CN103425927A - Device and method for removing viruses of computer documents - Google Patents

Info

Publication number: CN103425927A
Authority: CN (China)
Legal status: Pending
Application number: CN2012101511700A
Other languages: Chinese (zh)
Inventors: 于涛, 白子潘
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN2012101511700A
Publication of CN103425927A

Abstract

The invention relates to a device and a method for removing viruses from computer documents. The device comprises a memory, a scanning module and a replacing module. The memory is used for storing feature codes of known viruses in advance; the scanning module is used for scanning a computer document according to the virus feature codes to determine whether it contains virus code; the replacing module is used for replacing the virus code in the computer document with safe code when the scanning module finds virus code. Because the virus code is replaced with safe code rather than deleted, the repair success rate for computer documents can be increased, and safe, reliable operation of the computer device can be ensured.

Description

Computer document virus removal device and removal method
Technical field
The present invention relates to the field of computer security technology, and in particular to a device and a method for removing viruses from computer documents.
Background
At present, most users' computers store a large number of documents, such as Word documents and Excel spreadsheets, and these documents usually hold information that is very important to the user. When a user's computer is infected by a destructive virus, for example a macro virus, these documents, such as Office documents, are usually also injected with malicious scripts such as macro viruses. If the user opens an Office document infected by a macro virus, the malicious script is executed and causes the computer to behave abnormally, for example by automatically logging in to malicious websites or deleting documents stored on the computer, thereby threatening the security of the user's computer and causing the user great mental and financial loss.
To prevent computer documents from being infected and suffering heavy losses, current methods for removing this kind of virus mostly delete the virus code directly. Although this removal method eliminates the harm caused by the virus, it changes the original structure of the document. After the virus is removed, the whole document therefore has to be laid out again according to the original format. This may well result in an incorrect document layout, so that the document cannot be opened, which in turn also causes loss to the user.
Summary of the invention
The invention therefore provides a computer document virus removal device and removal method to overcome the problems of existing computer document virus removal techniques.
Specifically, a computer document virus removal device proposed by an embodiment of the present invention comprises a memory, a scanning module and a replacing module. The memory is used for storing feature codes of known viruses in advance; the scanning module is used for scanning a computer document according to the virus feature codes to determine whether it contains virus code; the replacing module is used for replacing the virus code in the computer document with safe code when the scanning module finds virus code.
In an embodiment of the present invention, the device further comprises, for example, a detection module for detecting whether host code is present in the computer document; the scanning module scans the computer document only when host code is present. The host code is, for example, macro code. The safe code is, for example, the space character.
In addition, a computer document virus removal method proposed by an embodiment of the present invention comprises the steps of: scanning a computer document according to virus feature codes to determine whether it contains virus code; and, when virus code is found, replacing the virus code in the computer document with safe code.
In an embodiment of the present invention, the method further comprises, for example, the step of detecting whether host code is present in the computer document, the computer document being scanned only when host code is present. The host code is, for example, macro code. The safe code is, for example, the space character.
As the above embodiments show, the present invention replaces the virus code in a computer document with safe code, for example space characters, when virus code is found, so that the harm of the virus is completely removed and a 100% repair success rate for the computer document can be ensured. The result also conforms to the layout rules of the computer document, so that the user's computer document suffers no damage.
The above is only an overview of the technical solution of the present invention. So that the technical means of the invention can be better understood and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the invention become more apparent, preferred embodiments are described in detail below with reference to the accompanying drawings.
Brief description of the drawings
Fig. 1 is the main block diagram of the computer document virus removal device proposed by an embodiment of the present invention.
Fig. 2 is a schematic diagram of the compressed macro code in a computer document infected by a macro virus.
Fig. 3 is a schematic diagram of the macro code in the computer document of Fig. 2 after the macro virus has been removed.
Fig. 4 is a flow chart of the steps of the computer document virus removal method proposed by an embodiment of the present invention.
Fig. 5 is a flow chart of the steps of the computer document virus removal method proposed by another embodiment of the present invention.
Detailed description
To further explain the technical means adopted by the present invention to achieve its intended purpose, and their effects, the embodiments, structure, features and effects of the computer document virus removal device and removal method proposed by the invention are described in detail below with reference to the accompanying drawings and preferred embodiments.
The foregoing and other technical content, features and effects of the present invention will be presented clearly in the following detailed description of the preferred embodiments with reference to the drawings. The description of the embodiments gives a deeper and more concrete understanding of the technical means adopted by the invention to achieve its intended purpose and of their effects; the accompanying drawings, however, are provided only for reference and illustration and are not intended to limit the invention.
Fig. 1 is the main block diagram of the computer document virus removal device proposed by an embodiment of the present invention. Fig. 2 is a schematic diagram of the compressed macro code in a computer document infected by a macro virus. Fig. 3 is a schematic diagram of the macro code in the computer document of Fig. 2 after the macro virus has been removed. Referring to Fig. 1 to Fig. 3 together, the computer document virus removal device comprises a scanning module 12, a replacing module 13 and a memory 15. The device can also comprise a detection module 11 in order to integrate more functions.
More specifically, the memory 15 is used for storing feature codes of known viruses in advance, for example some or all of the feature codes of macro viruses.
The detection module 11 is used for detecting whether host code is present in a computer document, for example the computer document shown in Fig. 2. The host code is, for example, executable code stored in the computer document; a macro virus can only be loaded when host code is present. When host code is present it can therefore be regarded as suspect code, which may carry virus code such as a macro virus. If the computer document is an Office document, the host code is macro code: if the detection module 11 detects macro code in the Office document, it judges this macro code to be suspect code that may carry a macro virus. Otherwise, if the detection module 11 detects no macro code in the Office document, it judges that the Office file contains no macro virus. In other embodiments the detection module 11 can be omitted according to actual needs.
The scanning module 12 is used for scanning the computer document according to the virus feature codes to determine whether it contains virus code. For example, when host code is present in the computer document, the scanning module can scan the host code, for example macro code, and compare this macro code with the feature codes of known viruses stored in advance in the memory 15. If the macro code contains code identical to a virus feature code, that code is judged to be virus code, that is, the computer document is infected. Otherwise, if the macro code matches none of the virus feature codes, the code is judged not to be virus code, that is, the computer document is not infected.
If the computer document virus removal device is not provided with the detection module 11, the scanning module 12 scans the code of the computer document and compares this code with the feature codes of known viruses stored in advance in the memory 15. If the code contains code identical to a virus feature code, the computer document is infected. Otherwise, if the code matches none of the virus feature codes, the computer document is not infected.
The replacing module 13 is used for replacing the virus code in the computer document, for example an Office document, with safe code when the scanning module 12 finds virus code. The safe code is obtained, for example, by compressing safe characters according to the compression format of the Office document, so that the safe code still conforms to the compression algorithm rules of the Office document. The safe character can be, for example, any ASCII character; the more common choices are the space, the null character, the asterisk * and so on, whose ASCII code values are 32, 0 and 42 respectively, that is, 0x20, 0x00 and 0x2A in hexadecimal. A combination of safe characters can also be used.
Fig. 3 is a schematic diagram of the macro code in the Office document of Fig. 2 after the macro virus code has been removed. Fig. 3 shows the binary data of the Office document (displayed in hexadecimal) after the macro virus has been removed; it can be seen that what was originally macro virus code has all been replaced by spaces. The ASCII code value of the space is 32, which is displayed as 20 in hexadecimal. This approach does not change the original structure of the Office document; the only difference from before the removal is that the decoded virus code has been replaced by spaces.
Here, after the virus has been removed from the decompressed code, the code that originally carried the virus is entirely replaced by safe code, for example space characters, so the threat of the macro virus is thoroughly eliminated. In addition, because only the originally compressed virus code is replaced with space characters, the result also conforms to the layout rules of the computer document, for example the compression algorithm rules of the Office document; the original structure of the computer document is not changed and the original Office document format is not affected, which guarantees a 100% repair success rate for the computer document.
Referring to Fig. 1 to Fig. 4, Fig. 4 is a flow chart of the steps of the computer document virus removal method proposed by an embodiment of the present invention. Specifically, the method of this embodiment can roughly comprise the following steps S202-S209.
Step S202: The detection module 11 detects whether host code, for example macro code, is present in the computer document, for example in the compressed macro code of the Office file shown in Fig. 2, and thereby judges whether the Office file contains suspect code, that is, code that may carry a virus, for example macro virus code. If the computer document is an Office file, the host code is macro code: if the detection module 11 detects macro code in the Office file, step S203 is carried out; if the detection module 11 detects no macro code in the Office file, step S205 is carried out.
Step S203: The detection module 11 judges this host code, for example macro code, to be suspect code that may carry a virus, for example a macro virus, and step S206 is carried out.
Step S205: The detection module 11 judges that the computer document, for example the Office file, contains no virus, and the procedure ends.
Step S206: The scanning module 12 scans the host code in the computer document, for example macro code, and compares this macro code with the feature codes of known viruses stored in advance in the memory 15. If the macro code contains code identical to a virus feature code, step S207 is carried out; if the macro code matches none of the virus feature codes, step S208 is carried out.
Step S207: The scanning module 12 judges this code to be virus code, that is, the computer document is infected, and step S209 is carried out.
Step S208: The scanning module 12 judges that this code is not virus code, that is, the computer document is not infected, and the procedure ends.
Step S209: The replacing module 13 replaces the virus code in the computer document with safe code, for example space characters.
In other embodiments, when the computer document virus removal device of the embodiment is not provided with the detection module 11, step S202 can be omitted accordingly.
Referring to Fig. 1 to Fig. 5, Fig. 5 is a flow chart of the steps of the computer document virus removal method proposed by another embodiment of the present invention. Fig. 5 differs from Fig. 4 in that it covers the case where the computer document virus removal device is not provided with the detection module 11. Specifically, the method of this embodiment can roughly comprise the following steps S306-S309.
Step S306: The scanning module 12 scans the code in the computer document and compares this code with the feature codes of known viruses stored in advance in the memory 15 to judge whether it is virus code. If the code contains code identical to a virus feature code, step S307 is carried out; if the code matches none of the virus feature codes, step S308 is carried out.
Step S307: The scanning module 12 judges this code to be virus code, that is, the computer document is infected, and step S309 is carried out.
Step S308: The scanning module 12 judges that this code is not virus code, that is, the computer document is not infected, and the procedure ends.
Step S309: The replacing module 13 replaces the virus code in the computer document with safe code, for example space characters.
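The two flows above (steps S202-S209 with the detection module, steps S306-S309 without it) can be illustrated with the following Python example, which is added here and is not code from the patent. It works on macro code that has already been decompressed; the feature codes, the sample macro and all function names are constructed for the illustration, and writing the cleaned code back in the document's compressed storage format is assumed to happen elsewhere.

```python
from dataclasses import dataclass

SAFE_BYTE = 0x20  # space, one of the safe characters named in the description

# Constructed feature codes for illustration only; a real device would load
# them from its store of known virus feature codes (memory 15).
FEATURE_CODES = {
    "Demo.MacroA": b"Sub AutoOpen_Infect()",
    "Demo.MacroB": b"NormalTemplate.VBProject",
}

# Constructed sample of decompressed macro code: one flagged routine, one benign.
SAMPLE = (b"Sub AutoOpen_Infect()\r\n"
          b"  Set t = NormalTemplate.VBProject\r\n"
          b"End Sub\r\n"
          b"Sub FormatReport()\r\nEnd Sub\r\n")


@dataclass
class CleanResult:
    infected: bool
    matches: list   # (name, start, end) for every feature-code hit
    data: bytes     # cleaned macro code, same length as the input


def has_host_code(macro_code):
    """Step S202: without macro code there is nothing a macro virus can live in."""
    return len(macro_code.strip()) > 0


def scan(macro_code, feature_codes=FEATURE_CODES):
    """Steps S206/S306: find every occurrence of every known feature code."""
    hits = []
    for name, sig in feature_codes.items():
        pos = macro_code.find(sig)
        while pos != -1:
            hits.append((name, pos, pos + len(sig)))
            pos = macro_code.find(sig, pos + 1)
    return sorted(hits, key=lambda h: h[1])


def replace_with_safe_code(macro_code, hits):
    """Steps S209/S309: overwrite matched spans in place; nothing is deleted."""
    buf = bytearray(macro_code)
    for _, start, end in hits:
        buf[start:end] = bytes([SAFE_BYTE]) * (end - start)
    # Same length means every offset of the remaining code stays valid.
    assert len(buf) == len(macro_code)
    return bytes(buf)


def clean(macro_code, detect=True):
    """detect=True follows Fig. 4; detect=False follows Fig. 5 (no detection module)."""
    if detect and not has_host_code(macro_code):
        return CleanResult(False, [], macro_code)        # S205: no virus
    hits = scan(macro_code)
    if not hits:
        return CleanResult(False, [], macro_code)        # S208/S308: not infected
    return CleanResult(True, hits, replace_with_safe_code(macro_code, hits))


if __name__ == "__main__":
    result = clean(SAMPLE)
    print(result.infected, result.matches)
    print(result.data.hex(" "))  # replaced spans show up as runs of 20
```

The hex dump printed at the end corresponds to what Fig. 3 is described as showing: the flagged spans appear as runs of `20` while the surrounding bytes keep their original offsets.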
In summary, the present invention uses the scanning module 12 to compare the code in a computer document with the feature codes of known viruses stored in advance in the memory 15, and then uses the replacing module 13 to replace the virus code in the computer document with safe code, for example space characters, so that the harm of the virus is completely removed and a 100% repair success rate for the computer document can be ensured. The result also conforms to the layout rules of the computer document, for example its compression algorithm rules, so that the user's computer document suffers no damage. The invention thereby achieves automatic identification and automatic removal of computer document viruses and automatic repair of computer documents, effectively prevents further infection and damage by computer document viruses, improves the repair success rate for computer documents, and ensures safe, reliable operation of the computer device.
The above are only preferred embodiments of the present invention and do not limit the invention in any form. Although the invention has been disclosed above by way of preferred embodiments, these are not intended to limit it. Any person skilled in the art may, without departing from the scope of the technical solution of the invention, use the technical content disclosed above to make minor changes or modifications that amount to equivalent embodiments; any simple modification, equivalent change or refinement made to the above embodiments according to the technical essence of the invention, without departing from the content of its technical solution, still falls within the scope of the technical solution of the invention.

Claims (8)

1. A computer document virus removal device, comprising:
a memory, for storing feature codes of known viruses in advance; and
a scanning module, for scanning a computer document according to the virus feature codes to determine whether it contains virus code;
characterized in that the virus removal device further comprises:
a replacing module, for replacing the virus code in the computer document with safe code when the scanning module finds virus code.
2. The virus removal device according to claim 1, characterized in that the virus removal device further comprises:
a detection module, for detecting whether host code is present in the computer document, the scanning module scanning the computer document only when host code is present in the computer document.
3. The virus removal device according to claim 2, characterized in that the host code is macro code.
4. The virus removal device according to claim 1, characterized in that the safe code is the space character.
5. A computer document virus removal method, characterized by comprising the steps of:
scanning a computer document according to virus feature codes to determine whether it contains virus code; and
when virus code is found, replacing the virus code in the computer document with safe code.
6. The virus removal method according to claim 5, characterized in that, before the step of scanning the computer document according to the virus feature codes to determine whether it contains virus code, the method further comprises the step of:
detecting whether host code is present in the computer document, the computer document being scanned only when host code is present in the computer document.
7. The virus removal method according to claim 5, characterized in that the host code is macro code.
8. The virus removal method according to claim 5, characterized in that the safe code is the space character.
CN2012101511700A 2012-05-16 2012-05-16 Device and method for removing viruses of computer documents Pending CN103425927A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2012101511700A CN103425927A (en) 2012-05-16 2012-05-16 Device and method for removing viruses of computer documents

Publications (1)

Publication Number Publication Date
CN103425927A true CN103425927A (en) 2013-12-04

Family

ID=49650649

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20131204