Scanning device, cloud management device, method and system for checking and killing malicious programs

US 20150317479A1
Filed: 11/29/2013
Published: 11/05/2015
Est. Priority Date: 11/30/2012
Status: Active Grant

First Claim

Patent Images

1. A scanning device for checking and killing a malicious program comprising:

a first transmission interface configured to transmit information to a server-side device and receive information transmitted by the server-side device;

an environment information reader configured to read current system environment information of a client device and transmit it to the server-side device via the first transmission interface;

a first scanner configured to obtain via the first transmission interface a first scanning content indication judged by the server-side device at least based on the system environment information, scan a specified position in the first scanning content indication, and at least transmit feature data of an unknown program file obtained by scanning to the server-side device via the first transmission interface; and

a second scanner configured to obtain via the first transmission interface a second scanning content indication transmitted by the server-side device, the second scanning content indication comprising scanning a specified attribute of the unknown program file and/or a specified attribute of the contextual environment of the unknown program file, and scan according to the second scanning content indication.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention discloses a scanning device, a cloud management device, a method and system for checking and killing a malicious program. Therein, a cloud management device for checking and killing a malicious program comprises: a second transmission interface; a first indicator configured to generate a first scanning content indication according to characteristics of a newborn malicious program and system environment information transmitted by a client device; a first matcher configured to obtain via the second transmission interface feature data of the unknown program file transmitted by the client device, and hereby perform matching in known records of feature data of malicious programs; and a second indicator configured to generate a second scanning content indication when the first matcher fails to match to a known record, the second scanning content indication comprising scanning a specified attribute of the unknown program file and/or a specified attribute of the contextual environment of the unknown program file, and transmit the same to the client device through the second transmission interface.

Citations

22 Claims

1. A scanning device for checking and killing a malicious program comprising:
- a first transmission interface configured to transmit information to a server-side device and receive information transmitted by the server-side device;
  
  an environment information reader configured to read current system environment information of a client device and transmit it to the server-side device via the first transmission interface;
  
  a first scanner configured to obtain via the first transmission interface a first scanning content indication judged by the server-side device at least based on the system environment information, scan a specified position in the first scanning content indication, and at least transmit feature data of an unknown program file obtained by scanning to the server-side device via the first transmission interface; and
  
  a second scanner configured to obtain via the first transmission interface a second scanning content indication transmitted by the server-side device, the second scanning content indication comprising scanning a specified attribute of the unknown program file and/or a specified attribute of the contextual environment of the unknown program file, and scan according to the second scanning content indication.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The scanning device as claimed in claim 1, wherein the second scanner is further configured to transmit via the first transmission interface the scanning result after scanning according to the second scanning content indication to the server-side device;
    - andthe scanning device further comprises;
      
      a first fixer configured to obtain via the first transmission interface a fixing logic determined by the server-side device based on the scanning result provided by the second scanner, and perform a fixing processing for the unknown program file according to the fixing logic.
  - 3. The scanning device as claimed in claim 1, further comprising:
    - a second fixer configured to obtain via the first transmission interface a fixing logic from the server-side device related to the second scanning content indication and transmitted together with the second scanning content indication, and perform a fixing processing for the unknown program file when the scanning result of the second scanner meets the fixing logic.
  - 4. The scanning device as claimed in claim 2, wherein the fixing processing comprises one or more of the following processing ways:
    - deleting a specified registry key and/or key value, modifying a registry key and/or key value as specified content, deleting a specified system service item, and fixing/deleting a specified program file.
  - 5. The scanning device as claimed in claim 1, wherein the system environment information comprises one or more of the following:
    - the version information of an operating system, system patch installation information, software installation information, driver installation information, information on a process and service running in the system.
  - 6. The scanning device as claimed in claim 1, whereinthe feature data of the program file comprises one or more of the following:
    - the data obtained employing a specific algorithm for all or part of the key content of the unknown program file and the file name; and
      
      the specified attribute of the unknown program file comprises one or more of the following;
      
      feature data, file size, security level, signature information and version information.
  - 7. The scanning device as claimed in claim 1, wherein the attribute of the contextual environment of the unknown program file comprises one or more of the following:
    - information on a directory where the unknown program file is located, information on a startup position in a registry, attribute information of other file under the same directory as the program file or a specified directory, and the running state of a specified process.

8. A cloud management device for checking and killing a malicious program comprising:
- a second transmission interface configured to transmit information to a client device and receive information transmitted by the client device;
  
  a first indicator configured to generate a first scanning content indication according to characteristics of a newborn malicious program and system environment information transmitted by the client device, the first scanning content indication at least comprising scanning content at a specified position and notifying scanned feature data of an unknown program file, and transmit the first scanning content indication to the client device via the second transmission interface;
  
  a first matcher configured to obtain via the second transmission interface feature data of the unknown program file transmitted by the client device, and hereby perform matching in known records of feature data of malicious programs; and
  
  a second indicator configured to generate a second scanning content indication when the first matcher fails to match to a known record, the second scanning content indication comprising scanning a specified attribute of the unknown program file and/or a specified attribute of the contextual environment of the unknown program file, and transmit the second scanning content indication to the client device via the second transmission interface.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The cloud management device as claimed in claim 8, whereinthe second indicator is further configured to obtain via the second transmission interface the scanning result obtained by the client device after scanning according to the second scanning content indication, judge hereby whether the unknown program file is a malicious program and transmit the judgment result to the client device via the second transmission interface;
    - orthe second indicator is further configured to transmit a judgment logic related to the second scanning content indication together to the client device via the second transmission interface, wherein the judgment logic is a logic for judging whether the unknown program file is a malicious program.
  - 10. The cloud management device as claimed in claim 9, whereinthe second indicator is further configured to perform matching in a known database for checking and killing malicious programs according to the scanning result obtained by the client device after scanning according to the second scanning content indication, and if a fixing logic matching the scanning result is found, transmit it to the client device via the second transmission interface;
    - or,the second indicator is further configured to perform matching in a known database for checking and killing malicious programs according to the second scanning content indication, and transmit a matched fixing logic related to the second scanning content indication together with the second scanning content indication to the client device via the second transmission interface.
  - 11. The cloud management device as claimed in claim 8, wherein the characteristics of a newborn malicious program comprise:
    - feature information in which the newborn malicious program utilizes a specific position to hide and/or attack.
  - 12. The cloud management device as claimed in claim 8, wherein the first scanning content indication is an indication with a condition attached, and the condition comprises one or more of the following:
    - whether a specified file exists, whether a specified directory exists, whether an attribute of a program file meets a specified condition, whether a specified registry key exists, whether a specified registry key value exists, whether content of a registry key meets a specified condition, whether content of a registry key value meets a specified condition, whether a specified process exists, and whether a specified service exists.
  - 13. The cloud management device as claimed in claim 8, wherein the fixing logic comprises one or more of the following logics:
    - deleting a specified registry key and/or key value, modifying a registry key and/or key value as specified content, deleting a specified system service item, and fixing/deleting a specified program file.
  - 14. The cloud management device as claimed in claim 8, whereinthe feature data of the unknown program file comprises one or more of the following:
    - the data obtained employing a specific algorithm for all or part of the key content of the unknown program file and the file name; and
      
      the specified attribute of the unknown program file comprises one or more of the following;
      
      feature data, file size, signature information and version information.
  - 15. The cloud management device as claimed in claim 8, wherein the attribute of the contextual environment of the unknown program file comprises one or more of the following:
    - information on a directory where the unknown program file is located, security level information, information on a startup position in a registry, attribute information of other file under the same directory as the program file or a specified directory, and the running state of a specified process.

16. (canceled)

17. A scanning method for checking and killing a malicious program comprising:
- reading current system environment information of a client device, and transmitting it to a server-side device;
  
  obtaining a first scanning content indication judged by the server-side device based on the system environment information, scanning a specified position in the first scanning content indication, and transmitting at least feature data of an unknown program file obtained by scanning to the server-side device; and
  
  obtaining a second scanning content indication transmitted by the server-side device, the second scanning content indication comprising scanning a specified attribute of the unknown program file and/or a specified attribute of the contextual environment of the unknown program file, and scanning according to the second scanning content indication.
- View Dependent Claims (18)
- - 18. The scanning method as claimed in claim 17, further comprising:
    - transmitting the scanning result after scanning according to the second scanning content indication to the server-side device;
      
      obtaining the judgment result of whether the unknown program file is a malicious program determined by the server-side device based on the scanning result, and performing a corresponding processing according to the judgment result;
      
      orobtaining a judgment logic related to the second scanning content indication notified by the server-side device, determining whether the unknown program file is a malicious program according to the scanning result after scanning according to the second scanning content indication and the judgment logic, and performing a corresponding processing.

19. (canceled)

20. (canceled)

21. (canceled)

22. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Beijing Qihu Technology Co. Ltd. (360 Security Technology, Inc.)
Original Assignee
Beijing Qihu Technology Co. Ltd. (360 Security Technology, Inc.), Qizhi Software (Beijing) Company Limited (360 Security Technology, Inc.)
Inventors
Zhang, Bo, Yao, Tong, Jiang, Aijun, Liu, Zhifeng, Kong, Qinglong

Granted Patent

US 9,830,452 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 2221/033   Test or assess software

H04L 63/145   the attack involving the pr...

Scanning device, cloud management device, method and system for checking and killing malicious programs

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Scanning device, cloud management device, method and system for checking and killing malicious programs

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links