CN102419803B - Method, system and device for searching and killing computer virus - Google Patents

Info

Publication number: CN102419803B
Authority: CN (China)
Prior art keywords: image data, mirror image, virtual machine, virus, type
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201110338866.XA
Other languages: Chinese (zh)
Other versions: CN102419803A (en
Inventor: 王奇飞
Current Assignee: Chengdu Huawei Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Huawei Symantec Technologies Co Ltd
Application filed by Huawei Symantec Technologies Co Ltd
Priority to CN201110338866.XA
Publication of CN102419803A
Application granted
Publication of CN102419803B

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a method, a system and a device for searching and killing a computer virus in order to solve the problem that a virus searching and killing process for a virtual machine is complicated in the prior art. The method comprises the following steps of: acquiring a storage position of virtual machine mirror image data by a virus searching and killing server; mounting the mirror image data of the virtual machine according to the storage position of the virtual machine mirror image data and mapping the mirror image data as a virtual disk in the virus searching and killing server; running a virus scanning engine and scanning the virtual disk according to characteristics of known viruses in a virus characteristic base; and if viruses are found by scanning, removing the viruses. In the scheme, antivirus software is not required to be installed in the virtual machine and antivirus operation is not needed to be performed by a user; therefore, operation of the user is simplified greatly.

Description

Computer virus checking and killing method, system and device
Technical field
The present invention relates to the field of computer and communication technology, and in particular to a computer virus scanning and removal method, a computer virus scanning and removal system, and a computer virus scanning and removal device.
Background
Cloud computing refers to a delivery and usage model for information technology infrastructure in which users obtain the resources they need over the network, on demand and in an easily scalable way. The term also extends to the delivery and usage model of services, in which users obtain the services they need over the network in the same on-demand, easily scalable way. The core idea of cloud computing is to centrally manage and schedule a large number of network-connected resources (here, storage resources, computing resources and various application software), forming a resource pool that serves users on demand. The network that provides the resources is called the "cloud".
Cloud computing is an important application scenario for hardware virtualization. Hardware virtualization creates one or more virtual machines on a physical host, so that several or even dozens of virtual machines can share the hardware resources of one physical host. A cloud service provider rents out many virtual machines to users (these virtual machines may be distributed across different physical hosts); when they are all running, they effectively form a huge computer cluster network. If one of the virtual machines carries a computer virus, the virus may spread to other virtual machines in the cluster network, causing network congestion, information theft, network connection failures and so on.
The prior art offers two solutions for scanning for and removing viruses in virtual machines. In the first, the user installs antivirus software in the virtual machine and runs it there, much as on an ordinary host. In the second, the user visits, from the virtual machine's browser, an online antivirus website provided by an antivirus vendor and installs a browser plug-in (such as an ActiveX control or Java applet) as prompted by the page; on later visits, online scanning is carried out through message exchange between the browser plug-in and the website.
In the course of making the present invention, the inventor found that the prior art has at least the following defect: both approaches require an antivirus client to be installed in the virtual machine, and the user must choose suitable antivirus software or a suitable online antivirus website. This demands considerable skill from the user and is cumbersome.
Summary of the invention
An embodiment of the present invention provides a computer virus scanning and removal method to solve the problem that virus scanning and removal for virtual machines is cumbersome in the prior art.
Accordingly, an embodiment of the present invention also provides a computer virus scanning and removal device.
The technical solutions provided by the embodiments of the present invention are as follows:
A computer virus scanning and removal method, comprising:
A virus scanning server obtains the storage location of the image data of a virtual machine;
The image data of the virtual machine is mounted according to its storage location, and the image data is mapped to a virtual disk in the file system of the virus scanning server;
A virus scanning engine is run and scans the virtual disk according to the signatures of known viruses in a virus signature database; if the scan finds a virus, the corresponding antivirus program is called to remove it.
A computer virus scanning and removal device, comprising:
An image data acquisition module, for obtaining the storage location of the image data of a virtual machine;
A mounting module, for mounting the image data of the virtual machine according to its storage location and mapping the image data to a virtual disk in the file system of the virus scanning server;
A scan execution module, for triggering the virus scanning engine after the mounting module has mounted the image data, and scanning the virtual disk according to the signatures of known viruses in the virus signature database;
A virus removal execution module, for calling the corresponding antivirus program to remove the virus if the scan execution module's scan finds one.
In the technical solution of the embodiments, the virus scanning server first mounts the image data of the virtual machine and then scans the virtual disk to which the mounted image data is mapped; when the scan finds a virus, it calls the corresponding antivirus program to remove it, thereby scanning and cleaning the virtual machine. In this solution no antivirus software has to be installed in the virtual machine and the user does not have to perform any antivirus operation, which greatly simplifies things for the user.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings used in describing them are briefly introduced below. The drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flow chart of the main implementation principle of an embodiment of the present invention;
Fig. 2a is a schematic diagram of the deployment environment of the computer virus scanning and removal system provided by an embodiment of the present invention;
Fig. 2b is a schematic diagram of image data stored in the first kind of distributed storage device in an embodiment of the present invention;
Fig. 2c is a schematic diagram of image data stored in the second kind of distributed storage device in an embodiment of the present invention;
Fig. 3 is a detailed flow chart of the computer virus scanning and removal method provided by an embodiment of the present invention;
Fig. 4 is a structural diagram of a computer virus scanning and removal device provided by an embodiment of the present invention;
Fig. 5 is a structural diagram of the mounting module in the computer virus scanning and removal device provided by an embodiment of the present invention;
Fig. 6 is a structural diagram of the determining unit in the computer virus scanning and removal device provided by an embodiment of the present invention.
Embodiments
Besides being cumbersome for the user and carrying a higher virus-removal risk, the prior art also makes antivirus coverage hard to control, because it is unrealistic to expect every virtual machine user to install antivirus software on their own initiative; if some users do not install it as required, computer viruses can still spread through the network. In addition, when antivirus software is installed inside virtual machines, updating and maintaining the antivirus software in each virtual machine is also hard to control.
To solve these problems of the prior art, the embodiments of the present invention provide a method and a system for scanning for and removing computer viruses. In these embodiments, "computer virus" is used in a broad sense and covers all kinds of malicious code, such as Trojans and rogue programs.
The main implementation principle, the specific implementations and the achievable benefits of the technical solutions of the embodiments are explained in detail below with reference to the drawings.
As shown in Fig. 1, the main implementation flow of the embodiment is as follows:
Step 10: the virus scanning server obtains the storage location of the image data of a virtual machine.
Image data is the static stored form of a virtual machine instance and contains the virtual machine's operating system files, user files and so on. In a cloud computing infrastructure, the storage resources and the running resources of a virtual machine may be located on different physical entities. When a virtual machine is allocated to a user, the physical host that starts the virtual machine does so by loading that virtual machine's image data.
The payload data in the image data (the virtual machine's operating system files, user files and so on) is stored in the same way as data on a personal computer, with the same field definitions for the physical disk sectors that hold the data. The difference is that different virtual machine vendors wrap the payload data, adding a header to produce new image data; some vendors also apply processing such as compression to the image data.
Step 20: the virus scanning server mounts the image data of the virtual machine according to its storage location and maps the image data to a virtual disk in the file system of the virus scanning server.
The form of the result of the mount operation differs between operating systems. In this embodiment, a virtual disk means a storage object that the operating system of the virus scanning server can recognize.
If the virus scanning server runs a Windows-family operating system, the image data is mapped to a drive in the server's file system once mounting completes; if it runs a Linux- or UNIX-family operating system, the image data is mapped to a block device in the server's file system. Whether it is a drive or a block device, the subsequent operations work in essentially the same way.
Step 30: the virus scanning server runs the virus scanning engine and scans the drive or block device; if the scan finds a virus, the virus is removed.
Optionally, a further step precedes step 10. Once a virtual machine is active (that is, it has been started), its image data may be modified in real time. If the image data were mounted and the mapped drive or block device scanned at that point, the scan result could not be guaranteed to reflect the security state of the image data as modified in real time, and the performance of the virtual machine might also be affected. Therefore, before step 10, the method also comprises:
The virus scanning server obtains the current working state of the virtual machine, which is active, suspended or shut down, and determines that the current working state of the virtual machine is inactive.
That is, the virus scanning server selects virtual machines whose current working state is inactive and performs steps 10 to 30 on them.
Further, in step 20, after obtaining the storage location of the image data, the virus scanning server determines the format type of the image data and then calls the mount program corresponding to that type to mount the image data. The specific ways of determining the image data type are described in detail in the embodiment below.
Optionally, so that users, and in particular users of virtual machines in which the scan found a virus, learn the security state of their virtual machine promptly, the method also comprises, after step 30: the virus scanning server notifies the virtual machine user that the scan found a virus. For example, the server sends a notification e-mail carrying the information that the scan found a virus to the user's mailbox, or sends a notification message carrying that information to the user's terminal device.
An embodiment is now described in detail, following the principle above, to explain and illustrate the main implementation principle of the method.
Fig. 2a is a schematic diagram of the deployment environment of the computer virus scanning and removal system provided by an embodiment of the present invention. The system comprises at least one virus scanning server, at least one elastic computing controller, at least one physical host and a distributed storage device. The elastic computing controller is a core component of existing cloud computing infrastructure: it is the hub that manages storage resources, computing resources and other resources. The management list it stores holds information such as the identifier of the physical host used to start each virtual machine and the storage address of the image data of each virtual machine instance, as shown in Table 1. When a virtual machine is allocated to a user, the controller reads this management list and instructs the physical host that starts the virtual machine to read the image data from its storage address and load it, thereby starting the virtual machine.
In this embodiment, the image data of each virtual machine is stored in a distributed storage device; a storage area network (SAN, Storage Area Network) and network attached storage (NAS, Network Attached Storage) are used as examples of distributed storage devices.
How image data is stored depends on the type of the distributed storage device. On a SAN, virtual machine image data is hard disk sector data in a designated storage space (the virtual machine image data area). Other devices, such as the physical host that starts the virtual machine, can access the image data area of the virtual machine to be started by carrying an "IP address + port number" in the access request; each "IP address + port number" corresponds to one storage area on the SAN, as shown in Fig. 2b.
On a NAS, virtual machine image data is an image file under a designated storage path. Other devices, such as the physical host that starts the virtual machine, can access the image file of the virtual machine to be started through the Network File System (NFS), as shown in Fig. 2c.
In Table 1, the image data of virtual machines VM1 and WM2 is stored on the NAS, and the image data of virtual machine VM3 is stored on the NAS.
Note that Fig. 2a shows one example of a cloud computing infrastructure. The computer virus scanning and removal method provided by the embodiments also applies to other architectures, for example ones in which a management database maintains the correspondence between virtual machine identifiers and image data addresses.
Table 1
Fig. 3 is a detailed flow chart of the computer virus scanning and removal method provided by an embodiment of the present invention.
Step 301: the virus scanning server starts a scan task.
Optionally, the virus scanning server starts scan tasks periodically according to its configuration, for example once a week. A scan task can also be started in a period when most virtual machines are inactive, for example from 23:00 at night to 6:00 in the morning. The working state of the virtual machines can be obtained from historical statistics.
Step 302: the virus scanning server reads the current working state of each virtual machine from the elastic computing controller. The working state of a virtual machine is active, suspended or shut down; inactive means suspended or shut down.
The virus scanning server can process the virtual machines in parallel or serially, performing steps 303 to 311 for each; virtual machine WM1 is used as the example here.
Step 303: the virus scanning server determines whether the virtual machine is active. If it is active, no virus scan is performed on it; if it is inactive, the flow proceeds to step 304.
Optionally, if the virtual machine is active, the virus scanning server can read its working state again after waiting for a set period. The period is set from empirical statistics, for example reading the working state again after waiting 2 hours.
In this embodiment, the current working state of WM1 is shut down.
Step 304: the virus scanning server obtains the storage location of the virtual machine's image data.
Optionally, in this embodiment, the virus scanning server exchanges messages with the elastic computing controller to obtain, from the controller's management list, the storage location of the image data corresponding to virtual machine WM1. In a SAN system the storage location is the address of the image data area; in a NAS system it is the storage path of the image file.
In other forms of cloud computing infrastructure, the storage location can be obtained from the database that maintains the correspondence between virtual machine identifiers and image data addresses.
Step 305: the virus scanning server determines the data format type of the virtual machine's image data.
Optionally, the ways of determining the data format type of the image data include, but are not limited to:
Mode one:
The virus scanning server first tests, according to the storage location of the image data, whether the header of the image data can be read successfully.
If the header can be read, the data format type of the image data is determined from it. For example, following the definition of the image data format, the data format type field in the header is read from the storage address and compared with each type identifier; if it matches one, the image data is of the data format type corresponding to that identifier. Image data types include QCOW (QEMU Copy-on-write), VMDK (VMWare Virtual Machine Disk Format), VHD (Microsoft Virtual Hard Disk format), VDI (Sun xVM VirtualBox Virtual Disk Images) and others, and one virtual machine system may be compatible with several image data types.
If the header cannot be read, the server tests whether the image data can be parsed as RAW format; if parsing succeeds, the data format type is RAW; otherwise the image data type cannot be identified and mounting fails. RAW-format image data is stored in the same way as data on a personal computer: it corresponds 1:1 to physical disk data with no encapsulation, so it is parsed according to the physical disk data layout. Features of that layout include, but are not limited to: sector 0 (the first 512 bytes) is the Master Boot Record (MBR), which ends with the signature word "55AA"; relative to the start of sector 0, the data at offsets 01BEH-01FDH is the disk partition table, which contains fields describing the file system identifier of each partition; and so on.
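The header test of mode one with its RAW fallback, as an added Python example that is not part of the patent text. The magic values (QCOW "QFI\xfb", VMDK "KDMV", VHD "conectix", VDI 0xBEDA107F at offset 0x40) come from the public format definitions, not from this page, and the sample images are constructed in memory.

```python
import io
import struct

SECTOR = 512
VDI_SIGNATURE = struct.pack("<I", 0xBEDA107F)  # little-endian, at offset 0x40


def looks_like_raw_disk(sector0: bytes) -> bool:
    """RAW test from the text: sector 0 is an MBR that ends in 55 AA and has
    its partition table at offsets 0x1BE-0x1FD."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        return False
    entries = [sector0[o:o + 16] for o in range(0x1BE, 0x1FE, 16)]
    boot_flags_ok = all(e[0] in (0x00, 0x80) for e in entries)
    has_partition = any(e[4] != 0x00 for e in entries)  # byte 4: type id
    return boot_flags_ok and has_partition


def detect_image_type(f):
    """Return 'QCOW', 'VMDK', 'VDI', 'VHD', 'RAW' or None for a seekable
    binary stream. None means the type is unknown and nothing is mounted."""
    f.seek(0)
    head = f.read(SECTOR)
    if head[:4] == b"QFI\xfb":
        return "QCOW"
    if head[:4] == b"KDMV":                      # sparse VMDK extent
        return "VMDK"
    if head[0x40:0x44] == VDI_SIGNATURE:
        return "VDI"
    if head[:8] == b"conectix":                  # dynamic VHD: footer copy first
        return "VHD"
    # A fixed VHD is a raw disk followed by a 512-byte footer, so sector 0 is
    # an ordinary MBR. Check the footer before falling back to RAW.
    size = f.seek(0, io.SEEK_END)
    if size >= 2 * SECTOR:
        f.seek(size - SECTOR)
        if f.read(8) == b"conectix":
            return "VHD"
    if looks_like_raw_disk(head):
        return "RAW"
    return None


def _mbr_sector() -> bytes:
    """Constructed sector 0 with one bootable Linux partition entry."""
    s = bytearray(SECTOR)
    s[0x1BE] = 0x80          # boot flag
    s[0x1BE + 4] = 0x83      # partition type id
    s[510:512] = b"\x55\xaa"
    return bytes(s)


def constructed_samples():
    """Minimal constructed images: just enough bytes to exercise each branch."""
    mbr = _mbr_sector()
    vhd_footer = b"conectix".ljust(SECTOR, b"\0")
    vdi_text = b"<<< constructed VDI text >>>\n".ljust(0x40, b"\0")
    return {
        "qcow": b"QFI\xfb" + struct.pack(">I", 2) + bytes(SECTOR),
        "vmdk": b"KDMV" + bytes(SECTOR),
        "vdi": vdi_text + VDI_SIGNATURE + bytes(SECTOR),
        "vhd_fixed": mbr + bytes(4 * SECTOR) + vhd_footer,
        "raw": mbr + bytes(4 * SECTOR),
        "unknown": bytes(4 * SECTOR),
        "truncated": b"QF",
    }


def classify_all(samples):
    return {name: detect_image_type(io.BytesIO(data))
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, kind in classify_all(constructed_samples()).items():
        print(f"{name:10s} -> {kind}")
```

The RAW test here requires at least one partition entry, so an image holding a bare file system with no partition table is reported as unknown rather than guessed at.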
Mode two:
When the image data for a virtual machine instance is created in response to a user's virtual machine request, the type identifier of each virtual machine's image data is recorded in a database. In this embodiment, the type identifier can be recorded in the management list maintained by the elastic computing controller, as shown in Table 2. When the virus scanning server needs to know the image data type of a virtual machine, for example virtual machine WM1, it exchanges messages with the elastic computing controller to obtain the image data type stored in the controller's management list. For example, the virus scanning server sends the elastic computing controller a type confirmation request message carrying the virtual machine identifier "WM1" or the image data storage location "192.168.0.1:/vmimages/vm1.raw"; the controller looks up the management list by that identifier or storage location and returns the image data type it finds, "raw", in a type confirmation response message. The virus scanning server extracts the image data type from the type confirmation response message.
Table 2
In this embodiment, the image data type of virtual machine WM1 is QCOW.
Step 306: the virus scanning server calls the mount program corresponding to the data format type to mount the virtual machine's image data.
In this embodiment, because the image data type of WM1 is QCOW, the virus scanning server calls the mount program corresponding to the QCOW data format type to mount WM1's image data.
Most existing operating systems provide a command or set of commands that implement mounting, such as mount and kpartx on Linux.
During mounting, the file system type inside the image data (that is, the file system type of the virtual machine) is determined from the correspondence between image data type and file system type. The file system inside the image data may be the 16-bit File Allocation Table (FAT16), FAT32, the second extended file system (EXT2), the third extended file system (EXT3), the New Technology File System (NTFS) and so on; mounting requires the driver for that file system type in order to support the file system.
After mounting completes, the image data is mapped to a drive in the file system of the virus scanning server, and subsequent operations on files in that drive are equivalent to operations on files in the virtual machine.
After the virus scanning server mounts WM1's image data, the image data is mapped to drive DriverW1.
Step 307: the virus scanning server scans the drive to which the image data is mapped and obtains a scan result.
The virus scanning server runs the virus scanning engine and scans drive DriverW1 according to the signatures of known viruses in the enterprise-grade virus signature database.
Step 308: the virus scanning server determines whether the scan result contains a virus; if so, the flow proceeds to step 309, otherwise to step 311.
Step 309: the corresponding antivirus program is called to remove or quarantine the virus.
Step 310: the virus scanning server notifies the virtual machine user that the scan found a virus.
For example, the virus scanning server sends a notification e-mail carrying the information that the scan found a virus to the user's mailbox, or sends a notification message carrying that information to the user's terminal device. The information may include the list of viruses found by the scan, a description of each virus in the list, and so on.
Steps 309 and 310 need not be performed in a particular order and can also be performed in parallel.
Step 311: the image data of the virtual machine is unmounted.
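Steps 302 to 311 as a scan-only pass, as an added Python example that is not the patent's implementation. It assumes qemu-nbd as the mount program and clamscan as the scanning engine (neither is named on the page), takes the image type from the management list as in mode two, and leaves out step 309 because cleaning needs a writable mount; the VM records and paths are constructed.

```python
from dataclasses import dataclass

# Patent type name -> qemu block-driver name (assumed tooling: qemu-nbd).
QEMU_FORMAT = {"QCOW": "qcow2", "VMDK": "vmdk", "VHD": "vpc",
               "VDI": "vdi", "RAW": "raw"}
INACTIVE = {"suspended", "shutdown"}       # step 303: only these are scanned
MOUNT_OPTS = "ro,noexec,nosuid,nodev"      # guest content is data, never code


@dataclass
class VmRecord:
    """One row of a constructed management list (not the page's Table 1/2)."""
    vm_id: str
    state: str        # "active", "suspended" or "shutdown"
    image: str        # image path as seen from the scanning server
    image_type: str   # type identifier recorded at creation (mode two)


def scan_vm(vm, run, notify, nbd="/dev/nbd0", mnt="/mnt/vmscan"):
    """Steps 303-311 for one VM. run(argv) executes a command and returns its
    exit status. Returns 'skipped', 'clean', 'infected' or 'error'."""
    if vm.state not in INACTIVE:
        return "skipped"                   # step 303: read the state again later
    fmt = QEMU_FORMAT.get(vm.image_type)
    if fmt is None:
        return "error"                     # unknown type: nothing is mounted
    attached = mounted = False
    try:
        # Step 306. The format is stated explicitly so the tool never probes
        # the header of an untrusted image to decide how to open it.
        if run(["qemu-nbd", "--read-only", f"--format={fmt}",
                f"--connect={nbd}", vm.image]) != 0:
            return "error"
        attached = True
        # Assumption: the guest file system is on the first partition.
        if run(["mount", "-o", MOUNT_OPTS, nbd + "p1", mnt]) != 0:
            return "error"
        mounted = True
        # Steps 307-308. clamscan exits 0 (clean), 1 (virus found), 2 (error).
        status = run(["clamscan", "--recursive", "--infected", mnt])
        if status == 1:
            notify(vm.vm_id, "scan found a virus")   # step 310
            return "infected"
        return "clean" if status == 0 else "error"
    finally:
        # Step 311 always runs, so a failed scan never leaves an image attached.
        if mounted:
            run(["umount", mnt])
        if attached:
            run(["qemu-nbd", "--disconnect", nbd])


def run_scan_task(vms, run, notify):
    """Step 302 onward, serially: one result per VM identifier."""
    return {vm.vm_id: scan_vm(vm, run, notify) for vm in vms}


class DryRun:
    """Records commands instead of executing them; exit codes are scripted
    per program name so the control flow can be exercised offline."""
    def __init__(self, exit_codes=None):
        self.exit_codes = exit_codes or {}
        self.log = []

    def __call__(self, argv):
        self.log.append(argv)
        return self.exit_codes.get(argv[0], 0)


# Constructed sample list: identifiers, states and paths are placeholders.
SAMPLE_LIST = [
    VmRecord("vm-a", "shutdown", "/srv/images/vm-a.qcow2", "QCOW"),
    VmRecord("vm-b", "active", "/srv/images/vm-b.vmdk", "VMDK"),
    VmRecord("vm-c", "suspended", "/srv/images/vm-c.raw", "RAW"),
]

if __name__ == "__main__":
    runner = DryRun({"clamscan": 1})
    print(run_scan_task(SAMPLE_LIST, runner, lambda vm_id, msg: None))
    for argv in runner.log:
        print(" ".join(argv))
```

Passing a runner built on subprocess.run in place of DryRun executes the same command sequence for real; that requires root and a loaded nbd kernel module.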
The technical scheme that the embodiment of the present invention provides is the mirror image data of carry virtual machine first, and the driver shining upon after mirror image data carry is carried out to virus scan; In the time that scanning result is found virus, call corresponding antivirus applet and carry out virus sweep, thereby realize the object of virtual machine being carried out to checking and killing virus.In this scheme, without antivirus software is installed in virtual machine, therefore greatly simplify user's operation, solved the antivirus software version updating being arranged in virtual machine and safeguarded unmanageable problem.And can carry out checking and killing virus to all virtual machines in specified scope, thereby ensure the coverage rate of checking and killing virus.
In addition, owing to only need in checking and killing virus server, virus scanning engine being installed, in each virtual machine, install compared with antivirus software with prior art, saved storage space.Due to compared with virtual machine, the advantage of checking and killing virus server on handling property and storage space, can support high-end virus scanning engine and enterprise-level virus characteristic storehouse, thereby has improved the effect of checking and killing virus.
Correspondingly, the embodiment of the present invention also provides a kind of computer virus checking and killing device, and as shown in Figure 4, this device comprises mirror image data acquisition module 401, carry module 402, scanning execution module 403, virus killing execution module 404, specific as follows:
Mirror image data acquisition module 401, for obtaining the memory location of virtual machine image data;
Carry module 402, for according to the memory location of virtual machine image data, the mirror image data of carry virtual machine, is mapped as a virtual disk in checking and killing virus server file system by described mirror image data;
Scanning execution module 403, for after the mirror image data of carry module 402 carry virtual machines, triggers operation virus scanning engine, and described virtual disk is scanned;
Virus killing execution module 404, if find virus for the scanning result of scanning execution module 403, carries out virus sweep.
Alternatively, in order to ensure the accuracy of scanning result and to reduce the impact on virtual machine performance, described computer virus checking and killing device also comprises:
Duty acquisition module 405, for obtaining virtual machine work at present state, the duty of described virtual machine is for activating, hang up or shutdown; In the time that the work at present state of confirming described virtual machine is unactivated state, triggering mirror image data acquisition module 401 obtains the memory location of described virtual machine image data.
Figure 5 is a structural diagram of the mounting module in the computer virus searching and killing device. The mounting module 402 comprises:
A determining unit 501, configured to determine the type of the virtual machine mirror image data;
A mounting unit 502, configured to call, according to the type of the virtual machine mirror image data determined by the determining unit 501, the corresponding mounting program to mount the virtual machine mirror image data at the storage location of the virtual machine mirror image data.
Figure 6 is a structural diagram of the determining unit 501 in the computer virus searching and killing device. The determining unit 501 specifically comprises:
A first test subunit 601, configured to test, according to the storage location of the virtual machine mirror image data, whether the data header of the mirror image data can be read successfully;
A first determining subunit 602, configured to determine the data format type of the mirror image data according to the data format type field in the data header, if the first test subunit 601 can successfully read the data header of the mirror image data;
A second test subunit 603, configured to test whether the mirror image data can be parsed successfully as RAW format, if the first test subunit 601 cannot successfully read the data header of the mirror image data;
A second determining subunit 604, configured to determine that the data format type of the mirror image data is RAW format, if the second test subunit 603 can successfully parse the mirror image data.
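The two-step type check of determining unit 501, the type-specific mount call of mounting unit 502, and the working-state gate of module 405, sketched as an added example (not code from the patent). The QCOW2 and VMDK magic values, the MBR-signature test used for RAW, and the `qemu-nbd` and `losetup` command lines are assumptions; the sample images are constructed.

```python
import os
import struct
import tempfile

# Assumed header magics (not from the patent): QCOW2 and VMDK sparse extents.
HEADER_MAGICS = {b"QFI\xfb": "qcow2", b"KDMV": "vmdk"}
# Assumed read-only mount programs per type; the image path is appended.
MOUNT_PROGRAMS = {
    "qcow2": "qemu-nbd --read-only --format=qcow2 --connect=/dev/nbd0",
    "vmdk": "qemu-nbd --read-only --format=vmdk --connect=/dev/nbd0",
    "raw": "losetup --read-only --partscan --find --show",
}


def detect_image_type(path):
    """Return 'qcow2', 'vmdk', 'raw', or None when the image cannot be typed."""
    with open(path, "rb") as f:
        sector = f.read(512)
    # Step 1: try to read a data header and use its format field.
    fmt = HEADER_MAGICS.get(sector[:4])
    if fmt == "qcow2" and (len(sector) < 8 or struct.unpack(">I", sector[4:8])[0] not in (2, 3)):
        return None  # magic matched but the version field is not a known one
    if fmt:
        return fmt
    # Step 2: no header; RAW test = full first sector ending in MBR signature 55 AA.
    if len(sector) == 512 and sector[510:512] == b"\x55\xaa":
        return "raw"
    return None


def plan_mount(vm_state, path):
    """Return the argv that would mount the image, or None to skip this VM."""
    if vm_state not in ("suspended", "shutdown"):
        return None  # active or unknown state: do not touch the image
    program = MOUNT_PROGRAMS.get(detect_image_type(path))
    return program.split() + [path] if program else None


def build_samples(directory):
    """Write constructed sample images (not real disks); return name -> path."""
    samples = {
        "a.qcow2": b"QFI\xfb" + struct.pack(">I", 3) + bytes(504),
        "b.img": bytes(510) + b"\x55\xaa" + bytes(512),
        "c.bin": b"not a disk image",
    }
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)
    return {name: os.path.join(directory, name) for name in samples}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print({n: plan_mount("shutdown", p) for n, p in build_samples(d).items()})
```

The planner only returns the command line; it never executes it, and both assumed commands attach the image read-only so that scanning alone cannot modify a guest disk.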
A person of ordinary skill in the art will appreciate that all or part of the steps of the methods in the above embodiments can be completed by a program instructing the relevant hardware, and that the program can be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk, or an optical disc.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.

Claims (9)

1. A computer virus searching and killing method, characterized by comprising:
A virus searching and killing server obtaining the storage location of the mirror image data of a virtual machine;
Mounting the mirror image data according to the storage location of the mirror image data, and mapping the mirror image data as a virtual disk in the file system of the virus searching and killing server;
Running a virus scanning engine to scan the virtual disk; if the scanning result finds a virus, removing the virus;
Wherein mounting the mirror image data according to the storage location of the mirror image data comprises:
Determining the type of the mirror image data of the virtual machine;
Calling, according to the type of the mirror image data, the corresponding mounting program to mount the mirror image data.
2. the method for claim 1, is characterized in that, described checking and killing virus server also comprises before obtaining the memory location of virtual machine image data:
Described checking and killing virus server obtains virtual machine work at present state, and the duty of described virtual machine is for activating, hang up or shutdown;
After the work at present state of confirming described virtual machine is unactivated state, carry out described checking and killing virus server and obtain the step of the memory location of the mirror image data of virtual machine.
3. The method of claim 2, characterized in that:
The virus searching and killing server obtaining the current working state of the virtual machine comprises: the virus searching and killing server obtaining the current working state of the virtual machine from an elastic computing controller;
The virus searching and killing server obtaining the storage location of the virtual machine mirror image data comprises: the virus searching and killing server obtaining the storage location of the virtual machine mirror image data from the elastic computing controller;
The elastic computing controller maintains the current working state of each virtual machine and stores the storage location of the mirror image data of each virtual machine.
4. the method for claim 1, is characterized in that, the type of the described mirror image data of determining described virtual machine, comprising:
According to the memory location of the mirror image data of described virtual machine, whether test can successfully read the data head of described mirror image data;
If can successfully read the data head of described mirror image data, according to the type of data format field in described data head, determine the type of data format of described mirror image data;
If can not successfully read the data head of described mirror image data, test according to RAW form whether can successfully resolve described mirror image data, if can successfully resolve described mirror image data, determine that the type of data format of described mirror image data is RAW form.
5. the method for claim 1, is characterized in that, the type of the described mirror image data of determining described virtual machine, comprising:
The type that sends the memory location that carries virtual machine mark or virtual machine image data to elasticity computing controller is confirmed request message;
Receive the type confirmation response message that described elasticity computing controller is returned;
From described type confirmation response message, extract the type of the described mirror image data carrying, the type of described mirror image data is that described elasticity computing controller identifies according to the virtual machine in type confirmation request message, the corresponding relation of the virtual machine mark of preserving in the time that the mirror image data of virtual machine creates and the type of mirror image data, finds; Or described elasticity computing controller is according to the memory location in type confirmation request message, the memory location of mirror image data of virtual machine of preserving in the time that the mirror image data of virtual machine creates and the corresponding relation of the type of mirror image data, finds.
6. The method of claim 1, 2, 3 or 5, characterized in that, after the virtual disk is scanned, the method further comprises: unmounting the mirror image data of the virtual machine.
7. A computer virus searching and killing device, characterized by comprising:
A mirror image data acquisition module, configured to obtain the storage location of the mirror image data of a virtual machine;
A mounting module, configured to mount the mirror image data according to the storage location of the mirror image data, mapping the mirror image data as a virtual disk in the file system of the virus searching and killing server;
A scanning execution module, configured to trigger the running of a virus scanning engine after the mounting module has mounted the mirror image data, and to scan the virtual disk;
A virus killing execution module, configured to remove the virus if the scanning result of the scanning execution module finds a virus;
The mounting module comprises:
A determining unit, configured to determine the type of the mirror image data of the virtual machine;
A mounting unit, configured to call, according to the type of the mirror image data determined by the determining unit, the corresponding mounting program to mount the mirror image data.
8. The device of claim 7, characterized by further comprising:
A working state acquisition module, configured to obtain the current working state of the virtual machine, the working state of the virtual machine being active, suspended, or shut down; and, when the current working state of the virtual machine is confirmed to be a non-active state, to trigger the mirror image data acquisition module to obtain the storage location of the virtual machine mirror image data.
9. The device of claim 7, characterized in that the determining unit comprises:
A first test subunit, configured to test, according to the storage location of the mirror image data of the virtual machine, whether the data header of the mirror image data can be read successfully;
A first determining subunit, configured to determine the data format type of the mirror image data according to the data format type field in the data header, if the first test subunit can successfully read the data header of the mirror image data;
A second test subunit, configured to test whether the mirror image data can be parsed successfully as RAW format, if the first test subunit cannot successfully read the data header of the mirror image data;
A second determining subunit, configured to determine that the data format type of the mirror image data is RAW format, if the second test subunit can successfully parse the mirror image data.
CN201110338866.XA 2011-11-01 2011-11-01 Method, system and device for searching and killing computer virus Active CN102419803B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110338866.XA CN102419803B (en) 2011-11-01 2011-11-01 Method, system and device for searching and killing computer virus

Publications (2)

Publication Number Publication Date
CN102419803A CN102419803A (en) 2012-04-18
CN102419803B true CN102419803B (en) 2014-12-03

Family

ID=45944210

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110338866.XA Active CN102419803B (en) 2011-11-01 2011-11-01 Method, system and device for searching and killing computer virus

Country Status (1)

Country Link
CN (1) CN102419803B (en)

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102819470A (en) * 2012-08-13 2012-12-12 广州杰赛科技股份有限公司 Private cloud computing platform-based virtual machine repair method
CN102930208B (en) * 2012-09-29 2015-11-25 北京奇虎科技有限公司 A kind of disposal route of file of contaminating and system
CN102902925B (en) * 2012-09-29 2016-08-03 北京奇虎科技有限公司 The processing method of a kind of file of contaminating and system
US9304885B2 (en) * 2013-06-18 2016-04-05 International Business Machines Corporation Passive monitoring of virtual systems using agent-less, near-real-time indexing
CN104008338B (en) * 2014-05-08 2017-06-27 北京金山安全软件有限公司 Android malicious program processing method, device and equipment
CN104298918B (en) * 2014-09-12 2018-08-21 北京云巢动脉科技有限公司 A kind of virus scan method and system in virtual machine based on data block
CN105007261A (en) * 2015-06-02 2015-10-28 华中科技大学 Security protection method for image file in virtual environment
CN106469275A (en) * 2015-08-18 2017-03-01 中兴通讯股份有限公司 Virtual machine virus method and device
CN105844162B (en) * 2016-04-08 2019-03-29 北京北信源软件股份有限公司 A kind of method of windows virtual machine vulnerability scanning under virtual platform
CN107342963A (en) * 2016-04-28 2017-11-10 中移(苏州)软件技术有限公司 A kind of secure virtual machine control method, system and the network equipment
CN106886369A (en) * 2017-01-22 2017-06-23 武汉噢易云计算股份有限公司 A kind of cloud hard disk management method and system based on OpenStack cloud platforms
CN115004184A (en) * 2020-03-24 2022-09-02 深圳市欢太科技有限公司 Mirror security scanning system, method, device, device and storage medium
CN111475807A (en) * 2020-04-02 2020-07-31 亚信科技(成都)有限公司 Detection method and device for movable storage equipment
CN114282214B (en) * 2021-12-17 2022-10-21 北京天融信网络安全技术有限公司 Virus checking and killing method and device and electronic equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101098226A (en) * 2006-06-27 2008-01-02 飞塔信息科技(北京)有限公司 A virus online real-time processing system and method thereof
CN101827104A (en) * 2010-04-27 2010-09-08 南京邮电大学 Multi anti-virus engine-based network virus joint defense method
CN101977188A (en) * 2010-10-14 2011-02-16 中国科学院计算技术研究所 Malicious program detection system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7797748B2 (en) * 2007-12-12 2010-09-14 Vmware, Inc. On-access anti-virus mechanism for virtual machine architecture

Also Published As

Publication number Publication date
CN102419803A (en) 2012-04-18

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C53 Correction of patent of invention or patent application
CB02 Change of applicant information

Address after: High tech Park No. 88 University of Electronic Science and technology of Sichuan province in 611721 Chengdu city high tech Zone West Park area Qingshui River Tianchen Road No. 5 building D

Applicant after: HUAWEI DIGITAL TECHNOLOGIES (CHENG DU) Co.,Ltd.

Address before: High tech Park No. 88 University of Electronic Science and technology of Sichuan province in 611721 Chengdu city high tech Zone West Park area Qingshui River Tianchen Road No. 5 building D

Applicant before: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES Co.,Ltd.

COR Change of bibliographic data

Free format text: CORRECT: APPLICANT; FROM: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD. TO: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD.

C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20221012

Address after: No. 1899 Xiyuan Avenue, high tech Zone (West District), Chengdu, Sichuan 610041

Patentee after: Chengdu Huawei Technologies Co.,Ltd.

Address before: 611721 Area D, Building 5, High-tech Park, University of Electronic Science and Technology of China, No. 88 Tianchen Road, Qingshuihe Area, Western Park, High-tech Zone, Chengdu, Sichuan Province

Patentee before: HUAWEI DIGITAL TECHNOLOGIES (CHENG DU) Co.,Ltd.
