Detecting malicious files
Abstract
Detecting malicious files is disclosed, including: receiving a file checking task, wherein the file checking task comprises a storage address of a candidate file and basic information associated with executing the candidate file; sending the file checking task to a detection device, wherein the file checking task causes the detection device to: use the storage address to acquire the candidate file from a file server; execute the candidate file based at least in part on the basic information associated with the candidate file; monitor the execution of the candidate file; and generate a monitored action record corresponding to the execution of the candidate file; and receiving the monitored action record from the detection device; determining a set of actions included in the monitored action record that matches one or more action types included in a preset malicious action set; and determining whether the candidate file is a malicious file based at least in part on the determined set of actions.
15 Claims
1. A method, comprising:
receiving a candidate file from a client;
obtaining basic information associated with the candidate file by analyzing the candidate file;
encrypting the candidate file;
storing the basic information associated with the candidate file in a database and storing the encrypted candidate file on a file server;
receiving a file checking task, wherein the file checking task comprises a storage address of the candidate file and the basic information associated with executing the candidate file;
sending the file checking task to a detection device, wherein the file checking task causes the detection device to:
use the storage address to acquire the candidate file from the file server;
execute the candidate file based at least in part on the basic information associated with the candidate file;
monitor the execution of the candidate file; and
generate a monitored action record corresponding to the execution of the candidate file;
receiving the monitored action record from the detection device, wherein the monitored action record comprises an action associated with one or more of the following: a file creation function, a file deletion function, an information changing function, a registration table creation function, and a registration table value setting function;
determining a set of actions included in the monitored action record that matches one or more action types included in a preset malicious action set; and
determining whether the candidate file is a malicious file based at least in part on the determined set of actions.
Dependent claims: 2, 3, 4, 5.
6. A computer program product, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
receiving a candidate file from a client;
obtaining basic information associated with the candidate file by analyzing the candidate file;
encrypting the candidate file;
storing the basic information associated with the candidate file in a database and storing the encrypted candidate file on a file server;
receiving a file checking task, wherein the file checking task comprises at least a storage address of the candidate file and the basic information associated with executing the candidate file;
sending the file checking task to a detection device, wherein the file checking task causes the detection device to:
use the storage address to acquire the candidate file from the file server;
execute the candidate file based at least in part on the basic information associated with the candidate file;
monitor the execution of the candidate file; and
generate a monitored action record corresponding to the execution of the candidate file;
receiving the monitored action record from the detection device, wherein the monitored action record comprises an action associated with one or more of the following: a file creation function, a file deletion function, an information changing function, a registration table creation function, and a registration table value setting function;
determining a set of actions included in the monitored action record that matches one or more action types included in a preset malicious action set; and
determining whether the candidate file is a malicious file based at least in part on the determined set of actions.
Dependent claims: 7, 8, 9, 10.
11. A method, comprising:
receiving a candidate file from a client;
obtaining basic information associated with the candidate file by analyzing the candidate file;
encrypting the candidate file;
storing the basic information associated with the candidate file in a database and storing the encrypted candidate file on a file server;
receiving a file checking task from a file checking device, wherein the file checking task comprises at least a storage address of the candidate file and the basic information associated with executing the candidate file;
obtaining the candidate file using the storage address associated with the candidate file;
executing the candidate file based at least in part on the basic information associated with executing the candidate file;
generating a monitored action record based at least in part on monitoring the execution of the candidate file, wherein the monitored action record comprises an action associated with one or more of the following: a file creation function, a file deletion function, an information changing function, a registration table creation function, and a registration table value setting function; and
sending the monitored action record to the file checking device, wherein receipt of the monitored action record causes the file checking device to:
determine a set of actions included in the monitored action record that matches one or more action types included in a preset malicious action set; and
determine whether the candidate file is a malicious file based at least in part on the determined set of actions.
Dependent claims: 12, 13, 14, 15.
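The checking-side half of the procedure the three independent claims describe (derive basic information from the candidate, build the file checking task, parse the monitored action record the detection device returns, match it against a preset malicious action set, and decide), as an added Python example. It is not code from the patent, its assignee, or any product; the sandbox that executes and monitors the file is out of scope and is stood in for by constructed records. The record format (one JSON object per line), the rule set, weights, threshold, the storage-address layout and both sample records are assumptions made for the example. "Registration table" in the claims is the Windows registry.

```python
from __future__ import annotations

import hashlib
import json
import os
from dataclasses import dataclass

# The five action types the claims enumerate ("registration table" is the Windows registry).
FILE_CREATE = "file_create"
FILE_DELETE = "file_delete"
INFO_CHANGE = "info_change"
REG_KEY_CREATE = "reg_key_create"
REG_VALUE_SET = "reg_value_set"

@dataclass(frozen=True)
class Action:
    """One line of a monitored action record: what the sample did, and to what."""
    kind: str
    target: str

@dataclass(frozen=True)
class MaliciousPattern:
    """One entry of the preset malicious action set (assumed format, not the patent's)."""
    name: str
    kind: str
    target_substring: str  # compared case-insensitively against Action.target
    weight: int

    def matches(self, action: Action) -> bool:
        return action.kind == self.kind and self.target_substring in action.target.lower()

def basic_information(name: str, data: bytes) -> dict:
    """Obtained by analyzing the file content, as the claims require: the detection
    device launches by detected type (not by the client-supplied name, which is
    untrusted) and can verify the bytes it fetches from the storage address by hash."""
    return {"name": name, "extension": os.path.splitext(name)[1].lower(),
            "type": "pe" if data.startswith(b"MZ") else "unknown",
            "size": len(data), "sha256": hashlib.sha256(data).hexdigest()}

def build_file_checking_task(info: dict, storage_address: str) -> dict:
    """The file checking task sent to the detection device: address plus basic information."""
    return {"storage_address": storage_address, "basic_information": info}

def preset_malicious_action_set(info: dict) -> list[MaliciousPattern]:
    """Constructed rules for this example; a production set is larger and tuned per site."""
    return [
        MaliciousPattern("run-key persistence", REG_VALUE_SET, "\\currentversion\\run", 3),
        MaliciousPattern("startup-folder drop", FILE_CREATE, "\\programs\\startup\\", 3),
        MaliciousPattern("system32 drop", FILE_CREATE, "\\windows\\system32\\", 2),
        MaliciousPattern("self-deletion", FILE_DELETE, info["name"].lower(), 2),
        MaliciousPattern("hosts-file tampering", INFO_CHANGE, "\\drivers\\etc\\hosts", 2),
        MaliciousPattern("service key creation", REG_KEY_CREATE, "\\services\\", 1),
    ]

def parse_monitored_action_record(text: str) -> list[Action]:
    """One JSON object per line from the detection device. Malformed lines are dropped,
    not trusted: the record comes from a host that has just run untrusted code."""
    actions = []
    for line in text.splitlines():
        try:
            obj = json.loads(line)
            actions.append(Action(str(obj["kind"]), str(obj["target"])))
        except (ValueError, KeyError, TypeError):
            continue
    return actions

def match_actions(actions: list[Action], patterns: list[MaliciousPattern]) -> list[tuple]:
    """Claim step: the subset of recorded actions that match the preset malicious set."""
    return [(p, a) for a in actions for p in patterns if p.matches(a)]

def is_malicious(matches: list[tuple], threshold: int = 3) -> bool:
    """Claim step: verdict from the matched set. A weighted sum rather than 'any match',
    so a single registry write does not by itself convict an ordinary installer."""
    return sum(p.weight for p, _ in matches) >= threshold

def evaluate(task: dict, record_text: str) -> tuple[list[str], bool]:
    """Matched rule names and verdict for one record returned for a task."""
    actions = parse_monitored_action_record(record_text)
    matched = match_actions(actions, preset_malicious_action_set(task["basic_information"]))
    return sorted({p.name for p, _ in matched}), is_malicious(matched)

# Constructed samples: the record of a fake dropper and of a benign document viewer.
SAMPLE_INFO = basic_information("invoice.exe", b"MZ\x90\x00" + b"\x00" * 60)
SAMPLE_TASK = build_file_checking_task(SAMPLE_INFO, "files/" + SAMPLE_INFO["sha256"] + ".enc")
DROPPER_RECORD = "\n".join(json.dumps(x) for x in [
    {"kind": FILE_CREATE, "target": r"C:\Users\Public\AppData\Local\Temp\setup.tmp"},
    {"kind": FILE_CREATE, "target": r"C:\Windows\System32\svchosts.exe"},
    {"kind": REG_VALUE_SET, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchosts"},
    {"kind": REG_KEY_CREATE, "target": r"HKLM\SYSTEM\CurrentControlSet\Services\svchosts"},
    {"kind": FILE_DELETE, "target": r"C:\Users\Public\invoice.exe"},
]) + "\nagent: heartbeat ok\n"  # sandbox-agent noise line; the parser drops it
BENIGN_RECORD = "\n".join(json.dumps(x) for x in [
    {"kind": FILE_CREATE, "target": r"C:\Users\Public\Documents\invoice.pdf"},
    {"kind": REG_VALUE_SET, "target": r"HKCU\Software\ExampleVendor\Viewer\LastOpened"},
])

if __name__ == "__main__":
    print(evaluate(SAMPLE_TASK, DROPPER_RECORD))  # (['run-key persistence', ...], True)
    print(evaluate(SAMPLE_TASK, BENIGN_RECORD))   # ([], False)
```

Two caveats the claims leave to the implementer. First, the verdict is only as good as the record: a sample that fingerprints the sandbox and idles, or that never launches because the detection device chose the wrong loader, produces an empty record and is classified benign by this logic, so an empty or truncated record should be treated as "inconclusive", not "clean". Second, substring matching on normalized paths is deliberately simple here; a real preset set needs exact key names, sequence and timing (self-deletion after a persistence write is far more telling than either alone), and regular re-tuning against false positives from installers and updaters.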
Specification