DETECTING MALICIOUS FILES
First Claim
1. A method, comprising:
receiving a file checking task, wherein the file checking task comprises a storage address of a candidate file and basic information associated with executing the candidate file;
sending the file checking task to a detection device, wherein the file checking task causes the detection device to:
    use the storage address to acquire the candidate file from a file server;
    execute the candidate file based at least in part on the basic information associated with the candidate file;
    monitor the execution of the candidate file; and
    generate a monitored action record corresponding to the execution of the candidate file;
receiving the monitored action record from the detection device;
determining a set of actions included in the monitored action record that matches one or more action types included in a preset malicious action set; and
determining whether the candidate file is a malicious file based at least in part on the determined set of actions.
1 Assignment
0 Petitions
Abstract
Detecting malicious files is disclosed, including: receiving a file checking task, wherein the file checking task comprises a storage address of a candidate file and basic information associated with executing the candidate file; sending the file checking task to a detection device, wherein the file checking task causes the detection device to: use the storage address to acquire the candidate file from a file server; execute the candidate file based at least in part on the basic information associated with the candidate file; monitor the execution of the candidate file; and generate a monitored action record corresponding to the execution of the candidate file; and receiving the monitored action record from the detection device; determining a set of actions included in the monitored action record that matches one or more action types included in a preset malicious action set; and determining whether the candidate file is a malicious file based at least in part on the determined set of actions.
28 Citations
20 Claims
1. A method, comprising:
receiving a file checking task, wherein the file checking task comprises a storage address of a candidate file and basic information associated with executing the candidate file;
sending the file checking task to a detection device, wherein the file checking task causes the detection device to:
    use the storage address to acquire the candidate file from a file server;
    execute the candidate file based at least in part on the basic information associated with the candidate file;
    monitor the execution of the candidate file; and
    generate a monitored action record corresponding to the execution of the candidate file;
receiving the monitored action record from the detection device;
determining a set of actions included in the monitored action record that matches one or more action types included in a preset malicious action set; and
determining whether the candidate file is a malicious file based at least in part on the determined set of actions.
Dependent claims: 2, 3, 4, 5, 6, 7

8. A computer program product, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
receiving a file checking task, wherein the file checking task comprises at least a storage address of a candidate file and basic information associated with executing the candidate file;
sending the file checking task to a detection device, wherein the file checking task causes the detection device to:
    use the storage address to acquire the candidate file from a file server;
    execute the candidate file based at least in part on the basic information associated with the candidate file;
    monitor the execution of the candidate file; and
    generate a monitored action record corresponding to the execution of the candidate file;
receiving the monitored action record from the detection device;
determining a set of actions included in the monitored action record that matches one or more action types included in a preset malicious action set; and
determining whether the candidate file is a malicious file based at least in part on the determined set of actions.
Dependent claims: 9, 10, 11, 12, 13, 14

15. A method, comprising:
receiving a file checking task from a file checking device, wherein the file checking task comprises at least a storage address of a candidate file and basic information associated with executing the candidate file;
obtaining the candidate file using the storage address associated with the candidate file;
executing the candidate file based at least in part on the basic information associated with executing the candidate file;
generating a monitored action record based at least in part on monitoring the execution of the candidate file; and
sending the candidate file to the file checking device, wherein receipt of the candidate file causes the file checking device to:
    determine a determined set of actions included in the monitored action record that matches one or more action types included in a preset malicious action set; and
    determine whether the candidate file is a malicious file based at least in part on the determined set of actions.
Dependent claims: 16, 17, 18, 19, 20
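As an added worked example (not code from the patent, its assignee, or any product), the two-device split of claims 1 and 15 modeled in Python: a file checking device dispatches a task carrying a storage address and basic execution information, a detection device obtains the candidate from the file server, "executes" it and returns a monitored action record, and the checking device matches that record against a preset malicious action set and decides. Everything concrete here is an assumption constructed for the example: the class and function names, the action vocabulary and its weights, the decision threshold, the file server contents, and the monitored traces, which stand in for what a real sandbox monitor would observe. The hash pin in the task is a practitioner addition the claims do not mention.

```python
"""Toy model of the file checking device / detection device pipeline in claims 1 and 15.
Added illustration; names, weights, vocabulary and traces are assumptions, and sandbox
execution is replaced by constructed traces so the example runs offline."""
import hashlib
from dataclasses import dataclass

# Preset malicious action set: action type -> weight. Assumed vocabulary; the claims only
# speak of "one or more action types included in a preset malicious action set".
MALICIOUS_ACTION_SET = {
    "registry_autorun_write": 4,   # persistence via a Run key
    "process_inject": 5,           # code injection into another process
    "shadow_copy_delete": 5,       # ransomware-style recovery sabotage
    "net_connect_raw_ip": 2,       # beaconing to a bare IP, weak evidence on its own
    "self_copy_to_system_dir": 3,
}
VERDICT_THRESHOLD = 5  # assumed: summed weight at which the candidate is called malicious


@dataclass(frozen=True)
class FileCheckingTask:
    storage_address: str   # where the detection device fetches the candidate file
    basic_info: dict       # how to execute it: file type, args, expected sha256, ...


# Constructed stand-in for the file server, keyed by storage address.
FILE_SERVER = {
    "files/sample_a.exe": b"MZ constructed payload A",
    "files/sample_b.exe": b"MZ constructed payload B",
}

# Constructed stand-in for what a sandbox monitor would record while running each sample.
SIMULATED_TRACES = {
    "files/sample_a.exe": [
        {"type": "file_read", "target": r"C:\Users\u\doc.txt"},
        {"type": "registry_autorun_write", "target": r"HKCU\...\CurrentVersion\Run\upd"},
        {"type": "net_connect_raw_ip", "target": "203.0.113.7:4444"},
        {"type": "shadow_copy_delete", "target": "vssadmin delete shadows /all /quiet"},
    ],
    "files/sample_b.exe": [
        {"type": "file_read", "target": r"C:\config.ini"},
        {"type": "net_connect_raw_ip", "target": "198.51.100.2:443"},
    ],
}


def make_task(storage_address, **basic_info):
    """Submitter side: build a task that pins the expected hash of the candidate file."""
    data = FILE_SERVER[storage_address]
    basic_info.setdefault("sha256", hashlib.sha256(data).hexdigest())
    return FileCheckingTask(storage_address, basic_info)


class DetectionDevice:
    """Claim 15 side: obtain the file, execute under basic_info, monitor, return the record."""

    def run(self, task):
        data = FILE_SERVER.get(task.storage_address)
        if data is None:
            raise FileNotFoundError(task.storage_address)
        # Practitioner caveat (assumed, not in the claims): bind the fetched bytes to the
        # submitted task so a file swapped on the server is not checked in its place.
        actual = hashlib.sha256(data).hexdigest()
        expected = task.basic_info.get("sha256")
        if expected is not None and expected != actual:
            raise ValueError(f"hash mismatch for {task.storage_address}")
        # A real device would run the file in an isolated sandbox using the file type and
        # arguments from basic_info; the monitored actions here are the constructed traces.
        actions = SIMULATED_TRACES.get(task.storage_address, [])
        return {"storage_address": task.storage_address, "sha256": actual,
                "exec_params": dict(task.basic_info), "actions": list(actions)}


class FileCheckingDevice:
    """Claim 1 side: dispatch the task, match the record against the preset set, decide."""

    def __init__(self, detector, malicious_set=None, threshold=VERDICT_THRESHOLD):
        self.detector = detector
        self.malicious_set = dict(MALICIOUS_ACTION_SET if malicious_set is None else malicious_set)
        self.threshold = threshold

    def match_actions(self, record):
        """The 'determined set of actions': monitored actions whose type is in the preset set."""
        return [a for a in record["actions"] if a["type"] in self.malicious_set]

    def score(self, matched):
        return sum(self.malicious_set[a["type"]] for a in matched)

    def check(self, task):
        record = self.detector.run(task)          # "sending the file checking task"
        matched = self.match_actions(record)
        total = self.score(matched)
        return {"sha256": record["sha256"], "score": total,
                "matched_types": [a["type"] for a in matched],
                "malicious": total >= self.threshold}


if __name__ == "__main__":
    checker = FileCheckingDevice(DetectionDevice())
    for addr in FILE_SERVER:
        print(addr, checker.check(make_task(addr, file_type="pe", args=[])))
```

Sample A writes a Run key, beacons to a bare IP and deletes shadow copies, so its matched set crosses the threshold; sample B makes a single outbound connection, which alone does not, which is why the verdict is taken over the determined set of actions rather than on any single match. The hash check closes the window between the task being submitted and the detection device fetching the file.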
Specification