
CN119232406A - Mail processing method, device, equipment and storage medium based on Trojan virus - Google Patents


Info

Publication number
CN119232406A
Authority
CN
China
Prior art keywords
virus
mail
trojan
information
trojan virus
Legal status
Pending
Application number
CN202310791195.5A
Other languages
Chinese (zh)
Inventor
陈松
Current Assignee
360 Digital Security Technology Group Co Ltd
Original Assignee
360 Digital Security Technology Group Co Ltd


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L 51/42 Mailbox-related aspects, e.g. synchronisation of mailboxes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The present invention relates to the field of Internet security technology and discloses a Trojan virus-based mail handling method, device, equipment and storage medium. The method comprises: when a Trojan virus mail has not been intercepted, determining the target account information that received the Trojan virus mail; obtaining the virus characteristic information of the Trojan virus mail according to the target account information; determining a security linkage device according to the virus characteristic information; and performing linkage handling of the Trojan virus mail through the security linkage device. Compared with the prior art, in which Trojan virus mails must be detected manually and then handled manually, the present invention determines the security linkage device from the virus characteristic information corresponding to the Trojan virus mail as soon as the mail is detected and then handles the mail through the security linkage device, thereby improving the handling efficiency of Trojan virus mails.

Description

Trojan horse virus-based mail handling method, device, equipment and storage medium
Technical Field
The invention relates to the technical field of internet security, in particular to a Trojan horse virus-based mail handling method, device and equipment and a storage medium.
Background
A Trojan virus is a network virus that hides behind a disguise. It is commonly sent as an e-mail attachment or bound into another program; once started it can open a back door, send the user's private data to an address designated by the Trojan program at regular intervals, and control the computer at will to perform illegal operations such as deleting files, copying them and changing passwords. In the prior art, whether a mail carries a Trojan virus has to be checked manually at regular intervals, and when a Trojan virus mail is detected it has to be cleared manually, so the handling efficiency of Trojan virus mails is low.
The foregoing is provided merely for the purpose of facilitating understanding of the technical solutions of the present invention and is not intended to represent an admission that the foregoing is prior art.
Disclosure of Invention
The invention mainly aims to provide a Trojan virus-based mail handling method, device, equipment and storage medium, which aim to solve the technical problem of how to improve the handling efficiency of Trojan virus mails.
In order to achieve the above object, the present invention provides a Trojan virus-based mail handling method, comprising the steps of:
when the Trojan virus mail is not intercepted, determining target account information for receiving the Trojan virus mail;
Acquiring virus characteristic information of the Trojan horse virus mail according to the target account information;
determining safety linkage equipment according to the virus characteristic information;
And carrying out linkage treatment on the Trojan virus mail through the safety linkage equipment.
Optionally, before the step of determining the target account information for receiving the Trojan virus mail when the Trojan virus mail is not intercepted, the method further includes:
mail alarm information is obtained through the safety detection equipment;
determining Trojan horse virus event according to the mail alarm information;
analyzing the Trojan horse virus event to obtain Trojan horse virus infection information;
And determining Trojan virus mails according to the Trojan virus infection information.
Optionally, after the step of determining the Trojan virus mail according to the Trojan virus infection information, the method further comprises:
Intercepting the Trojan virus mail through mail gateway equipment to obtain mail interception information;
Judging whether the mail interception information meets a preset interception condition or not;
And when the mail interception information does not meet the preset interception condition, judging that the Trojan horse virus mail is not intercepted.
Optionally, after the step of determining whether the mail interception information meets the preset interception condition, the method further includes:
when the mail interception information meets the preset interception condition, generating interception alarm information according to the mail interception information;
and sending the interception alarm information to a corresponding target management terminal.
Optionally, before the step of determining the target account information of the Trojan virus mail, the method further includes:
Acquiring mail handling information of the Trojan horse virus mail;
judging whether the mail disposal information meets preset mail receiving conditions or not;
And executing the step of determining the target account information for receiving the Trojan horse virus mail when the mail handling information meets the preset mail receiving condition.
Optionally, after the step of determining whether the mail handling information meets the preset mail receiving condition, the method further includes:
When the mail handling information does not meet the preset mail receiving conditions, determining delivery account information of the Trojan horse virus mail;
and adding the delivery account information to a mail blacklist so that mail interception equipment intercepts mails sent by the delivery account information according to the mail blacklist.
Optionally, the step of acquiring virus characteristic information of the Trojan horse virus mail according to the target account information includes:
extracting virus sample information from the Trojan horse virus mail according to the target account information;
and analyzing the virus sample information to obtain virus characteristic information of the Trojan horse virus mail.
Optionally, the step of analyzing the virus sample information to obtain virus characteristic information of the Trojan horse virus mail includes:
Acquiring login terminal information corresponding to the target account information;
Determining a security detection device according to the login terminal information;
And analyzing the virus sample information through the safety detection equipment to obtain the virus characteristic information of the Trojan horse virus mail.
Optionally, the step of determining a safety linkage device according to the virus characteristic information includes:
analyzing the virus characteristic information to obtain Trojan horse virus information;
And determining safety linkage equipment according to the Trojan horse virus information.
Optionally, the step of determining the safety linkage device according to the Trojan virus information includes:
Judging whether the Trojan horse virus information meets a preset virus condition or not;
When the Trojan horse virus information meets the preset virus conditions, determining Trojan horse virus grade according to the Trojan horse virus information;
and determining the safety linkage equipment according to the Trojan horse virus grade.
Optionally, the step of performing linkage treatment on the Trojan virus mail through the safety linkage device includes:
determining domain name information and address information corresponding to the Trojan virus mail;
Determining a preset virus blocking strategy according to the domain name information, the address information and the safety linkage equipment;
and carrying out linkage treatment on the Trojan horse virus mail through the safety linkage equipment based on the preset virus blocking strategy.
Optionally, after the step of performing linkage treatment on the Trojan virus mail through the safety linkage device based on the preset virus blocking policy, the method further includes:
generating a Trojan virus log according to the linkage treatment result of the Trojan virus mail;
Determining compromise information of the terminal host according to the Trojan virus log;
determining a preset host handling strategy according to the terminal host compromise information;
And isolating the terminal host according to the preset host handling strategy.
In addition, in order to achieve the above object, the present invention also proposes a Trojan virus-based mail handling device, comprising:
The determining module is used for determining target account information for receiving the Trojan virus mail when the Trojan virus mail is not intercepted;
The acquisition module is used for acquiring virus characteristic information of the Trojan horse virus mail according to the target account information;
the determining module is further used for determining safety linkage equipment according to the virus characteristic information;
And the disposal module is used for carrying out linkage disposal on the Trojan horse virus mail through the safety linkage equipment.
Optionally, the Trojan virus-based mail handling device further comprises a judging module;
The judging module is used for acquiring mail handling information of the Trojan horse virus mail;
the judging module is further used for judging whether the mail handling information meets preset mail receiving conditions or not;
The judging module is further configured to execute the operation of determining the target account information for receiving the Trojan horse virus mail when the mail handling information meets the preset mail receiving condition.
Optionally, the obtaining module is further configured to extract virus sample information from the Trojan horse virus mail according to the target account information;
The acquisition module is also used for analyzing the virus sample information to obtain the virus characteristic information of the Trojan horse virus mail.
Optionally, the determining module is further configured to analyze the virus characteristic information to obtain Trojan horse virus information;
the determining module is further used for determining the safety linkage equipment according to the Trojan horse virus information.
Optionally, the disposal module is further configured to determine domain name information and address information corresponding to the Trojan virus mail;
The disposal module is further used for determining a preset virus blocking policy according to the domain name information, the address information and the safety linkage equipment;
the disposal module is further configured to perform linkage disposal on the Trojan horse virus mail through the security linkage device based on the preset virus blocking policy.
Optionally, the disposal module is further configured to generate a Trojan virus log according to the linkage disposal result of the Trojan virus mail;
the disposal module is further used for determining compromise information of the terminal host according to the Trojan virus log;
the disposal module is further configured to determine a preset host disposal policy according to the terminal host compromise information;
and the disposal module is further used for isolating the terminal host according to the preset host disposal policy.
In addition, in order to achieve the aim, the invention also provides a Trojan virus-based mail handling device, which comprises a memory, a processor and a Trojan virus-based mail handling program which is stored on the memory and can run on the processor, wherein the Trojan virus-based mail handling program is configured to realize the steps of the Trojan virus-based mail handling method.
In addition, in order to achieve the above object, the present invention also proposes a storage medium having stored thereon a Trojan virus-based mail handling program which, when executed by a processor, implements the steps of the Trojan virus-based mail handling method as described above.
When the Trojan virus mail is not intercepted, the method comprises the steps of firstly determining target account information of the Trojan virus mail, then acquiring virus characteristic information of the Trojan virus mail according to the target account information, determining safety linkage equipment according to the virus characteristic information, and then carrying out linkage treatment on the Trojan virus mail through the safety linkage equipment. Compared with the prior art that the Trojan virus mail is required to be detected manually, and then the Trojan virus mail is treated manually, when the Trojan virus mail is detected, the safety linkage equipment is determined according to the virus characteristic information corresponding to the Trojan virus mail, and then the Trojan virus mail is treated in a linkage way through the safety linkage equipment, so that the treatment efficiency of the Trojan virus mail is improved, and further the user experience is improved.
Drawings
Fig. 1 is a schematic structural diagram of a Trojan virus-based mail handling device in a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart of a first embodiment of a Trojan virus-based mail handling method according to the present invention;
FIG. 3 is a flowchart of a second embodiment of a Trojan virus-based mail handling method according to the present invention;
FIG. 4 is a flowchart of a third embodiment of a Trojan virus-based mail handling method according to the present invention;
fig. 5 is a block diagram showing the construction of a first embodiment of a Trojan virus-based mail handling apparatus according to the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Referring to fig. 1, fig. 1 is a schematic diagram of a hardware running environment mail handling device based on Trojan horse virus according to an embodiment of the present invention.
As shown in fig. 1, the Trojan virus based mail handling device may include a processor 1001, such as a central processing unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004 and a memory 1005. The communication bus 1002 is used to enable communication between these components. The user interface 1003 may include a display and an input unit such as a keyboard, and may optionally further include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (for example, a Wireless-Fidelity (Wi-Fi) interface). The memory 1005 may be a high-speed random access memory (RAM) or a stable non-volatile memory (NVM), such as a disk memory; it may also optionally be a storage device separate from the processor 1001.
It will be appreciated by those skilled in the art that the structure shown in fig. 1 does not constitute a limitation of a Trojan virus based mail handling device, and may include more or fewer components than shown, or certain components in combination, or a different arrangement of components.
As shown in fig. 1, an operating system, a data storage module, a network communication module, a user interface module, and a Trojan virus-based mail handler may be included in the memory 1005 as one storage medium.
In the Trojan virus-based mail handling device shown in fig. 1, the network interface 1004 is mainly used for data communication with a network server, the user interface 1003 is mainly used for data interaction with a user, and the processor 1001 and the memory 1005 are arranged in the device; the device calls the Trojan virus-based mail handling program stored in the memory 1005 through the processor 1001 and executes the Trojan virus-based mail handling method provided by the embodiment of the invention.
The embodiment of the invention provides a Trojan virus-based mail handling method, and referring to fig. 2, fig. 2 is a flow diagram of a first embodiment of the Trojan virus-based mail handling method.
In this embodiment, the method for handling the mail based on the Trojan horse virus includes the following steps:
Step S10: when the Trojan virus mail is not intercepted, determining target account information for receiving the Trojan virus mail.
It is to be understood that the execution body of the embodiment may be a Trojan virus-based mail processing device with functions of data processing, network communication, program running, etc., or may be other computer devices with similar functions, and the embodiment is not limited thereto.
It can be understood that the Trojan virus mail is a mail carrying Trojan virus, once the Trojan virus mail is opened by a user, the terminal is invaded by Trojan virus, and then the computer can be controlled at will to perform illegal operations such as file deletion, copying, password changing and the like.
The target account information of the Trojan virus mail is mailbox account information for receiving the Trojan virus mail, and the like.
Further, in order to determine the Trojan virus mail accurately, before the step of determining the target account information for receiving the Trojan virus mail, mail alarm information is first obtained through a security detection device; a Trojan virus event is then determined according to the mail alarm information, the Trojan virus event is analyzed to obtain Trojan virus infection information, and the Trojan virus mail is determined according to the Trojan virus infection information.
It should also be understood that the mail alarm information is virus alarm information generated by the security device, where the virus alarm information includes discovery of delivery of Trojan virus event or discovery of delivery of other virus event.
In a specific implementation, when a Trojan virus event is found to be delivered, the Trojan virus event needs to be analyzed to obtain Trojan virus infection information, wherein the Trojan virus infection information comprises Trojan virus specific delivery modes, such as link delivery or mail delivery, and then Trojan virus mail or Trojan virus link and the like can be determined according to the Trojan virus infection information.
In this embodiment, the security device performs advanced threat detection and malicious-code analysis on the mail, and the alert it generates reveals the event of a Trojan virus mail being delivered. The Trojan virus event is sent to a mail gateway, which may intercept the Trojan virus mail and produce mail interception information. Whether the mail interception information meets a preset interception condition is then judged: when it does not, the Trojan virus mail is judged not to have been intercepted; when it does, interception alarm information is generated from the mail interception information and sent to the corresponding target management terminal.
It should be understood that the preset interception condition is that the Trojan virus mail has been intercepted, and the mail interception information includes information that the mail was intercepted, information that it was not intercepted, and the like. The target management terminal may be a terminal used by the person responsible for Trojan virus handling, or an associated terminal corresponding to the target account information.
In a specific implementation, when the Trojan virus mail is not intercepted by the mail gateway, mail handling information of the Trojan virus mail is obtained and whether it meets a preset mail receiving condition is judged. When the mail handling information does not meet the preset mail receiving condition, the delivery account information of the Trojan virus mail is determined and added to a mail blacklist, so that the mail interception equipment intercepts mails sent from that delivery account according to the blacklist. When the mail handling information meets the preset mail receiving condition, the target account information for receiving the Trojan virus mail is determined.
It should be noted that the mail handling information may be the status of the current Trojan virus mail, such as a received status or a not-received status. The preset mail receiving condition is that the user has received the Trojan virus mail, and the like.
In this embodiment, the event of a Trojan virus mail being delivered is discovered through the alarm generated by the security device. Whether the mail gateway intercepted the mail is determined first; if it did, no processing is needed. Otherwise, the relevant mailbox account is determined from the alarm, the relevant Trojan virus mail is determined from the alarm information, and whether the user received the mail is checked. If not, the user is confirmed to be unharmed and is notified not to open it. If the user did receive it, whether the user opened it is queried; if not, the user is notified not to open it, and if so, the host handling flow is entered, which includes isolating the host and notifying a technician to handle it on site, delete the mail, remove the Trojan, restore the business, and so on.
Step S20: acquiring virus characteristic information of the Trojan horse virus mail according to the target account information.
Further, in order to accurately obtain virus characteristic information, the processing manner of obtaining virus characteristic information of the Trojan virus mail according to the target account information may be to extract virus sample information from the Trojan virus mail according to the target account information, and then analyze the virus sample information to obtain virus characteristic information of the Trojan virus mail.
It should also be appreciated that the virus sample information may be part of the Trojan virus information in the Trojan virus mail and the virus characteristic information may be information related to Trojan virus, such as Trojan virus toxicity information, related domain name or Internet protocol (Internet Protocol, IP) address, etc.
In a specific implementation, the step of analyzing the virus sample information to obtain virus characteristic information of the Trojan virus mail may be to obtain login terminal information corresponding to the target account information, and then determine a security detection device according to the login terminal information, and analyze the virus sample information through the security detection device to obtain the virus characteristic information of the Trojan virus mail.
The login terminal information is the terminal device which is logged in when the Trojan virus mail is currently received, and the security detection device is the security device which exists in the currently logged-in terminal device, such as an intrusion detection system or a sandbox device.
In this embodiment, virus sample information may be obtained by the intrusion detection system, and then the virus sample information is analyzed by the linked sandbox to obtain virus characteristic information, where the virus characteristic information includes Trojan horse virus information, related domain name or IP address, and the like.
Step S30: determining safety linkage equipment according to the virus characteristic information.
Further, in order to improve the processing efficiency of the Trojan virus mail, the processing mode of determining the safety linkage equipment according to the virus characteristic information may be to analyze the virus characteristic information to obtain Trojan virus information, judge whether the Trojan virus information meets the preset virus condition, determine the Trojan virus grade according to the Trojan virus information when the Trojan virus information meets the preset virus condition, and then determine the safety linkage equipment according to the Trojan virus grade.
It should also be understood that the preset virus condition is that the Trojan virus mail is a toxic mail, the Trojan virus information includes Trojan virus toxic information, trojan virus non-toxic information and the like, and the safety linkage equipment can be safety equipment such as a firewall and the like.
In the specific implementation, if the Trojan virus mail is nontoxic, the process is finished, and if the Trojan virus mail is toxic, the safety linkage equipment can be a firewall or the like.
Step S40: carrying out linkage treatment on the Trojan virus mail through the safety linkage equipment.
Further, in order to improve the treatment efficiency of the Trojan virus mail, the treatment mode of carrying out linkage treatment on the Trojan virus mail through the safety linkage equipment can be to determine domain name information and address information corresponding to the Trojan virus mail, then a preset virus blocking strategy is determined according to the domain name information, the address information and the safety linkage equipment, and linkage treatment is carried out on the Trojan virus mail through the safety linkage equipment based on the preset virus blocking strategy.
It should be further noted that the preset virus blocking policy may be set for user definition, for example, the linkage firewall blocks related domain names and IPs.
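The decision flow of steps S10 to S40 (gateway interception check, receipt check with sender blacklisting, sample analysis, grade-based selection of the linkage devices and a domain/IP blocking policy), written out as an added Python example that is not code from the patent or its assignee. The data classes, the grade-to-device mapping, the stand-in sandbox and the sample alert are assumptions; a real deployment would obtain the verdict from the linked sandbox and push the block lists to the named devices.

```python
"""Added example (not code from the patent or its assignee): a triage playbook
following the decision flow of steps S10 to S40. Device names, data classes,
the grade-to-device mapping and the sample alert are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class MailAlert:
    """Constructed shape of the mail alarm information plus mail handling status."""
    recipient: str             # target account information
    sender: str                # delivery account information
    gateway_intercepted: bool  # mail interception information
    received: bool             # mail handling information: receiving status
    opened: bool               # whether the user opened the mail
    sample: bytes = b""        # virus sample information extracted from the mail


@dataclass
class VirusFeatures:
    """Assumed shape of the sandbox's virus characteristic information."""
    toxic: bool
    grade: int                 # Trojan virus grade, 1 (low) to 3 (high); assumed scale
    domains: List[str] = field(default_factory=list)
    ips: List[str] = field(default_factory=list)


@dataclass
class Actions:
    """Result of linkage handling: what each linked device is asked to do."""
    notify_admin: bool = False
    blacklist_sender: Optional[str] = None
    notify_user: bool = False
    linkage_devices: List[str] = field(default_factory=list)
    block_domains: List[str] = field(default_factory=list)
    block_ips: List[str] = field(default_factory=list)
    isolate_host: bool = False
    log: List[str] = field(default_factory=list)   # the Trojan virus log


def devices_for_grade(grade: int) -> List[str]:
    """Pick the security linkage devices from the virus grade (assumed mapping)."""
    if grade >= 3:
        return ["firewall", "edr", "mail_gateway"]
    if grade == 2:
        return ["firewall", "edr"]
    return ["firewall"]


def stub_sandbox(sample: bytes) -> VirusFeatures:
    """Stand-in for the linked sandbox: a constructed marker decides the verdict.
    A real deployment would submit the sample to the detection device instead."""
    if b"C2=" not in sample:
        return VirusFeatures(toxic=False, grade=0)
    # Constructed sample format: "C2=<domain>,<ip>;GRADE=<n>"
    body, _, grade = sample.decode().partition(";GRADE=")
    domain, ip = body[len("C2="):].split(",")
    return VirusFeatures(toxic=True, grade=int(grade or 1), domains=[domain], ips=[ip])


def triage(alert: MailAlert,
           analyze: Callable[[bytes], VirusFeatures] = stub_sandbox) -> Actions:
    """Run S10 to S40 for one alert and return the actions to execute."""
    acts = Actions()
    # Gateway interception succeeded: only an interception alarm goes to the admin terminal.
    if alert.gateway_intercepted:
        acts.notify_admin = True
        acts.log.append("intercepted by mail gateway; no further handling")
        return acts
    # Not intercepted but never received: add the delivery account to the mail blacklist.
    if not alert.received:
        acts.blacklist_sender = alert.sender
        acts.log.append(f"sender {alert.sender} added to mail blacklist")
        return acts
    # Received: the target account is known, so extract and analyze the sample (S20).
    if not alert.opened:
        acts.notify_user = True          # tell the user not to open it
    feats = analyze(alert.sample)
    if not feats.toxic:                  # preset virus condition not met: flow ends
        acts.log.append("sample judged nontoxic; flow ends")
        return acts
    # S30: the grade decides which devices to link. S40: blocking policy from domain/IP.
    acts.linkage_devices = devices_for_grade(feats.grade)
    acts.block_domains = list(feats.domains)
    acts.block_ips = list(feats.ips)
    acts.log.append(f"blocked {feats.domains + feats.ips} via {acts.linkage_devices}")
    # An opened mail enters the host handling flow: isolate and hand over to a technician.
    if alert.opened:
        acts.isolate_host = True
        acts.log.append(f"host of {alert.recipient} isolated for on-site handling")
    return acts


if __name__ == "__main__":
    demo = MailAlert("alice@example.com", "mailer@bad.example", False, True, True,
                     b"C2=c2.bad.example,203.0.113.10;GRADE=3")
    for line in triage(demo).log:
        print(line)
```

The early returns mirror the text's flow: an intercepted mail and a never-received mail both stop before any sample analysis, and only a received mail reaches the sandbox, the grade lookup and the blocking policy. The `analyze` parameter lets the stand-in sandbox be swapped for a client of the real detection device without touching the decision logic.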
In this embodiment, the Trojan virus mail is handled in linkage through the safety linkage equipment based on a preset virus blocking policy, a Trojan virus log is generated according to the linkage handling result, the compromise information of the terminal host is determined according to the Trojan virus log, a preset host handling policy is determined according to the terminal host compromise information, and the terminal host is isolated according to the preset host handling policy.
In a specific implementation, whether a host is compromised is analyzed from the linkage handling result of the Trojan virus mail, the alarm and the terminal endpoint detection and response (Endpoint Detection and Response, EDR) logs. The host compromise analysis strategy may consider: communication traffic to the relevant domain name or IP in the traffic; other abnormal security operation alarms generated by the terminal EDR; and actions that are consistent with the sandbox's virus analysis result, and the like. A preset host handling strategy is then determined according to the host compromise analysis result; it may be to isolate the host and notify a technician to handle it on site, delete the mail, remove the Trojan, restore the business, and so on. Finally, the terminal host is handled according to the preset host handling strategy, the causes of the intrusion are reviewed and summarized, the shortcomings in data/business recovery are summarized, and the overall security capability is improved in light of the current situation.
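The host compromise analysis described above (communication to the sandbox's domain/IP indicators, abnormal EDR alarms, and EDR-observed actions consistent with the sandbox result), as an added Python example that is not code from the patent or its assignee. The flow-log and EDR-log formats, the alert names, the two-of-three threshold and all sample lines are constructed assumptions.

```python
"""Added example (not code from the patent or its assignee): host-compromise
analysis that correlates the firewall's linkage result (flow log), terminal EDR
alerts and the sandbox's behaviour report to pick a host handling policy.
Log formats, field names, thresholds and all sample lines are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed firewall flow log: "<time> <src_ip> <dst>:<port> <action>"
FLOW_LOG = """\
2024-01-01T10:00:01 10.0.5.21 203.0.113.10:443 ALLOW
2024-01-01T10:00:04 10.0.5.21 c2.bad.example:80 DENY
2024-01-01T10:00:09 10.0.5.33 files.example.org:443 ALLOW
"""
# Constructed EDR alert log: "<time> <host_ip> <alert_name> <detail>"
EDR_LOG = """\
2024-01-01T10:00:02 10.0.5.21 SuspiciousChildProcess office app spawned a script host
2024-01-01T10:00:05 10.0.5.21 AutorunModified new autorun entry written
2024-01-01T10:01:00 10.0.5.33 ScanCompleted scheduled scan finished
2024-01-01T10:02:00 10.0.5.40 UnsignedDriverLoaded driver without valid signature loaded
"""
# Constructed sandbox result for the Trojan sample: network indicators and behaviours
SANDBOX_IOCS: Set[str] = {"203.0.113.10", "c2.bad.example"}
SANDBOX_BEHAVIOURS: Set[str] = {"SuspiciousChildProcess", "AutorunModified"}
# EDR alert names treated as informational rather than abnormal (assumed)
INFORMATIONAL = {"ScanCompleted"}


@dataclass
class HostVerdict:
    ioc_contacts: List[str] = field(default_factory=list)       # flows to sandbox IOCs
    abnormal_alerts: List[str] = field(default_factory=list)    # non-informational EDR alerts
    behaviour_matches: List[str] = field(default_factory=list)  # alerts matching the sandbox
    compromised: bool = False
    policy: str = "none"


def parse_flows(text: str) -> List[Tuple[str, str, str]]:
    """Return (src, dst_host, action) rows from the constructed flow log format."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _, src, dst, action = line.split(" ", 3)
        rows.append((src, dst.rsplit(":", 1)[0], action))
    return rows


def parse_edr(text: str) -> List[Tuple[str, str]]:
    """Return (host, alert_name) rows from the constructed EDR log format."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _, host, name, _detail = line.split(" ", 3)
        rows.append((host, name))
    return rows


def analyze_hosts(flow_log: str, edr_log: str, iocs: Set[str],
                  behaviours: Set[str]) -> Dict[str, HostVerdict]:
    """Apply the three compromise criteria per host and choose a handling policy."""
    verdicts: Dict[str, HostVerdict] = {}
    for src, dst, action in parse_flows(flow_log):
        v = verdicts.setdefault(src, HostVerdict())
        if dst in iocs:
            # A denied attempt still shows that something on the host is beaconing.
            v.ioc_contacts.append(f"{dst} ({action})")
    for host, name in parse_edr(edr_log):
        v = verdicts.setdefault(host, HostVerdict())
        if name not in INFORMATIONAL:
            v.abnormal_alerts.append(name)
        if name in behaviours:
            v.behaviour_matches.append(name)
    for v in verdicts.values():
        indicators = sum(bool(x) for x in (v.ioc_contacts, v.abnormal_alerts, v.behaviour_matches))
        # Assumed threshold: two of the three criteria mean compromise; a lone
        # indicator only earns monitoring.
        v.compromised = indicators >= 2
        if v.compromised:
            v.policy = "isolate_host"   # then notify a technician, delete mail, clean, restore
        elif indicators == 1:
            v.policy = "monitor"
    return verdicts


if __name__ == "__main__":
    for host, v in analyze_hosts(FLOW_LOG, EDR_LOG, SANDBOX_IOCS, SANDBOX_BEHAVIOURS).items():
        print(host, v.policy, v.ioc_contacts, v.abnormal_alerts, v.behaviour_matches)
```

Each host is scored on the three criteria the text lists, so the policy decision is explainable from the evidence kept on the verdict: the constructed host that beacons to a sandbox indicator and raises the same behaviours the sandbox observed is isolated, the host with a single unrelated EDR alert is only monitored, and the host with nothing but informational alerts is left alone.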
In this embodiment, when the Trojan virus mail is not intercepted, the target account information of the Trojan virus mail is determined, then the virus characteristic information of the Trojan virus mail is obtained according to the target account information, the safety linkage equipment is determined according to the virus characteristic information, and then the Trojan virus mail is treated in a linkage way through the safety linkage equipment. Compared with the prior art that the Trojan virus mail needs to be detected manually, the Trojan virus mail is treated manually, and in the embodiment, when the Trojan virus mail is detected, the safety linkage equipment is determined according to the virus characteristic information corresponding to the Trojan virus mail, and then the Trojan virus mail is treated in a linkage way through the safety linkage equipment, so that the treatment efficiency of the Trojan virus mail is improved.
Referring to fig. 3, fig. 3 is a flowchart illustrating a second embodiment of a method for handling a mail based on a Trojan virus according to the present invention.
Based on the first embodiment, in this embodiment, the step S10 includes:
and step S101, when the Trojan virus mail is not intercepted, acquiring mail disposal information of the Trojan virus mail.
It can be understood that the Trojan virus mail is a mail carrying a Trojan virus; once the Trojan virus mail is opened by a user, the terminal is invaded by the Trojan virus, and the computer can then be controlled at will to perform illegal operations such as file deletion, copying, password changing and the like.
Further, in order to be able to rapidly process the Trojan virus mail, before the step of obtaining the mail handling information of the Trojan virus mail when the Trojan virus mail is not intercepted, mail alarm information needs to be obtained through a security detection device, then a Trojan virus event is determined according to the mail alarm information, then the Trojan virus event is analyzed to obtain Trojan virus infection information, and the Trojan virus mail is determined according to the Trojan virus infection information.
It should also be understood that the mail alarm information is virus alarm information generated by the security device, where the virus alarm information includes the discovery of a delivered Trojan virus event or the discovery of another delivered virus event.
In a specific implementation, when a Trojan virus event is found to be delivered, the Trojan virus event needs to be analyzed to obtain Trojan virus infection information, wherein the Trojan virus infection information comprises Trojan virus specific delivery modes, such as link delivery or mail delivery, and then Trojan virus mail or Trojan virus link and the like can be determined according to the Trojan virus infection information.
In this embodiment, the event of a Trojan virus mail being delivered is discovered through an alarm generated by the security device. The Trojan virus event is passed to a mail gateway, which can intercept the Trojan virus mail to obtain mail interception information; whether the mail interception information meets a preset interception condition is then judged. When the mail interception information does not meet the preset interception condition, it is judged that the Trojan virus mail has not been intercepted; when the mail interception information meets the preset interception condition, interception alarm information is generated according to the mail interception information and sent to the corresponding target management terminal.
It should be understood that the preset interception condition is that the Trojan virus mail is intercepted, and the mail interception information includes mail intercepted information, mail non-intercepted information, and the like. The target management terminal may be a terminal managed by a responsible person responsible for Trojan horse virus, or may be an associated terminal corresponding to target account information.
In a specific implementation, when the Trojan virus mail is not intercepted by the mail gateway, the mail handling information of the Trojan virus mail also needs to be acquired; the mail handling information may be state information of the Trojan virus mail, such as a mail received state or a mail not received state, and the like.
Step S102, judging whether the mail disposal information meets the preset mail receiving condition.
The preset mail receiving condition is that the user has received a Trojan virus mail, etc.
Step S103, when the mail disposal information meets the preset mail receiving condition, determining the target account information for receiving the Trojan horse virus mail.
The target account information of the Trojan virus mail is mailbox account information for receiving the Trojan virus mail, and the like.
In the embodiment, when the mail disposal information does not meet the preset mail receiving condition, the delivery account information of the Trojan virus mail is determined, the delivery account information is added to a mail blacklist, so that the mail interception equipment intercepts the mail sent by the delivery account information according to the mail blacklist, and when the mail disposal information meets the preset mail receiving condition, the target account information for receiving the Trojan virus mail is determined.
In a specific implementation, the event of a Trojan virus mail being delivered is discovered through the alarm generated by the security device. It is first judged whether the mail gateway has intercepted the mail; if so, no processing is needed. Otherwise, the relevant mailbox account is determined according to the alarm, the relevant Trojan virus mail is determined according to the alarm information, and it is determined whether the user has received the mail. If not, it is confirmed that the user has not been harmed, and the user is notified not to open the mail, and the like. If the user has received the mail, the user is asked whether it has been opened; if it has not been opened, the user is notified not to open it, and if it has been opened, the host processing flow is entered, which comprises isolating the host and notifying a technician to perform hands-on processing on the machine, delete the mail, remove the Trojan, restore services, and the like.
In this embodiment, when the Trojan virus mail is not intercepted, the mail handling information of the Trojan virus mail is first obtained, whether the mail handling information meets the preset mail receiving condition is judged, and when the mail handling information meets the preset mail receiving condition, the target account information for receiving the Trojan virus mail is determined.
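The decision flow of steps S101 to S103, from the gateway interception check through the received/opened questions to the host processing flow, written out as an added example; this is not code from the patent, and the alert record fields, the `Action` names and the sample alerts are constructed assumptions.

```python
"""Mail handling decision flow of the second embodiment (steps S101-S103).

Added example, not code from the patent. The alert record layout, the action
names and the sample alerts below are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALARM_MANAGEMENT = "send interception alarm to target management terminal"
    BLACKLIST_SENDER = "add delivery account to mail blacklist"
    NOTIFY_DO_NOT_OPEN = "notify recipient not to open the mail"
    HOST_HANDLING = "enter host handling flow (isolate host, hands-on cleanup)"


@dataclass(frozen=True)
class MailAlert:
    """Constructed alarm record for one Trojan virus mail."""
    sender: str        # delivery account information
    recipient: str     # target account information
    intercepted: bool  # mail interception information from the mail gateway
    received: bool     # mail handling information: mail received state
    opened: bool       # whether the user has opened the mail


def decide(alert: MailAlert) -> list:
    """Map one alert onto the actions the embodiment prescribes, in order."""
    # Preset interception condition met: alarm the management terminal, nothing else.
    if alert.intercepted:
        return [Action.ALARM_MANAGEMENT]
    # S101/S102: receiving condition not met -> blacklist the sender, warn the user.
    if not alert.received:
        return [Action.BLACKLIST_SENDER, Action.NOTIFY_DO_NOT_OPEN]
    # S103: target account determined; received but unopened -> user not yet harmed.
    if not alert.opened:
        return [Action.NOTIFY_DO_NOT_OPEN]
    # Received and opened -> the host processing flow takes over.
    return [Action.HOST_HANDLING]


def run_playbook(alerts):
    """Apply decide() to each alert and keep the side tables a SOC would keep."""
    state = {"blacklist": set(), "management_alarms": [],
             "hosts_to_handle": [], "actions": {}}
    for a in alerts:
        actions = decide(a)
        state["actions"][a.recipient] = actions
        if Action.ALARM_MANAGEMENT in actions:
            state["management_alarms"].append(f"{a.sender} -> {a.recipient} intercepted")
        if Action.BLACKLIST_SENDER in actions:
            state["blacklist"].add(a.sender)
        if Action.HOST_HANDLING in actions:
            state["hosts_to_handle"].append(a.recipient)
    return state


# Constructed sample alerts, one per branch of the flow.
SAMPLE_ALERTS = [
    MailAlert("mal@sender.invalid", "alice@corp.invalid", intercepted=True, received=False, opened=False),
    MailAlert("mal@sender.invalid", "bob@corp.invalid", intercepted=False, received=False, opened=False),
    MailAlert("mal2@sender.invalid", "carol@corp.invalid", intercepted=False, received=True, opened=False),
    MailAlert("mal2@sender.invalid", "dave@corp.invalid", intercepted=False, received=True, opened=True),
]

if __name__ == "__main__":
    for recipient, actions in run_playbook(SAMPLE_ALERTS)["actions"].items():
        print(recipient, [a.value for a in actions])
```

The ordering matters: the interception check comes first so that an intercepted mail never reaches the blacklist or host handling branches, and the "not received" branch both blacklists the delivery account (A6) and warns the user, since the account is still a live delivery path.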
Referring to fig. 4, fig. 4 is a flowchart of a third embodiment of a method for handling a mail based on a Trojan virus according to the present invention.
Based on the first embodiment, in this embodiment, after the step S40, the method further includes:
Step S401, determining domain name information and address information corresponding to the Trojan virus mail.
In this embodiment, virus sample information may be obtained by the intrusion detection system, and then the virus sample information is analyzed by the linked sandbox to obtain virus characteristic information, where the virus characteristic information includes Trojan horse virus information, related domain name or IP address, and the like.
Step S402, determining a preset virus blocking strategy according to the domain name information, the address information and the safety linkage equipment.
It should be further noted that the preset virus blocking policy may be user-defined, for example, the linked firewall blocks the related domain names and IPs.
Step S403, carrying out linkage treatment on the Trojan horse virus mail through the safety linkage equipment based on the preset virus blocking strategy.
It should be noted that, based on a preset virus blocking policy, the Trojan virus mail is subjected to linkage treatment through the safety linkage equipment, a Trojan virus log is generated according to the linkage treatment result of the Trojan virus mail, the collapse information of the terminal host is determined according to the Trojan virus log, the preset host treatment policy is determined according to the collapse information of the terminal host, and the terminal host is isolated according to the preset host treatment policy.
In a specific implementation, whether the terminal host has been compromised (collapsed) is analyzed according to the linkage treatment result of the Trojan virus mail together with traffic, alarms and terminal EDR logs. The host compromise analysis policy may be: the traffic contains communication with the domain name or IP identified in the sandbox analysis result; the terminal EDR generates other abnormal security operation alarms; the host behaviour is consistent with the sandbox virus analysis result; and the like. A preset host treatment policy is then determined according to the host compromise analysis result; the preset host treatment policy may be isolating the host and notifying a technician to perform hands-on processing on the machine, delete the mail, remove the Trojan, restore services, and the like. Finally, the terminal host is treated according to the preset host treatment policy, the intrusion cause is summarized in a post-incident review together with the deficiencies found in data/service recovery, and the overall security capability is improved according to the current situation.
In this embodiment, domain name information and address information corresponding to the Trojan virus mail are determined first, then a preset virus blocking policy is determined according to the domain name information, the address information and the safety linkage equipment, and finally linkage treatment is performed on the Trojan virus mail through the safety linkage equipment based on the preset virus blocking policy.
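Steps S401 to S403 and the host compromise analysis that follows them, carried through as an added example that is not code from the patent: the sandbox report layout, the grade-to-device mapping, the `key=value` log format and the constructed traffic and EDR lines are all assumptions. It builds the blocking policy from the domain/IP indicators, then runs the three compromise criteria (communication with the indicator domain/IP, other EDR alarms, behaviour consistent with the sandbox result) over sample logs and derives the host treatment policy.

```python
"""Third embodiment (S401-S403) plus host compromise analysis.

Added example, not code from the patent. Sandbox report fields, the
grade->device mapping and the constructed log lines are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sandbox result standing in for the virus characteristic information.
SANDBOX_REPORT = {
    "family": "example-trojan",          # placeholder family name
    "malicious": True,
    "grade": "high",                     # Trojan virus grade (A10)
    "domains": ["c2.example.invalid"],
    "ips": ["198.51.100.23"],
    # EDR event names the sandbox run exhibited (assumed naming).
    "behaviors": {"registry_run_key_added", "outbound_beacon"},
}

# Assumed grade -> safety linkage device mapping; the patent only names a firewall.
LINKAGE_DEVICES = {"high": ["firewall", "edr"], "medium": ["firewall"], "low": []}


def select_linkage_devices(report):
    """A10: non-malicious -> process ends; otherwise pick devices by grade."""
    if not report["malicious"]:
        return []
    return LINKAGE_DEVICES.get(report["grade"], ["firewall"])


def build_block_policy(report, devices):
    """S402: preset virus blocking policy as (device, action, target) rules."""
    rules = []
    for dev in devices:
        for domain in report["domains"]:
            rules.append((dev, "block_domain", domain.lower().rstrip(".")))
        for ip in report["ips"]:
            ipaddress.ip_address(ip)  # reject garbage before it becomes a firewall rule
            rules.append((dev, "block_ip", ip))
    return rules


KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv_lines(text):
    """Parse constructed 'key=value' log lines into dicts, skipping blank lines."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if line.strip()]


# Constructed traffic and EDR logs (three hosts; only two show indicators).
TRAFFIC_LOG = """
2023-06-30T08:01:02 src=10.0.0.15 dst=198.51.100.23 dport=443 proto=tcp
2023-06-30T08:01:05 src=10.0.0.15 dns=c2.example.invalid
2023-06-30T08:02:10 src=10.0.0.22 dst=203.0.113.9 dport=443 proto=tcp
"""
EDR_LOG = """
2023-06-30T08:01:01 host=10.0.0.15 event=registry_run_key_added proc=update.exe alarm=0
2023-06-30T08:03:00 host=10.0.0.22 event=process_start proc=outlook.exe alarm=0
2023-06-30T08:04:30 host=10.0.0.31 event=suspicious_script proc=powershell.exe alarm=1
"""


def analyze_compromise(report, traffic_log, edr_log):
    """Return {host: set(indicators)} using the three host compromise criteria."""
    indicators = defaultdict(set)
    bad_ips, bad_domains = set(report["ips"]), set(report["domains"])
    for rec in parse_kv_lines(traffic_log):
        if rec.get("dst") in bad_ips or rec.get("dns") in bad_domains:
            indicators[rec["src"]].add("c2_traffic")       # talks to indicator domain/IP
    for rec in parse_kv_lines(edr_log):
        if rec.get("alarm") == "1":
            indicators[rec["host"]].add("edr_alarm")       # other abnormal EDR alarm
        if rec.get("event") in report["behaviors"]:
            indicators[rec["host"]].add("behavior_match")  # consistent with sandbox
    return dict(indicators)


def host_treatment_policy(indicators):
    """Preset host treatment policy: any indicator -> isolate, else none."""
    return "isolate" if indicators else "none"


if __name__ == "__main__":
    devices = select_linkage_devices(SANDBOX_REPORT)
    for rule in build_block_policy(SANDBOX_REPORT, devices):
        print("rule:", rule)
    result = analyze_compromise(SANDBOX_REPORT, TRAFFIC_LOG, EDR_LOG)
    for host in ("10.0.0.15", "10.0.0.22", "10.0.0.31"):
        print(host, sorted(result.get(host, ())), host_treatment_policy(result.get(host, set())))
```

The rules list doubles as the Trojan virus log of the linkage treatment: each entry records which device was asked to block which indicator, which is what the later compromise analysis correlates against.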
Referring to fig. 5, fig. 5 is a block diagram showing the construction of a first embodiment of a Trojan virus-based mail handling apparatus according to the present invention.
As shown in fig. 5, a mail handling device based on Trojan horse virus according to an embodiment of the present invention includes:
the determining module 5001 is configured to determine, when the Trojan virus mail is not intercepted, target account information for receiving the Trojan virus mail.
It can be understood that the Trojan virus mail is a mail carrying a Trojan virus; once the Trojan virus mail is opened by a user, the terminal is invaded by the Trojan virus, and the computer can then be controlled at will to perform illegal operations such as file deletion, copying, password changing and the like.
The target account information of the Trojan virus mail is mailbox account information for receiving the Trojan virus mail, and the like.
Further, in order to accurately determine the Trojan virus mail, before the step of determining the target account information for receiving the Trojan virus mail, mail alarm information needs to be obtained through a safety detection device, a Trojan virus event is then determined according to the mail alarm information, the Trojan virus event is analyzed to obtain Trojan virus infection information, and the Trojan virus mail is determined according to the Trojan virus infection information.
It should also be understood that the mail alarm information is virus alarm information generated by the security device, where the virus alarm information includes the discovery of a delivered Trojan virus event or the discovery of another delivered virus event.
In a specific implementation, when a Trojan virus event is found to be delivered, the Trojan virus event needs to be analyzed to obtain Trojan virus infection information, wherein the Trojan virus infection information comprises Trojan virus specific delivery modes, such as link delivery or mail delivery, and then Trojan virus mail or Trojan virus link and the like can be determined according to the Trojan virus infection information.
In this embodiment, the event of a Trojan virus mail being delivered is discovered through an alarm generated by the security device. The Trojan virus event is passed to a mail gateway, which can intercept the Trojan virus mail to obtain mail interception information; whether the mail interception information meets a preset interception condition is then judged. When the mail interception information does not meet the preset interception condition, it is judged that the Trojan virus mail has not been intercepted; when the mail interception information meets the preset interception condition, interception alarm information is generated according to the mail interception information and sent to the corresponding target management terminal.
It should be understood that the preset interception condition is that the Trojan virus mail is intercepted, and the mail interception information includes mail intercepted information, mail non-intercepted information, and the like. The target management terminal may be a terminal managed by a responsible person responsible for Trojan horse virus, or may be an associated terminal corresponding to target account information.
In a specific implementation, when the Trojan virus mail is not intercepted by the mail gateway, mail handling information of the Trojan virus mail is needed, whether the mail handling information meets preset mail receiving conditions is judged, when the mail handling information does not meet the preset mail receiving conditions, delivery account information of the Trojan virus mail is determined, the delivery account information is added to a mail blacklist, so that mail interception equipment intercepts the mail sent by the delivery account information according to the mail blacklist, and when the mail handling information meets the preset mail receiving conditions, target account information for receiving the Trojan virus mail is determined.
It should be noted that the mail handling information may be status information of the current Trojan virus mail, such as a mail receiving status or a mail non-receiving status. The preset mail receiving condition is that the user has received Trojan horse virus mail, etc.
In this embodiment, the event of a Trojan virus mail being delivered is discovered through the alarm generated by the security device. It is first determined whether the mail gateway has intercepted the mail; if so, no processing is needed. Otherwise, the relevant mailbox account is determined according to the alarm, the relevant Trojan virus mail is determined according to the alarm information, and it is determined whether the user has received the mail. If not, it is confirmed that the user has not been harmed, and the user is notified not to open the mail, and the like. If the user has received the mail, the user is asked whether it has been opened; if it has not been opened, the user is notified not to open it, and if it has been opened, the host processing flow is entered, which comprises isolating the host and notifying a technician to perform hands-on processing on the machine, delete the mail, remove the Trojan, restore services, and the like.
And an acquisition module 5002, configured to acquire virus characteristic information of the Trojan horse virus mail according to the target account information.
Further, in order to accurately obtain virus characteristic information, the processing manner of obtaining virus characteristic information of the Trojan virus mail according to the target account information may be to extract virus sample information from the Trojan virus mail according to the target account information, and then analyze the virus sample information to obtain virus characteristic information of the Trojan virus mail.
It should also be appreciated that the virus sample information may be the part of the Trojan virus mail carrying the Trojan virus, and the virus characteristic information may be information related to the Trojan virus, such as whether the Trojan virus is malicious (toxic), the related domain name or IP address, and the like.
In a specific implementation, the step of analyzing the virus sample information to obtain virus characteristic information of the Trojan virus mail may be to obtain login terminal information corresponding to the target account information, and then determine a security detection device according to the login terminal information, and analyze the virus sample information through the security detection device to obtain the virus characteristic information of the Trojan virus mail.
The login terminal information is the terminal device which is logged in when the Trojan virus mail is currently received, and the security detection device is the security device which exists in the currently logged-in terminal device, such as an intrusion detection system or a sandbox device.
In this embodiment, virus sample information may be obtained by the intrusion detection system, and then the virus sample information is analyzed by the linked sandbox to obtain virus characteristic information, where the virus characteristic information includes Trojan horse virus information, related domain name or IP address, and the like.
The determining module 5001 is further configured to determine a safety linkage device according to the virus characteristic information.
Further, in order to improve the processing efficiency of the Trojan virus mail, the processing mode of determining the safety linkage equipment according to the virus characteristic information may be to analyze the virus characteristic information to obtain Trojan virus information, judge whether the Trojan virus information meets the preset virus condition, determine the Trojan virus grade according to the Trojan virus information when the Trojan virus information meets the preset virus condition, and then determine the safety linkage equipment according to the Trojan virus grade.
It should also be understood that the preset virus condition is that the Trojan virus mail is a malicious (toxic) mail, the Trojan virus information includes Trojan virus malicious information, Trojan virus non-malicious information and the like, and the safety linkage equipment may be security equipment such as a firewall.
In a specific implementation, if the Trojan virus mail is not malicious, the process ends; if the Trojan virus mail is malicious, the safety linkage equipment may be a firewall or the like.
And the processing module 5003 is used for carrying out linkage processing on the Trojan virus mail through the safety linkage equipment.
Further, in order to improve the treatment efficiency of the Trojan virus mail, the treatment mode of carrying out linkage treatment on the Trojan virus mail through the safety linkage equipment can be to determine domain name information and address information corresponding to the Trojan virus mail, then a preset virus blocking strategy is determined according to the domain name information, the address information and the safety linkage equipment, and linkage treatment is carried out on the Trojan virus mail through the safety linkage equipment based on the preset virus blocking strategy.
It should be further noted that the preset virus blocking policy may be user-defined, for example, the linked firewall blocks the related domain names and IPs.
In this embodiment, the Trojan virus mail is subjected to linkage treatment through the safety linkage equipment based on a preset virus blocking policy, a Trojan virus log is generated according to the linkage treatment result of the Trojan virus mail, the collapse information of the terminal host is determined according to the Trojan virus log, the preset host treatment policy is determined according to the collapse information of the terminal host, and the terminal host is isolated according to the preset host treatment policy.
In a specific implementation, whether the terminal host has been compromised (collapsed) is analyzed according to the linkage treatment result of the Trojan virus mail together with traffic, alarms and terminal EDR logs. The host compromise analysis policy may be: the traffic contains communication with the domain name or IP identified in the sandbox analysis result; the terminal EDR generates other abnormal security operation alarms; the host behaviour is consistent with the sandbox virus analysis result; and the like. A preset host treatment policy is then determined according to the host compromise analysis result; the preset host treatment policy may be isolating the host and notifying a technician to perform hands-on processing on the machine, delete the mail, remove the Trojan, restore services, and the like. Finally, the terminal host is treated according to the preset host treatment policy, the intrusion cause is summarized in a post-incident review together with the deficiencies found in data/service recovery, and the overall security capability is improved according to the current situation.
In this embodiment, when the Trojan virus mail is not intercepted, the target account information of the Trojan virus mail is determined, then the virus characteristic information of the Trojan virus mail is obtained according to the target account information, the safety linkage equipment is determined according to the virus characteristic information, and then the Trojan virus mail is treated in a linkage way through the safety linkage equipment. Compared with the prior art, in which the Trojan virus mail must be detected manually and then treated manually, in this embodiment, when a Trojan virus mail is detected, the safety linkage equipment is determined according to the virus characteristic information corresponding to the Trojan virus mail, and the Trojan virus mail is then treated in a linkage way through the safety linkage equipment, so that the treatment efficiency of the Trojan virus mail is improved.
Further, the Trojan virus-based mail handling device further comprises a judging module;
The judging module is used for acquiring mail handling information of the Trojan horse virus mail;
the judging module is further used for judging whether the mail handling information meets preset mail receiving conditions or not;
The judging module is further configured to execute the operation of determining the target account information for receiving the Trojan horse virus mail when the mail handling information meets the preset mail receiving condition.
Further, the obtaining module 5002 is further configured to extract virus sample information from the Trojan horse virus mail according to the target account information;
The obtaining module 5002 is further configured to analyze the virus sample information to obtain virus characteristic information of the Trojan horse virus mail.
Further, the determining module 5001 is further configured to analyze the virus characteristic information to obtain Trojan horse virus information;
the determining module 5001 is further configured to determine a safety linkage device according to the Trojan virus information.
Further, the processing module 5003 is further configured to determine domain name information and address information corresponding to the Trojan virus mail;
the processing module 5003 is further configured to determine a preset virus blocking policy according to the domain name information, the address information, and the security linkage device;
The processing module 5003 is further configured to perform linkage processing on the Trojan horse virus mail through the security linkage device based on the preset virus blocking policy.
Further, the processing module 5003 is further configured to generate a Trojan virus log according to a linked processing result of the Trojan virus mail;
The processing module 5003 is further configured to determine terminal host collapse information according to the Trojan horse virus log;
the processing module 5003 is further configured to determine a preset host handling policy according to the terminal host collapse information;
The processing module 5003 is further configured to perform isolation handling on the terminal host according to the preset host handling policy.
Other embodiments or specific implementation manners of the Trojan virus-based mail handling device of the present invention may refer to the above method embodiments, and will not be described herein.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. read-only memory/random-access memory, magnetic disk, optical disk), comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method according to the embodiments of the present invention.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.
The invention also discloses A1, a Trojan virus-based mail handling method, which comprises the following steps:
when the Trojan virus mail is not intercepted, determining target account information for receiving the Trojan virus mail;
Acquiring virus characteristic information of the Trojan horse virus mail according to the target account information;
determining safety linkage equipment according to the virus characteristic information;
And carrying out linkage treatment on the Trojan virus mail through the safety linkage equipment.
A2, the method of A1, before the step of determining the target account information for receiving the Trojan virus mail when the Trojan virus mail is not intercepted, further comprises:
mail alarm information is obtained through the safety detection equipment;
determining Trojan horse virus event according to the mail alarm information;
analyzing the Trojan horse virus event to obtain Trojan horse virus infection information;
And determining Trojan virus mails according to the Trojan virus infection information.
A3, the method of A2, after the step of determining Trojan virus mail according to the Trojan virus infection information, further comprises:
Intercepting the Trojan virus mail through mail gateway equipment to obtain mail interception information;
Judging whether the mail interception information meets a preset interception condition or not;
And when the mail interception information does not meet the preset interception condition, judging that the Trojan horse virus mail is not intercepted.
A4, after the step of determining whether the mail interception information meets the preset interception condition, the method as described in A3 further includes:
when the mail interception information meets the preset interception condition, generating interception alarm information according to the mail interception information;
and sending the interception alarm information to a corresponding target management terminal.
A5, the method of A1, before the step of determining the target account information for receiving the Trojan virus mail, further comprises:
Acquiring mail handling information of the Trojan horse virus mail;
judging whether the mail disposal information meets preset mail receiving conditions or not;
And executing the step of determining the target account information for receiving the Trojan horse virus mail when the mail handling information meets the preset mail receiving condition.
A6, after the step of determining whether the mail handling information meets the preset mail receiving condition, the method of A5 further includes:
When the mail handling information does not meet the preset mail receiving conditions, determining delivery account information of the Trojan horse virus mail;
and adding the delivery account information to a mail blacklist so that mail interception equipment intercepts mails sent by the delivery account information according to the mail blacklist.
A7, the method of A1, the step of obtaining the virus characteristic information of the Trojan horse virus mail according to the target account information, comprises the following steps:
extracting virus sample information from the Trojan horse virus mail according to the target account information;
and analyzing the virus sample information to obtain virus characteristic information of the Trojan horse virus mail.
A8, the method of A7, the step of analyzing the virus sample information to obtain the virus characteristic information of the Trojan horse virus mail, includes:
Acquiring login terminal information corresponding to the target account information;
Determining a security detection device according to the login terminal information;
And analyzing the virus sample information through the safety detection equipment to obtain the virus characteristic information of the Trojan horse virus mail.
A9, the method of any of A1-A8, the step of determining the safety linkage equipment according to the virus characteristic information, comprises:
analyzing the virus characteristic information to obtain Trojan horse virus information;
And determining safety linkage equipment according to the Trojan horse virus information.
A10, the method of A9, the step of determining the safety linkage equipment according to the Trojan horse virus information, comprises the following steps:
Judging whether the Trojan horse virus information meets a preset virus condition or not;
When the Trojan horse virus information meets the preset virus conditions, determining Trojan horse virus grade according to the Trojan horse virus information;
and determining the safety linkage equipment according to the Trojan horse virus grade.
A11, the method of any of A1-A8, wherein the step of performing linkage treatment on the Trojan virus mail through the safety linkage device comprises the following steps:
determining domain name information and address information corresponding to the Trojan virus mail;
Determining a preset virus blocking strategy according to the domain name information, the address information and the safety linkage equipment;
and carrying out linkage treatment on the Trojan horse virus mail through the safety linkage equipment based on the preset virus blocking strategy.
A12, after the step of performing linkage treatment on the Trojan virus mail through the safety linkage equipment based on the preset virus blocking policy, the method of A11 further includes:
generating a Trojan virus log according to the linkage treatment result of the Trojan virus mail;
Determining the collapse information of the terminal host according to the Trojan virus log;
determining a preset host disposal strategy according to the terminal host collapse information;
And carrying out isolation treatment on the terminal host according to the preset host treatment strategy.
The invention also discloses B13, a Trojan virus-based mail handling device, which comprises:
The determining module is used for determining target account information for receiving the Trojan virus mail when the Trojan virus mail is not intercepted;
The acquisition module is used for acquiring virus characteristic information of the Trojan horse virus mail according to the target account information;
the determining module is further used for determining safety linkage equipment according to the virus characteristic information;
And the disposal module is used for carrying out linkage disposal on the Trojan horse virus mail through the safety linkage equipment.
B14, the device of B13, the Trojan virus-based mail handling device further comprising a determination module;
The judging module is used for acquiring mail handling information of the Trojan horse virus mail;
the judging module is further used for judging whether the mail handling information meets preset mail receiving conditions or not;
The judging module is further configured to execute the operation of determining to receive the target account information of the Trojan horse virus mail when the mail handling information meets the preset mail receiving condition.
B15, the device of B13, the said acquisition module, is used for also extracting the virus sample information from said Trojan horse virus mail according to the said goal account information;
The acquisition module is also used for analyzing the virus sample information to obtain the virus characteristic information of the Trojan horse virus mail.
B16, the device of any one of B13-B15, the said determination module, is used for analyzing the said virus characteristic information, obtain the Trojan horse virus information;
the determining module is further used for determining the safety linkage equipment according to the Trojan horse virus information.
B17, the device of any one of B13-B15, the handling module is further configured to determine domain name information and address information corresponding to the Trojan virus mail;
The disposal module is further used for determining a preset virus blocking policy according to the domain name information, the address information and the safety linkage equipment;
the processing module is further configured to perform linkage processing on the Trojan horse virus mail through the security linkage device based on the preset virus blocking policy.
B18, the device of B17, the said treatment module, is used for also producing the Trojan virus log according to the linkage treatment result of the said Trojan virus mail;
the disposal module is further used for determining the collapse information of the terminal host according to the Trojan virus log;
the disposal module is further configured to determine a preset host disposal policy according to the terminal host collapse information;
and the disposal module is further used for carrying out isolation disposal on the terminal host according to the preset host disposal policy.
The invention also discloses C19, a Trojan virus-based mail handling device, which comprises a memory, a processor and a Trojan virus-based mail handling program stored on the memory and capable of running on the processor, wherein the Trojan virus-based mail handling program is configured with steps for realizing the Trojan virus-based mail handling method.
The invention also discloses D20, a storage medium, wherein the storage medium stores a Trojan virus-based mail handling program, and the Trojan virus-based mail handling program realizes the steps of the Trojan virus-based mail handling method when being executed by a processor.

Claims (10)

1. A Trojan virus-based mail handling method, characterized in that the Trojan virus-based mail handling method comprises the following steps:
when a Trojan virus mail is not intercepted, determining target account information of the account receiving the Trojan virus mail;
obtaining virus feature information of the Trojan virus mail according to the target account information;
determining a security linkage device according to the virus feature information;
performing linkage handling on the Trojan virus mail through the security linkage device.

2. The method according to claim 1, characterized in that, before the step of determining the target account information of the account receiving the Trojan virus mail, the method further comprises:
obtaining mail handling information of the Trojan virus mail;
judging whether the mail handling information meets a preset mail receiving condition;
when the mail handling information meets the preset mail receiving condition, executing the step of determining the target account information of the account receiving the Trojan virus mail.

3. The method according to claim 2, characterized in that, after the step of judging whether the mail handling information meets the preset mail receiving condition, the method further comprises:
when the mail handling information does not meet the preset mail receiving condition, determining delivery account information of the Trojan virus mail;
adding the delivery account information to a mail blacklist, so that a mail interception device intercepts mails sent from the delivery account according to the mail blacklist.

4. The method according to claim 1, characterized in that the step of obtaining the virus feature information of the Trojan virus mail according to the target account information comprises:
extracting virus sample information from the Trojan virus mail according to the target account information;
analyzing the virus sample information to obtain the virus feature information of the Trojan virus mail.

5. The method according to any one of claims 1 to 4, characterized in that the step of determining the security linkage device according to the virus feature information comprises:
analyzing the virus feature information to obtain Trojan virus information;
determining the security linkage device according to the Trojan virus information.

6. The method according to claim 5, characterized in that the step of determining the security linkage device according to the Trojan virus information comprises:
judging whether the Trojan virus information meets a preset virus condition;
when the Trojan virus information meets the preset virus condition, determining a Trojan virus grade according to the Trojan virus information;
determining the security linkage device according to the Trojan virus grade.

7. The method according to any one of claims 1 to 4, characterized in that the step of performing linkage handling on the Trojan virus mail through the security linkage device comprises:
determining domain name information and address information corresponding to the Trojan virus mail;
determining a preset virus blocking policy according to the domain name information, the address information and the security linkage device;
performing linkage handling on the Trojan virus mail through the security linkage device based on the preset virus blocking policy.

8. A Trojan virus-based mail handling device, characterized in that the Trojan virus-based mail handling device comprises:
a determining module, configured to determine target account information of the account receiving the Trojan virus mail when the Trojan virus mail is not intercepted;
an acquisition module, configured to obtain virus feature information of the Trojan virus mail according to the target account information;
the determining module being further configured to determine a security linkage device according to the virus feature information;
a disposal module, configured to perform linkage handling on the Trojan virus mail through the security linkage device.

9. Trojan virus-based mail handling equipment, characterized in that the Trojan virus-based mail handling equipment comprises a memory, a processor and a Trojan virus-based mail handling program stored in the memory and runnable on the processor, the Trojan virus-based mail handling program being configured with steps for implementing the Trojan virus-based mail handling method according to any one of claims 1 to 7.

10. A storage medium, characterized in that a Trojan virus-based mail handling program is stored on the storage medium, and when the Trojan virus-based mail handling program is executed by a processor, the steps of the Trojan virus-based mail handling method according to any one of claims 1 to 7 are implemented.
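Claims 5 to 7 and items A11 and A12 above describe one flow: grade the virus feature, pick the security linkage device by grade, derive a blocking policy from the sender's domain and address, and isolate any compromised host. The script below is an added example, not code from the patent or its applicant; the sample mail, the threat-intelligence table, the grade-to-device mapping and the endpoint telemetry are all constructed assumptions.

```python
# Added example (not code from the patent or its applicant): a minimal
# orchestration of the claimed flow for a Trojan mail that was delivered
# rather than intercepted. Mail, threat-intel table and telemetry are constructed.
import hashlib
import re
from email import message_from_string

SAMPLE_MAIL = """Received: from mx.bad.test ([203.0.113.7]) by mail.corp.test
From: billing@bad.test
To: alice@corp.test
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: application/octet-stream; name="invoice.exe"
Content-Transfer-Encoding: 8bit

MZ-fake-trojan
--b--
"""
# Constructed "Trojan virus information": sample hash -> (family, grade 1..3).
VIRUS_INFO = {hashlib.sha256(b"MZ-fake-trojan").hexdigest(): ("FakeRAT", 3)}
# Preset virus condition: grade >= 2; the grade then picks the linkage devices.
DEVICES_BY_GRADE = {2: ["mail_gateway"], 3: ["mail_gateway", "firewall", "edr"]}
# Constructed endpoint telemetry: host -> set of sample hashes it executed.
TELEMETRY = {"pc-alice": set(VIRUS_INFO), "pc-bob": set()}


def analyze(raw):
    """Target account, sender domain, delivering IP and virus feature (sha256)."""
    msg = message_from_string(raw)
    ip = re.search(r"\[(\d+(?:\.\d+){3})\]", msg["Received"]).group(1)
    sample = next(p.get_payload(decode=True) for p in msg.walk() if p.get_filename())
    return {"account": msg["To"], "domain": msg["From"].rsplit("@", 1)[1],
            "ip": ip, "feature": hashlib.sha256(sample).hexdigest()}


def select_devices(feature):
    """Grade the sample; below the preset condition no device is engaged."""
    _family, grade = VIRUS_INFO.get(feature, ("unknown", 0))
    return grade, DEVICES_BY_GRADE.get(grade, [])


def block_policy(domain, ip, devices):
    """Preset blocking rule per linkage device, derived from domain and address."""
    rules = {"mail_gateway": f"reject sender-domain {domain}",
             "firewall": f"deny any -> {ip}",
             "edr": "block execution of the sample hash"}
    return {d: rules[d] for d in devices}


def handle(raw):
    """Run the flow and return the Trojan virus log, including hosts to isolate."""
    info = analyze(raw)
    grade, devices = select_devices(info["feature"])
    log = dict(info, grade=grade,
               policy=block_policy(info["domain"], info["ip"], devices))
    # Host disposal: any host seen executing the sample is isolated.
    log["isolated"] = sorted(h for h, seen in TELEMETRY.items() if info["feature"] in seen)
    return log
```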

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310791195.5A CN119232406A (en) 2023-06-29 2023-06-29 Mail processing method, device, equipment and storage medium based on Trojan virus

Publications (1)

Publication Number Publication Date
CN119232406A true CN119232406A (en) 2024-12-31

Family

ID=93945713

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310791195.5A Pending CN119232406A (en) 2023-06-29 2023-06-29 Mail processing method, device, equipment and storage medium based on Trojan virus

Country Status (1)

Country Link
CN (1) CN119232406A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020147780A1 (en) * 2001-04-09 2002-10-10 Liu James Y. Method and system for scanning electronic mail to detect and eliminate computer viruses using a group of email-scanning servers and a recipient's email gateway
CN101546367A (en) * 2009-05-04 2009-09-30 电子科技大学 Method for comprehensive detection of network trojans with warning function and functional module architecture device
CN101552779A (en) * 2009-05-04 2009-10-07 电子科技大学 Composite inspecting method and functional module configuring device of Trojan Horse
CN103118036A (en) * 2013-03-07 2013-05-22 上海电机学院 Cloud end based intelligent security protection system and method
CN108600252A (en) * 2018-04-28 2018-09-28 丙申南京网络技术有限公司 A kind of Network anti-virus system
CN113132305A (en) * 2019-12-31 2021-07-16 苏州三六零智能安全科技有限公司 Mail threat detection method, device, computing equipment and computer storage medium
CN115208699A (en) * 2022-09-15 2022-10-18 南京怡晟安全技术研究院有限公司 Safety arrangement and automatic response method
CN115695031A (en) * 2022-11-07 2023-02-03 北京安博通科技股份有限公司 Host computer sink-loss detection method, device and equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination