia data obtaining method and device
CN104123276A (en) Method, device and system for intercepting popup windows in browser
CN106502824A (en) Data back up method and Cloud Server
CN103607377B (en) Information sharing method, Apparatus and system
CN103327029B (en) A kind of detection method of malice network address and equipment
CN105512150A (en) Method and device for information search
CN104699501A (en) Method and device for running application program
CN103944922B (en) Data processing method, terminal, server and system
CN104836717A (en) Data processing method and apparatus, and terminal equipment
CN104391629A (en) Method for sending message in orientation manner, method for displaying message, server and terminal
CN103310155B (en) A kind of method and apparatus searching viral parent
CN104702643A (en) A webpage access method, device and system
CN104580251A (en) Method and device for authorized fast logging

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant