CN103136477B - The scan method of paper sample and system - Google Patents

Abstract

The invention discloses a method and system for scanning file samples. The method includes: for gray file samples in file samples, selecting gray file samples to be scanned from stored gray file samples according to a preset strategy; The update record of the authenticator and/or the scan record of the authenticator select an authenticator for scanning the gray file sample; scan the gray file sample to be scanned using the selected authenticator, and store the scanning result for when the query file sample is received When requesting whether it is safe or not, the scan result is returned; the gray file sample is a file sample with unknown security. The present invention can save the resource of scanning equipment, accelerate scanning efficiency and improve scanning speed.

Description

Method and system for scanning document samples

technical field

The invention relates to the field of computer network security, in particular to a method and system for scanning file samples.

Background technique

In the field of network security, it is usually necessary to scan and kill virus files. Virus file is an umbrella term for any application file that is intentionally created to perform unauthorized and often harmful actions. For example, including: computer viruses, backdoor programs, keyloggers, password stealers, Word and Excel macro viruses, boot sector viruses, script viruses, Trojan horses, etc.

In the prior art, the method adopted for scanning and killing virus files mainly depends on the signature database mode. The signature library is composed of signature codes of virus file samples collected by the manufacturer, and the signature code is the difference between the virus file and the legitimate file that the analysis engineer finds, and intercepts a piece of file code similar to "keyword". The code is a feature code. During the killing process, the engine will read the file and match it with all the signatures in the signature library. If the file code is found to be hit, it can be determined that the file is a virus file.

However, with the increase in the number of virus files, the current number of virus files is increasing geometrically. Based on this explosive growth rate, the generation and update of the signature database often lag behind. In many cases, the independent anti-virus engine of the terminal cannot detect and kill unknown virus files.

Therefore, active defense methods have been produced in the prior art. In the active defense method, based on independent analysis and judgment of file behavior, real-time scanning and killing is carried out. Instead of using signature codes as the basis for judging virus files, starting from the original definition of files, file behavior is directly used as the basis for judging virus files. Among them, the behavior of using signature database locally, setting behavior thresholds locally, and local heuristic antivirus methods to identify and intercept virus files is derived, so as to achieve the purpose of protecting terminals to a certain extent.

However, the above-mentioned local active defense method also has problems to be solved. First of all, local active defense is easy to prevent virus files from killing. For example, by packing virus files, you can avoid the signature database anti-kill mode of local active defense; by targeting virus behaviors, reducing or replacing related behaviors performed by virus files, Thereby avoiding triggering the activation upper limit of the behavior threshold anti-killing mode. In addition, the local active defense also needs to rely on the timely update of the local database. If the database is not updated in time, virus files will not be found.

Based on the above problems, there is also a cloud-based active defense method in the prior art, which does not depend on the local database, and the analysis and comparison operation of the active defense is completed on the server side.

However, for the active defense method of cloud security, the file samples to be checked and killed usually involve hundreds of millions of levels. Because each identifier that scans and kills file samples will have a signature library set by a dedicated analyst, the file samples that have been checked and killed may be missed or falsely reported. The signature library is constantly being upgraded, so file samples Doing a repeat scan can make up for previous false negatives and fix previous false positives. If all file samples are scanned each time a scan is performed, a large amount of resources on the server side will be consumed.

Contents of the invention

In view of the above problems, the present invention proposes a method and system for scanning file samples, so as to overcome the problem of consuming too many resources when scanning files.

According to one aspect of the present invention, a scanning method of a document sample is provided, the method comprising:

For the gray file samples in the file samples, the gray file samples to be scanned are selected from the stored gray file samples according to a preset strategy;

Selecting an authenticator for scanning the gray file sample according to the update record of each authenticator and/or the scanning record of the authenticator;

Use the selected identifier to scan the gray file sample to be scanned, and store the scanning result, so that when a request is received to inquire whether the file sample is safe, the scanning result is returned;

The gray file samples are file samples with unknown security.

Wherein, the selection of the gray file samples to be scanned from the stored gray file samples according to the preset strategy specifically includes:

The false negative rate of the gray file sample is obtained according to the attributes of the gray file sample, and the gray file sample to be scanned is selected from the stored gray file samples according to the false negative rate.

Wherein, the method also includes:

For a dangerous file sample in the file sample, determine an identifier that reports the dangerous file sample as a virus file, and the dangerous file sample is a file sample that is reported as a virus file by the identifier;

Use the identifier that reports the dangerous file sample as a virus file to re-scan the dangerous file sample, and if the scanning result shows that the dangerous file sample is no longer a virus file, then determine that the dangerous file sample is a file sample that has been falsely reported as a virus file, and the Dangerous file samples are removed from false positives.

Wherein, after determining the identifier that reports the dangerous file sample as a virus file, it also includes:

According to the identified identifiers, the false alarm rate of the dangerous file sample is obtained, and the corresponding relationship between the number of identifiers and the false alarm rate is established;

Select the dangerous file samples to be scanned from the stored dangerous file samples according to the false positive rate;

The re-scanning of the dangerous file sample using the identifier that reports the dangerous file sample as a virus file specifically includes:

For each dangerous file sample to be scanned, the dangerous file sample is rescanned using an identifier that reported the dangerous file sample as a virus file.

Wherein, the method also includes:

When receiving a request to inquire whether a file sample is safe, record the received request in a log;

According to the records in the log, the file samples whose query times are greater than the preset popularity threshold within the preset time are extracted, and the extracted file samples are active file samples.

Wherein, the underreporting rate of the gray file sample obtained according to the attributes of the gray file sample specifically includes:

Extract the gray file sample from the active file sample, and obtain the false negative rate of the gray file sample according to the attributes of the extracted gray file sample;

The gray file samples to be scanned are selected from the stored gray file samples according to the false negative rate and specifically include:

From the extracted gray file samples, a gray file sample with a false negative rate greater than a preset false negative rate threshold is selected, and the selected gray file sample is used as a gray file sample to be scanned.

Wherein, the identifier for determining to report a dangerous file sample as a virus file specifically includes:

Extracting dangerous file samples from active file samples, and determining that the extracted dangerous file samples are an identifier for virus files;

The selection of the dangerous file samples to be scanned from the stored dangerous file samples according to the false alarm rate specifically includes:

A dangerous file sample with a false positive rate greater than a preset false positive rate threshold is selected from the extracted dangerous file samples, and the selected dangerous file sample is used as a dangerous file sample to be scanned.

Wherein, the underreporting rate of the gray file sample obtained according to the attributes of the gray file sample specifically includes:

According to the statistics of the characteristics of the virus file and the attributes of the gray file sample, the probability that the gray file sample may be a virus file is calculated, and this probability is used as a parameter for calculating the false negative rate of the gray file sample .

Wherein, according to the statistical results obtained by performing statistics on the characteristics of virus files, and the attributes of gray file samples, calculating the probability that the gray file samples may be virus files specifically includes:

Calculate the probability that the gray file sample may be a virus file according to the statistical results obtained by counting the size of the virus file and the size of the gray file sample;

and / or,

Calculate the probability that the gray file sample may be a virus file according to the statistical results obtained by counting the path of the virus file and the path of the gray file sample;

and / or,

According to the list of dangerous operation behaviors obtained by counting the operation behaviors of virus files and the operation behaviors of gray file samples, the probability that the gray file samples may be virus files is calculated.

Wherein, the said identifier selected for scanning the gray file sample according to the scanning records of each identifier specifically includes:

For each identifier and each gray file sample to be scanned, calculate the scanning interval of the gray file sample corresponding to the identifier according to the number of times the identifier scans the gray file sample;

Select the identifier used to scan gray file samples based on the scan interval.

Wherein, the selection of the identifier for scanning the gray file sample according to the update record of each identifier specifically includes:

Selects from each authenticator the one that has been updated since the last scan based on the update record.

Wherein, before the false negative rate of the gray file sample is obtained according to the attribute of the gray file sample, it also includes:

Determine whether the first discovery time of the gray file sample is earlier than the preset time threshold, if yes, detect that the false negative rate of the gray file sample is 0, if not, then perform the gray file sample according to the attributes of the gray file sample to obtain gray The operation of the false negative rate of the file sample.

According to another aspect of the present invention, the present invention discloses a system for scanning file samples, said system comprising: a sample storage device, an anti-virus engine, a scan scheduling device, and a sample scanning device including multiple identifiers;

The sample storage device is suitable for storing document samples;

The scanning scheduling device is adapted to select the gray file samples to be scanned from the gray file samples stored in the sample storage device according to a preset strategy for the gray file samples in the file samples, and select the gray file samples to be scanned according to the update records of each identifier and/or the authenticator's scan records to select the authenticator used to scan the gray file sample;

The sample scanning device is adapted to acquire gray file samples to be scanned from the sample storage device, use the identifier selected by the scan scheduling device to scan the obtained gray file samples to be scanned, and store the scanning results in the scanning engine;

The killing engine is suitable for storing the scan results of the sample files, and returns the scan results when receiving a request to inquire whether the file samples are safe;

The gray file samples are file samples with unknown security.

Wherein, the scanning scheduling device is specifically adapted to obtain the false negative rate of the gray document sample according to the attribute of the gray document sample, and select the gray document sample to be scanned from the stored gray document samples according to the false positive rate.

Wherein, the scan scheduling device is further adapted to, for a dangerous file sample in the file sample, determine an identifier that reports the dangerous file sample as a virus file, and the dangerous file sample is a file sample that is reported as a virus file by the identifier;

The sample scanning device is further adapted to obtain a dangerous file sample from the sample storage device, and use the identifier determined by the scan scheduling device to re-scan the obtained dangerous file sample, if the scanning result is that the dangerous file sample is no longer a virus file, then it is determined that the dangerous file sample is a file sample that is falsely reported as a virus file, and the false positive operation is performed on the dangerous file sample.

Wherein, the scanning scheduling device is also suitable for determining the false alarm rate of the dangerous file sample according to the identified identifier after determining the identifier that reports the dangerous file sample as a virus file, and establishing the correspondence between the number of identifiers and the false alarm rate. According to the false alarm rate, the dangerous file samples to be scanned are selected from the dangerous file samples stored in the sample storage device;

The sample scanning device is specifically adapted to, for each dangerous file sample to be scanned, re-scan the dangerous file sample using an identifier that reports the dangerous file sample as a virus file.

Wherein, the killing engine is also suitable for recording the received request in a log when receiving a request to inquire whether the file sample is safe;

The scanning scheduling device is further adapted to extract file samples whose query times are greater than a preset popularity threshold within a preset time according to the records in the log, and the extracted file samples are active file samples.

Wherein, the scanning scheduling device is specifically adapted to extract gray file samples from active file samples, obtain the false negative rate of the gray file sample according to the attributes of the extracted gray file samples, and obtain the false positive rate from the extracted gray file sample according to the obtained false negative rate. From the gray file samples, a gray file sample with a false negative rate greater than a preset false negative rate threshold is selected, and the selected gray file sample is the gray file sample to be scanned.

Wherein, the scan scheduling device is specifically suitable for extracting dangerous file samples from active file samples, determining the identifier that reports the extracted dangerous file sample as a virus file, and obtaining a false positive of the extracted dangerous file sample according to the identified identifier According to the false positive rate, the dangerous document samples whose false positive rate is greater than the preset false positive rate threshold are selected from the extracted dangerous document samples, and the selected dangerous document samples are the dangerous document samples to be scanned.

Wherein, the scanning scheduling device is specifically adapted to calculate the probability that the gray file sample may be a virus file according to the statistical results obtained by statistically analyzing the characteristics of the virus file and the attributes of the gray file sample, and the probability is A parameter to calculate the false negative rate of the gray file sample.

Wherein, the scanning scheduling device is specifically adapted to calculate the probability that the gray file sample may be a virus file according to the statistical result obtained by counting the size of the virus file and the size of the gray file sample;

and / or,

Calculate the probability that the gray file sample may be a virus file according to the statistical results obtained by counting the path of the virus file and the path of the gray file sample;

and / or,

According to the list of dangerous operation behaviors obtained by counting the operation behaviors of virus files and the operation behaviors of gray file samples, the probability that the gray file samples may be virus files is calculated.

Wherein, the scan scheduling device is specifically adapted to, for each identifier and each gray file sample to be scanned, calculate the number of scans of the gray file sample corresponding to the identifier according to the number of times the identifier scans the gray file sample. Interval, select the identifier used to scan gray file samples according to the scanning interval.

Wherein, the scanning scheduling device is specifically adapted to select an authenticator that has been updated after the last scan from various authenticators according to the update record.

Wherein, the scanning scheduling device is also adapted to determine whether the first discovery time of the gray file sample is earlier than the preset time threshold before obtaining the false negative rate of the gray file sample according to the attributes of the gray file sample, and if so, then If it is detected that the false negative rate of the gray file sample is 0, if not, the operation of obtaining the false negative rate of the gray file sample according to the attributes of the gray file sample is performed.

According to the technical scheme of file sample scanning of the present invention, when scanning the gray file samples in the file samples, the gray file samples to be scanned are selected from the stored gray file samples according to the preset strategy; Record and/or the scan record of the authenticator to select an authenticator for scanning the gray file sample; use the selected authenticator to scan the gray file sample to be scanned, and store the scanning result, so that when a request to inquire about the security of the file sample is received , return the scan result.

Because, when scanning the gray file sample, the gray file sample is selected according to the preset strategy, and the authenticator is selected according to the update record of the authenticator and/or the scanning record of the authenticator, so it can be ensured that the At the same time, the workload of scanning is reduced, which solves the problem of large resource consumption due to the need to scan all file samples during scanning, saves the resources of scanning devices, speeds up scanning efficiency, and provides scanning Beneficial effect of speed.

The above description is only an overview of the technical solution of the present invention. In order to better understand the technical means of the present invention, it can be implemented according to the contents of the description, and in order to make the above and other purposes, features and advantages of the present invention more obvious and understandable , the specific embodiments of the present invention are enumerated below.

Description of drawings

Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiment. The drawings are only for the purpose of illustrating a preferred embodiment and are not to be considered as limiting the invention. Also throughout the drawings, the same reference numerals are used to designate the same parts. In the attached picture:

Fig. 1 shows the structural diagram of the scanning system of the document sample according to one embodiment of the present invention;

Fig. 2 shows the flowchart of the scanning method of file sample according to an embodiment of the present invention;

Fig. 3 shows the flowchart of selecting gray file samples according to the false negative rate according to one embodiment of the present invention;

FIG. 4 shows a flow chart of scanning dangerous file samples in a file sample scanning method according to an embodiment of the present invention;

FIG. 5 shows a flow chart of scanning a gray file sample in a method for scanning a file sample according to an embodiment of the present invention;

Fig. 6 shows a flow chart of scanning dangerous file samples in the method for scanning file samples according to an embodiment of the present invention.

Detailed ways

Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited by the embodiments set forth herein. Rather, these embodiments are provided for more thorough understanding of the present disclosure and to fully convey the scope of the present disclosure to those skilled in the art.

Referring to FIG. 1 , it shows a system for scanning document samples according to an embodiment of the present invention. The system includes: a sample storage device 100, an antivirus engine 200, a scan scheduling device 300, and a sample scanning device 400 including multiple identifiers. In the system, each device in the system may be located in the same physical device, or it may be that each device in the system is located in different physical devices.

The sample storage device 100 is suitable for storing file samples.

The scan scheduling device 300 is adapted to select the gray file samples to be scanned from the gray file samples stored in the sample storage device 100 according to a preset policy for the gray file samples in the file samples, and according to the update records of each identifier and/or or Authenticator's Scan Record Select the authenticator used to scan the gray file sample. Among them, the identifier can be an antivirus application used to detect the security of file samples, such as bitdefender (Bitdefender, an antivirus application from Romania), an antivirus application provided by QVM (Qihoo Support Vector Machine), and cloud antivirus engine etc. Gray file samples are file samples with unknown security.

Specifically, the scan scheduling device 300 obtains the false negative rate of the gray document sample according to the attribute of the gray document sample, and selects the gray document sample to be scanned from the stored gray document samples according to the false positive rate.

For example, the scan scheduling device 300 calculates the probability that the gray file sample may be a virus file according to the statistical results obtained by statistically counting the characteristics of the virus file and the attributes of the gray file sample, and uses the probability as the basis for calculating the gray file sample. A parameter of the false negative rate of the document sample.

For example, the scan scheduling apparatus 300 makes statistics on the size, path, and/or behavior of virus files, and obtains the probability that the file sample may be a virus file according to the statistical results.

The scanning scheduling apparatus 300 calculates the probability that the gray file sample may be a virus file according to the statistical result obtained by counting the size of the virus file and the size of the gray file sample.

Usually virus files are for spreading, so virus files are relatively small. Statistics on virus files, for example, using Hadoop (a distributed computing platform) to make statistics, obtain a relationship curve between file size and reported virus rate, and obtain the probability that a gray file sample may be a virus file according to the curve.

If only the probability based on the size of the gray file sample is used as the parameter for calculating the false negative rate, then this probability is used as the false negative rate, and the gray file samples whose false negative rate is greater than the preset false negative rate threshold are selected as the ones to be scanned. Gray file sample. For example, the false negative rate threshold is 0.001%, and the virus reporting rate of file samples with a file size of more than 10M is 0.001%, then the gray file samples smaller than 10M are selected as the gray file samples to be scanned.

The scanning scheduling apparatus 300 calculates the probability that the gray file sample may be a virus file according to the statistical result obtained by counting the path of the virus file and the path of the gray file sample.

Through offline statistics of the path of virus files, for example, using hadoop (a distributed computing platform) for statistics, a relationship curve between the file path and the reported virus rate can be obtained, and the gray file sample may be a virus file according to the curve probability.

If only the probability obtained based on the gray file sample path is used as the parameter for calculating the false negative rate, then this probability is used as the false negative rate, and the gray file samples whose false negative rate is greater than the preset false negative rate threshold are selected as the ones to be scanned. Gray file sample.

The scan scheduling device 300 calculates the probability that the gray file sample may be a virus file according to the list of dangerous operation behaviors obtained by counting the operation behaviors of the virus files and the operation behaviors of the gray file samples.

The list of dangerous operational behaviors may include one or more of the following operational behaviors:

Write to the registry for automatic loading;

Modify the registry;

Modify system files;

Modify the specified application file;

Perform inter-process injection;

end process;

Modify the content of web pages in your browser; and

Record keystrokes.

According to the number of dangerous operation behaviors triggered by the gray file sample, the probability that the gray file sample may be a virus file is calculated. The more dangerous operations are triggered, the higher the probability that the gray file sample may be a virus file. For example, the number of dangerous operation behaviors triggered by the gray file samples is obtained, and the number is divided by the total number of dangerous operation behaviors in the list of dangerous operation behaviors to obtain the probability that the gray file samples may be virus files.

If only the probability obtained based on the number of dangerous operation behaviors triggered by gray file samples is used as the parameter for calculating the false negative rate, then this probability is used as the false negative rate, and gray files with a false negative rate greater than the preset false negative rate threshold are selected The sample is a gray file sample to be scanned.

If the multiple probabilities obtained above are used as parameters for calculating the false negative rate, you can set a weight value corresponding to each parameter, and calculate the false positive rate of the gray file sample by summing the weighted parameters.

Wherein, when selecting an authenticator, an authenticator for scanning the gray file sample may be selected according to the scanning records of each authenticator.

For each identifier and each gray file sample to be scanned, the scan scheduling device 300 calculates the scanning interval of the gray file sample corresponding to the identifier according to the number of times the identifier scans the gray file sample, and selects the scanning interval according to the scanning interval. Authenticator for scanning gray file samples. Wherein, the more times of scanning, the longer the scanning interval. For example, the scan interval is calculated using the formula T=(logN)×1.5+1. N is the number of times a certain identifier scans a gray file sample, and T is the scanning interval of the gray file sample corresponding to the identifier.

Wherein, when selecting an authenticator, an authenticator for scanning gray file samples may be selected according to update records of each authenticator. The scan scheduling device 300 selects an identifier that has been updated after the last scan from each identifier according to the update record.

It is also possible to select an authenticator for scanning the gray file sample according to the update record of each authenticator and the scanning record of the authenticator. For example, select the identifiers that have been updated since the last scan, and then select identifiers from the selected identifiers by the scan interval.

The sample scanning device 400 is adapted to obtain gray file samples to be scanned from the sample storage device 100 , use the identifier selected by the scan scheduling device 300 to scan the acquired gray file samples to be scanned, and store the scanning results in the antivirus engine 200 .

The antivirus engine 200 is adapted to store the scanning results of the sample files, and return the scanning results when receiving a request to inquire whether the file samples are safe.

This embodiment reduces the workload of scanning while ensuring to make up for missed reports, thereby solving the problem that all file samples need to be scanned during scanning, resulting in a large amount of resource consumption, and saving the resources of scanning devices. Accelerates the scanning speed, providing the beneficial effect of scanning efficiency.

In a preferred embodiment, the scan scheduling device 300 is also adapted to determine whether the first discovery time of the gray file sample is earlier than the preset time threshold before obtaining the false negative rate of the gray file sample according to the attributes of the gray file sample value, if yes, then detect that the false negative rate of the gray file sample is 0, if not, then perform the above-mentioned operation of obtaining the false negative rate of the gray file sample according to the attributes of the gray file sample.

Because, the earlier the gray file sample is discovered, the less likely it will be missed. When the first discovery time is earlier than the preset time threshold, the gray file sample is no longer scanned, thereby further reducing unnecessary scanning operations, saving resources used for scanning file samples, and improving scanning efficiency.

In another embodiment of the present invention, dangerous file samples in the file samples are scanned. Dangerous file samples are file samples that are reported by the identifier as virus files. For the dangerous file sample, use the identifier that reports it as a virus file to scan the dangerous file sample, if after scanning, these identifiers all determine that the dangerous file sample is not a virus file, then remove the error for the dangerous file sample report operation. The specific technical solution of this embodiment is as follows.

The sample storage device 100 is suitable for storing file samples.

The scan scheduling device 300 is further adapted to determine, for the dangerous file samples in the file samples, an identifier that reports the dangerous file samples as virus files.

The sample scanning device 400 is further adapted to obtain a dangerous file sample from the sample storage device 100, and use the identifier determined by the scan scheduling device 300 to re-scan the obtained dangerous file sample, and if the scanning result shows that the dangerous file sample is no longer a virus file, then It is determined that the dangerous file sample is a file sample that has been falsely reported, and an operation of removing false positives is performed on the dangerous file sample.

Wherein, the false positive removal operation may be to delete the record that the file sample is a virus file, or to update the record of the file sample from a dangerous file sample to a gray file sample or a white file sample. White file samples are file samples that are determined to be harmless.

The antivirus engine 200 is adapted to store the scanning results of the sample files, and return the scanning results when receiving a request to inquire whether the file samples are safe.

Through this embodiment, for a dangerous file sample, only the identifier that reports it as a virus file is used to scan the dangerous file sample, thereby ensuring correction of false positives while reducing scanning operations and improving scanning efficiency.

Further, the false positive rate of the dangerous file samples is calculated, and the dangerous file samples to be scanned are selected according to the false positive rate. This further reduces the number of dangerous file samples scanned.

After the scan scheduling device 300 determines the identifier that reports the dangerous file sample as a virus file, it obtains the false alarm rate of the dangerous file sample according to the determined identifier, and establishes a corresponding relationship between the number of identifiers and the false positive rate. The greater the number of identified identifiers, the lower the false positive rate for the dangerous file sample.

The scanning scheduling device 300 also selects the dangerous file samples to be scanned from the dangerous file samples stored in the sample storage device 100 according to the false positive rate.

For example, for an identifier that reports a dangerous file sample as a virus file, you can set the accuracy rate corresponding to the dangerous file for each identifier, add the accuracy rates to get the sum value, and subtract the sum value from 1 to get the error rate of the dangerous file sample. positive rate, and select dangerous file samples whose false positive rate is greater than the preset false positive rate threshold as the dangerous file samples to be scanned.

When setting the accuracy rate corresponding to the dangerous file, if the analyst sets it as a virus file, directly set the accuracy rate to 1. For each authenticator, the accuracy rate is set according to the trust degree of the authenticator and the number of times the authenticator scans dangerous files, and the higher the number of scans, the higher the accuracy rate. For example, if the degree of trust in antivirus engine A is high, then after the number of scans by antivirus engine A is greater than the scanning threshold, it is determined that the accuracy rate of antivirus engine A corresponding to the dangerous file is 1.

Thus, the dangerous file samples are selected according to the false alarm rate, which further reduces unnecessary scanning operations, saves resources used for scanning file samples, and improves scanning efficiency.

Further, for the determined identifier reporting that the dangerous file sample is a virus file, an identifier for scanning the dangerous file sample is selected according to the update record of the identifier and/or the scanning record of the identifier.

Among the identifiers that determine the dangerous file sample as a virus file, an identifier for scanning the dangerous file sample may be selected according to the scanning records of each identifier.

For each determined identifier and each dangerous file sample to be scanned, the scan scheduling device 300 calculates the scan interval of the dangerous file sample corresponding to the identifier according to the number of times the identifier scans the dangerous file sample, and according to the scan interval Choose an identifier to scan for risky file samples. Wherein, the more times of scanning, the longer the scanning interval. For example, the scan interval is calculated using the formula T=(logN)×1.5+1. N is the number of times a certain identifier scans a certain dangerous file sample, and T is the scanning interval of the dangerous file sample corresponding to the identifier.

Wherein, among the identifiers that determine the dangerous file sample as a virus file, an identifier for scanning the dangerous file sample may be selected according to update records of each identifier. The scan scheduling apparatus 300 selects an identifier that has been updated after the last scan from the identifiers according to the update record.

Alternatively, the authenticator used to scan the dangerous file sample may be selected according to the update record of each authenticator and the scanning record of the authenticator. For example, among the identifiers that determine a dangerous file sample as a virus file, first select an identifier that has been updated after the last scan, and then select an identifier according to the scan interval from the selected identifiers.

Therefore, selecting an authenticator according to the update record of the authenticator and/or the scanning record of the authenticator further reduces unnecessary scanning operations, saves resources used for scanning file samples, and improves scanning efficiency.

In another embodiment of the present invention, the query popularity of file samples is counted, and file samples are selected from active file samples with high popularity, further reducing the number of file samples to be scanned, and improving scanning efficiency.

The antivirus engine 200 is further adapted to record the received request in a log when receiving a request to inquire whether the file sample is safe.

The scanning scheduling device 300 is further adapted to extract file samples whose query times are greater than a preset popularity threshold within a preset time according to the records in the log, and the extracted file samples are active file samples. Active file samples refer to file samples with high popularity and the query frequency is greater than the preset threshold value.

Thus, when the gray file samples are scanned, the scan scheduling device 300 extracts the gray file samples from the active file samples, and obtains the false negative rate of the gray file samples according to the attributes of the extracted gray file samples. From the extracted gray file samples Select the gray file samples whose false negative rate is greater than the preset false negative rate threshold, and use the selected gray file samples as the gray file samples to be scanned.

When a dangerous file sample is scanned, the scan scheduling device 300 extracts a dangerous file sample from active file samples, determines that the extracted dangerous file sample is an identifier for a virus file, and obtains an error rate of the extracted dangerous file sample according to the determined identifier. The alarm rate is selected from the extracted dangerous file samples with a false alarm rate greater than the preset false alarm rate threshold, and the selected dangerous file samples are the dangerous file samples to be scanned.

The scanning of gray file samples will be described below in conjunction with a specific example.

The file sample scanning system includes: a sample storage device 100, an antivirus engine 200, a scan scheduling device 300, and a sample scanning device 400 including multiple identifiers. In this specific example, the MD5 (message digest algorithm version 5) value of the file sample is used as the identifier of the file sample. In addition, the 40-byte character string of md5+sha1 can also be used as the unique identifier of the file sample to avoid the identifier conflict caused by only using md5 as the identifier, that is, when the md5 values calculated for two different file samples are the same , the two file samples have conflicting IDs. The scan scheduling device 300 stores a file sample information library, which stores attribute information and other relevant information of each file sample, for example, for each file sample, stores the size, path, operation behavior of the file sample, and whether the file sample is A dangerous file sample or a gray file sample, when the file sample is a dangerous file sample, report it as a virus file identifier, etc.

The sample storage device 100 stores file samples.

The antivirus engine 200 stores the scan results of the sample files, and returns the scan results when receiving a request to inquire whether the file samples are safe; and records the received request in a log when receiving a request to inquire whether the file samples are safe. The received request includes the MD5 value of the file sample.

The scan scheduling device 300 extracts file samples whose query times are greater than a preset popularity threshold within a preset time according to the records in the log, and the extracted file samples are active file samples.

The scan scheduling device 300 extracts the gray file sample from the active file sample, obtains the attribute of the gray file sample from the file sample information database according to the MD5 value of the gray file sample, and obtains the false negative rate of the gray file sample according to the obtained attribute , selecting a gray file sample whose false negative rate is greater than a preset false negative rate threshold from the extracted gray file samples, and using the selected gray file sample as the gray file sample to be scanned.

The scanning scheduling device 300 selects an authenticator for scanning the gray file sample according to the update record of each authenticator and the scanning record of the authenticator.

The sample scanning device 400 obtains gray file samples to be scanned from the sample storage device 100 , scans the acquired gray file samples using the identifier selected by the scan scheduling device 300 , and stores the scanning results in the antivirus engine 200 .

The following describes the scanning of dangerous file samples in combination with a specific example.

The sample storage device 100 stores file samples.

The antivirus engine 200 stores the scan results of the file samples, and returns the scan results when receiving a request to check whether the file samples are safe; and records the received request in the log when receiving a request to check whether the file samples are safe. The received request includes the MD5 value of the file sample.

The scan scheduling device 300 extracts file samples whose query times are greater than a preset popularity threshold within a preset time according to the records in the log, and the extracted file samples are active file samples.

The scan scheduling device 300 extracts a dangerous file sample from active file samples, reads information in the information base according to the MD5 value of the dangerous file sample, determines that the extracted dangerous file sample is an identifier for a virus file, and obtains The false alarm rate of the extracted risk file samples, the risk file samples whose false alarm rate is greater than the preset false alarm rate threshold are selected from the extracted risk file samples, and the selected risk file samples are the risk files to be scanned. Documentation sample.

For each dangerous file sample to be scanned, the scan scheduling device 300 selects from the determined identifiers that report the dangerous file sample as a virus file according to the update record of the identifier and/or the scan record of the identifier to scan the dangerous file. The identifier for the sample.

The sample scanning device 400 acquires dangerous file samples to be scanned from the sample storage device 100, and for each dangerous file sample to be scanned, re-scans the dangerous file sample using the identifier determined by the scan scheduling device 300, if the scanning result of each identifier is If it is all that the dangerous file sample is no longer a virus file, it is determined that the dangerous file sample is a file sample falsely reported as a virus file, and the false positive operation is performed on the dangerous file sample.

The file scanning system of the present invention has been described above. The system can ensure that missed reports and corrected false reports can be compensated, while reducing the workload of scanning, thereby solving the problem of the need to scan all file samples during scanning, resulting in resource consumption. In order to solve the problem of large volume, the resource of the scanning device is saved, the scanning efficiency is accelerated, and the scanning speed is improved.

Referring to FIG. 2 , it shows a method for scanning a file sample according to an embodiment of the present invention.

Step S210, for the gray file samples in the file samples, select the gray file samples to be scanned from the stored gray file samples according to a preset strategy.

Specifically, in step S210, the false negative rate of the gray document sample is obtained according to the attribute of the gray document sample, and the gray document sample to be scanned is selected from the stored gray document samples according to the false negative rate. For example, according to the statistical results obtained by performing statistics on the characteristics of virus files, and the attributes of gray file samples, the probability that the gray file sample may be a virus file is calculated, and the probability is used as an error in calculating the gray file sample. The parameters of the reporting rate.

For example, the size, path, and/or behavior of the virus file are counted, and the probability that the file sample may be a virus file is obtained based on the statistical results.

According to the statistical result obtained by counting the size of the virus file and the size of the gray file sample, the probability that the gray file sample may be a virus file is calculated.

Usually virus files are for spreading, so virus files are relatively small. Statistics on virus files, for example, using Hadoop (a distributed computing platform) to make statistics, obtain a relationship curve between file size and reported virus rate, and obtain the probability that a gray file sample may be a virus file according to the curve.

If only the probability based on the size of the gray file sample is used as the parameter for calculating the false negative rate, then this probability is used as the false negative rate, and the gray file samples whose false negative rate is greater than the preset false negative rate threshold are selected as the ones to be scanned. Gray file sample. For example, the false negative rate threshold is 0.001%, and the virus reporting rate of file samples with a file size of more than 10M is 0.001%, then the gray file samples smaller than 10M are selected as the gray file samples to be scanned.

According to the statistical result obtained by counting the path of the virus file and the path of the gray file sample, the probability that the gray file sample may be a virus file is calculated.

Through offline statistics of the path of virus files, for example, using hadoop (a distributed computing platform) for statistics, a relationship curve between the file path and the reported virus rate can be obtained, and the gray file sample may be a virus file according to the curve probability.

If only the probability obtained based on the gray file sample path is used as the parameter for calculating the false negative rate, then this probability is used as the false negative rate, and the gray file samples whose false negative rate is greater than the preset false negative rate threshold are selected as the ones to be scanned. Gray file sample.

According to the list of dangerous operation behaviors obtained by counting the operation behaviors of virus files and the operation behaviors of gray file samples, the probability that the gray file samples may be virus files is calculated.

The list of dangerous operational behaviors may include one or more of the following operational behaviors:

Write to the registry for automatic loading;

Modify the registry;

Modify system files;

Modify the specified application file;

Perform inter-process injection;

end process;

Modify the content of web pages in your browser; and

Record keystrokes.

According to the number of dangerous operation behaviors triggered by the gray file sample, the probability that the gray file sample may be a virus file is calculated. The more dangerous operations are triggered, the higher the probability that the gray file sample may be a virus file. For example, the number of dangerous operation behaviors triggered by the gray file samples is obtained, and the number is divided by the total number of dangerous operation behaviors in the list of dangerous operation behaviors to obtain the probability that the gray file samples may be virus files.

If only the probability obtained based on the number of dangerous operation behaviors triggered by gray file samples is used as the parameter for calculating the false negative rate, then this probability is used as the false negative rate, and gray files with a false negative rate greater than the preset false negative rate threshold are selected The sample is a gray file sample to be scanned.

If the multiple probabilities obtained above are used as parameters for calculating the false negative rate, you can set a weight value corresponding to each parameter, and calculate the false positive rate of the gray file sample by summing the weighted parameters.

Step S220, selecting an authenticator for scanning the gray file sample according to the update record of each authenticator and/or the scanning record of the authenticator.

Among them, the identifier can be an antivirus application used to detect the security of file samples, such as bitdefender (Bitdefender, an antivirus application from Romania), and antivirus applications and cloud antivirus engines provided by QVM (Qihoo Support Vector Machine) wait. Gray file samples are file samples with unknown security.

Specifically, when selecting an authenticator, an authenticator for scanning the gray file sample may be selected according to the scanning records of each authenticator.

For each identifier and each gray file sample to be scanned, according to the number of times the identifier scans the gray file sample, calculate the scanning interval of the gray file sample corresponding to the identifier, and select the scanning interval for scanning the gray file according to the scanning interval The identifier for the sample. Wherein, the more times of scanning, the longer the scanning interval. For example, the scan interval is calculated using the formula T=(logN)×1.5+1. N is the number of times a certain identifier scans a gray file sample, and T is the scanning interval of the gray file sample corresponding to the identifier.

Wherein, when selecting an authenticator, an authenticator for scanning the gray file sample may also be selected according to update records of each authenticator. Specifically, the identifier that has been updated after the last scan is selected from each identifier according to the update record.

It is also possible to select an authenticator for scanning the gray file sample according to the update record of each authenticator and the scanning record of the authenticator. For example, select the identifiers that have been updated since the last scan, and then select identifiers from the selected identifiers by the scan interval.

Step S230, using the selected identifier to scan the gray file sample to be scanned, and storing the scanning result, so that the scanning result can be returned when receiving a request to inquire whether the file sample is safe.

This embodiment reduces the workload of scanning while ensuring to make up for missed reports, thereby solving the problem that all file samples need to be scanned during scanning, resulting in a large amount of resource consumption, and saving the resources of scanning devices. Accelerates the scanning speed, providing the beneficial effect of scanning efficiency.

In a preferred embodiment, as shown in FIG. 3 , which is a flow chart of selecting gray file samples according to the false negative rate according to an embodiment of the present invention, the step S210 includes the following steps.

Step S2102, extract gray file samples.

Step S2104, judge whether the first discovery time of the gray file sample is earlier than the preset time threshold, if yes, execute step S2106, if not, execute step S2108.

In step S2106, it is detected that the false negative rate of the gray file sample is 0, and step S2110 is executed.

In step S2108, the false negative rate of the gray file sample is obtained according to the attribute of the gray file sample, and step S2110 is executed.

Step S2110, judging whether the gray file sample has been extracted, if yes, execute step S2112, otherwise, execute step S2102.

Step S2112, selecting a gray file sample to be scanned from the stored gray file samples according to the false negative rate.

Because, the earlier the gray file sample is discovered, the less likely it will be missed. When the first discovery time is earlier than the preset time threshold, the gray file sample is no longer scanned, thereby further reducing unnecessary scanning operations, saving resources used for scanning file samples, and improving scanning efficiency.

In another embodiment of the present invention, dangerous file samples in the file samples are scanned. Dangerous file samples are file samples that are reported by the identifier as virus files. For the dangerous file sample, use the identifier that reports it as a virus file to scan the dangerous file sample, if after scanning, these identifiers all determine that the dangerous file sample is not a virus file, then remove the error for the dangerous file sample report operation. The specific technical solution of this embodiment is as follows.

Referring to FIG. 4 , it shows the process of scanning dangerous file samples in the method for scanning file samples according to an embodiment of the present invention, including the following steps.

Step S410, for a dangerous file sample in the file samples, determine an identifier that reports the dangerous file sample as a virus file.

Step S420, re-scanning the obtained dangerous file sample with the identifier that reports the dangerous file sample as a virus file, and if the scanning result shows that the dangerous file sample is no longer a virus file, then determine that the dangerous file sample is falsely reported as a virus file A file sample, performing a false positive removal operation on the dangerous file sample.

Wherein, the false positive removal operation may be to delete the record that the file sample is a virus file, or to update the record of the file sample from a dangerous file sample to a gray file sample or a white file sample. White file samples are file samples that are determined to be harmless.

Through this embodiment, for a dangerous file sample, only the identifier that reports it as a virus file is used to scan the dangerous file sample, thereby ensuring correction of false positives while reducing scanning operations and improving scanning efficiency.

Further, the false positive rate of the dangerous file samples is calculated, and the dangerous file samples to be scanned are selected according to the false positive rate. This further reduces the number of dangerous file samples scanned.

After step S410, it includes: obtaining the false alarm rate of the dangerous file sample according to the determined identifier, establishing the corresponding relationship between the number of identifiers and the false alarm rate, and selecting the dangerous file to be scanned from the stored dangerous file samples according to the false alarm rate. sample. Wherein, the greater the number of identified identifiers, the lower the false positive rate of the dangerous file sample.

For example, for an identifier that reports a dangerous file sample as a virus file, you can set the accuracy rate corresponding to the dangerous file for each identifier, add the accuracy rates to get the sum value, and subtract the sum value from 1 to get the error rate of the dangerous file sample. positive rate, and select dangerous file samples whose false positive rate is greater than the preset false positive rate threshold as dangerous file samples to be scanned.

When setting the accuracy rate corresponding to the dangerous file, if the analyst sets it as a virus file, directly set the accuracy rate to 1. For each authenticator, the accuracy rate is set according to the trust degree of the authenticator and the number of times the authenticator scans dangerous files, and the higher the number of scans, the higher the accuracy rate. For example, if the degree of trust in antivirus engine A is high, then after the number of scans by antivirus engine A is greater than the scanning threshold, it is determined that the accuracy rate of antivirus engine A corresponding to the dangerous file is 1.

Thus, the dangerous file samples are selected according to the false alarm rate, which further reduces unnecessary scanning operations, saves resources used for scanning file samples, and improves scanning efficiency.

Further, after step S410, for the determined identifier reporting that the dangerous file sample is a virus file, selecting an identifier for scanning the dangerous file sample according to the update record of the identifier and/or the scanning record of the identifier.

Among the identifiers that determine the dangerous file sample as a virus file, an identifier for scanning the dangerous file sample may be selected according to the scanning records of each identifier.

For each determined identifier and each dangerous file sample to be scanned, according to the number of times the identifier scans the dangerous file sample, calculate the scanning interval of the dangerous file sample corresponding to the identifier, and select the scan interval for scanning according to the scanning interval An identifier for dangerous file samples. Wherein, the more times of scanning, the longer the scanning interval. For example, the scan interval is calculated using the formula T=(logN)×1.5+1. N is the number of times a certain identifier scans a certain dangerous file sample, and T is the scanning interval of the dangerous file sample corresponding to the identifier.

Wherein, among the identifiers that determine the dangerous file sample as a virus file, an identifier for scanning the dangerous file sample may be selected according to update records of each identifier. For example, based on the update record, select from among the authenticators that have been updated since the last scan.

Alternatively, the authenticator used to scan the dangerous file sample may be selected according to the update record of each authenticator and the scanning record of the authenticator. For example, among the identifiers that determine a dangerous file sample as a virus file, first select an identifier that has been updated after the last scan, and then select an identifier according to the scan interval from the selected identifiers.

Therefore, selecting an authenticator according to the update record of the authenticator and/or the scanning record of the authenticator further reduces unnecessary scanning operations, saves resources used for scanning file samples, and improves scanning efficiency.

In another embodiment of the present invention, the query popularity of file samples is counted, and file samples are selected from active file samples with high popularity, further reducing the number of file samples to be scanned, and improving scanning efficiency.

The method also includes:

When receiving a request to inquire whether a file sample is safe, record the received request in a log.

According to the records in the log, the file samples whose query times are greater than the preset popularity threshold within the preset time are extracted, and the extracted file samples are active file samples. Active file samples refer to file samples with high popularity and the query frequency is greater than the preset threshold value.

Thus, when scanning a gray file sample, the under-reporting rate of the gray file sample obtained according to the attributes of the gray file sample specifically includes: extracting the gray file sample from the active file sample, and obtaining the gray file sample according to the attribute of the extracted gray file sample. The false negative rate of the gray file sample. Said selecting the gray file samples to be scanned from the stored gray file samples according to the false negative rate specifically includes: selecting the gray file samples whose false negative rate is greater than the preset false positive rate threshold from the extracted gray file samples, and using the selected The gray file sample is a gray file sample to be scanned.

When scanning the dangerous file samples, the determining the identifier for reporting the dangerous file samples as virus files specifically includes: extracting the dangerous file samples from the active file samples, and determining the identifier for reporting the extracted dangerous file samples as virus files. The selection of the dangerous file samples to be scanned from the stored dangerous file samples according to the false alarm rate specifically includes: selecting the dangerous file samples whose false alarm rate is greater than the preset false alarm rate threshold from the extracted dangerous file samples, and using the selected The error file sample is a dangerous file sample to be scanned.

The scanning of gray file samples will be described below in conjunction with a specific example.

In this specific example, the MD5 (message digest algorithm version 5) value of the file sample is used as the identifier of the file sample. In addition, the 40-byte character string of md5+sha1 can also be used as the unique identifier of the file sample to avoid the identifier conflict caused by only using md5 as the identifier, that is, when the md5 values calculated for two different file samples are the same , the two file samples have conflicting IDs. In the file sample information base, attribute information and other relevant information of each file sample are stored, for example, for each file sample, the size, path, operation behavior of the file sample, and whether the file sample is a black or gray file sample are stored , an identifier that reports it as a virus file, etc.

Referring to FIG. 5 , it shows a flow chart of scanning a gray document sample in a method for scanning a document sample according to an embodiment of the present invention.

Step S510, receiving a request to inquire whether the file sample is safe, returning the stored scanning result of the file sample in the request, and recording the received request in the log.

Specifically, the received request includes the MD5 value of the file sample, the scan result is searched according to the MD5 value, and the request is recorded according to the MD5 value.

Step S520, according to the records in the log, extract file samples whose query times are greater than a preset popularity threshold within a preset time, and the extracted file samples are active file samples.

Step S530, extract the gray file sample from the active file sample, obtain the attribute of the gray file sample from the file sample information base according to the MD5 value of the gray file sample, and obtain the false negative rate of the gray file sample according to the obtained attribute, A gray file sample whose false negative rate is greater than a preset false negative rate threshold is selected from the extracted gray file samples.

Step S540, selecting an authenticator for scanning the gray file sample according to the update record of each authenticator and the scanning record of the authenticator.

Step S550, using the selected identifier to scan the acquired gray file sample, and store the scanning result.

The following describes the scanning of dangerous file samples in conjunction with a specific example.

Referring to FIG. 6 , it shows a flow chart of scanning dangerous file samples in the method for scanning file samples according to an embodiment of the present invention.

Step S610, receiving a request to inquire whether the file sample is safe, returning the stored scanning result of the file sample in the request, and recording the received request in the log.

Specifically, the received request includes the MD5 value of the file sample, the scan result is searched according to the MD5 value, and the request is recorded according to the MD5 value.

Step S620, according to the records in the log, extract file samples whose query times are greater than a preset popularity threshold within a preset time, and the extracted file samples are active file samples.

Step S630, extracting a dangerous file sample from active file samples, reading the information in the information base according to the MD5 value of the dangerous file sample, and determining the identifier that reports the extracted dangerous file sample as a virus file.

Step S640, obtain the false positive rate of the extracted dangerous file samples according to the determined identifier, and select the dangerous file samples whose false positive rate is greater than the preset false positive rate threshold as the dangerous files to be scanned from the extracted dangerous file samples sample.

Step S650, for each dangerous file sample to be scanned, from the identified identifiers that report the dangerous file sample as a virus file, select an identifier for scanning the dangerous file sample according to the update record of the identifier and the scan record of the identifier. authenticator.

Step S660, for each dangerous file sample to be scanned, use the selected identifier to re-scan the dangerous file sample, if the scanning result is that the dangerous file sample is no longer a virus file, then determine that the dangerous file sample is a false positive A file sample, performing a false positive removal operation on the dangerous file sample.

The document scanning method of the present invention has been described above. This method can ensure that missed reports and correct false reports can be compensated, while reducing the workload of scanning, thereby solving the problem of the need to scan all document samples during scanning, resulting in resource consumption. In order to solve the problem of large volume, the resource of the scanning device is saved, the scanning efficiency is accelerated, and the scanning speed is improved.

The algorithms and displays presented herein are not inherently related to any particular computer, virtual system, or other device. Various generic systems can also be used with the teachings based on this. The structure required to construct such a system is apparent from the above description. Furthermore, the present invention is not specific to any particular programming language. It should be understood that various programming languages can be used to implement the content of the present invention described herein, and the above description of specific languages is for disclosing the best mode of the present invention.

In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure the understanding of this description.

Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, in order to streamline this disclosure and to facilitate an understanding of one or more of the various inventive aspects, various features of the invention are sometimes grouped together in a single embodiment, figure, or its description. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the Detailed Description are hereby expressly incorporated into this Detailed Description, with each claim standing on its own as a separate embodiment of this invention.

Those skilled in the art can understand that the modules in the device in the embodiment can be adaptively changed and arranged in one or more devices different from the embodiment. Modules or units or components in the embodiments may be combined into one module or unit or component, and furthermore may be divided into a plurality of sub-modules or sub-units or sub-assemblies. All features disclosed in this specification (including accompanying claims, abstract and drawings), as well as any method or method so disclosed, may be used in any combination, except that at least some of such features and/or processes or units are mutually exclusive. All processes or units of equipment are combined. Each feature disclosed in this specification (including accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.

Furthermore, those skilled in the art will understand that although some embodiments described herein include some features included in other embodiments but not others, combinations of features from different embodiments are meant to be within the scope of the invention. and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.

The various component embodiments of the present invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art should understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all functions of some or all components in the document sample scanning system according to the embodiment of the present invention. The present invention can also be implemented as an apparatus or an apparatus program (for example, a computer program and a computer program product) for performing a part or all of the methods described herein. Such a program for realizing the present invention may be stored on a computer-readable medium, or may be in the form of one or more signals. Such a signal may be downloaded from an Internet site, or provided on a carrier signal, or provided in any other form.

It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The use of the words first, second, and third, etc. does not indicate any order. These words can be interpreted as names.

Claims (20)

1. A scanning method of a file sample, said method comprising: For the gray file samples in the file samples, the gray file samples to be scanned are selected from the stored gray file samples according to a preset strategy; Selecting an authenticator for scanning the gray file sample according to the update record of each authenticator and/or the scanning record of the authenticator; Use the selected identifier to scan the gray file sample to be scanned, and store the scanning result, so that when a request is received to inquire whether the file sample is safe, the scanning result is returned; The gray file sample is a file sample with unknown security; Wherein, the selection of the gray file samples to be scanned from the stored gray file samples according to the preset strategy specifically includes: According to the attribute of the gray file sample, the false negative rate of the gray file sample is obtained, and the gray file sample to be scanned is selected from the stored gray file samples according to the false negative rate; Before the false negative rate of the gray file sample is obtained according to the attribute of the gray file sample, it also includes: Determine whether the first discovery time of the gray file sample is earlier than the preset time threshold, if yes, detect that the false negative rate of the gray file sample is 0, if not, then perform the gray file sample according to the attributes of the gray file sample to obtain gray The operation of the false negative rate of the file sample. 2. The method of claim 1, wherein, The method also includes: For a dangerous file sample in the file sample, determine an identifier that reports the dangerous file sample as a virus file, and the dangerous file sample is a file sample that is reported as a virus file by the identifier; Use the identifier that reports the dangerous file sample as a virus file to re-scan the dangerous file sample, and if the scanning result shows that the dangerous file sample is no longer a virus file, then determine that the dangerous file sample is a file sample that has been falsely reported as a virus file, and the Dangerous file samples are removed from false positives. 3. The method of claim 2, wherein, After determining that the identifier reporting the dangerous file sample is a virus file, the method further includes: According to the identified identifiers, the false alarm rate of the dangerous file sample is obtained, and the corresponding relationship between the number of identifiers and the false alarm rate is established; Select the dangerous file samples to be scanned from the stored dangerous file samples according to the false positive rate; The re-scanning of the dangerous file sample using the identifier that reports the dangerous file sample as a virus file specifically includes: For each dangerous file sample to be scanned, the dangerous file sample is rescanned using an identifier that reported the dangerous file sample as a virus file. 4. The method according to any one of claims 1 to 3, wherein, The method also includes: When receiving a request to inquire whether a file sample is safe, record the received request in a log; According to the records in the log, the file samples whose query times are greater than the preset popularity threshold within the preset time are extracted, and the extracted file samples are active file samples. 5. The method of claim 4, wherein, The underreporting rate of the gray file sample according to the attribute of the gray file sample specifically includes: Extract the gray file sample from the active file sample, and obtain the false negative rate of the gray file sample according to the attributes of the extracted gray file sample; The gray file samples to be scanned are selected from the stored gray file samples according to the false negative rate and specifically include: From the extracted gray file samples, a gray file sample with a false negative rate greater than a preset false negative rate threshold is selected, and the selected gray file sample is used as a gray file sample to be scanned. 6. The method of claim 4, wherein, The identifier for determining that the reported dangerous file sample is a virus file specifically includes: Extracting dangerous file samples from active file samples, and determining that the extracted dangerous file samples are an identifier for virus files; The selection of the dangerous file samples to be scanned from the stored dangerous file samples according to the false alarm rate specifically includes: A dangerous file sample with a false positive rate greater than a preset false positive rate threshold is selected from the extracted dangerous file samples, and the selected dangerous file sample is used as a dangerous file sample to be scanned. 7. The method of claim 1, wherein, The underreporting rate of the gray file sample according to the attribute of the gray file sample specifically includes: According to the statistics of the characteristics of the virus file and the attributes of the gray file sample, the probability that the gray file sample may be a virus file is calculated, and this probability is used as a parameter for calculating the false negative rate of the gray file sample . 8. The method of claim 7, wherein, According to the statistical results obtained by performing statistics on the characteristics of virus files, and the attributes of gray file samples, calculating the probability that the gray file samples may be virus files specifically includes: Calculate the probability that the gray file sample may be a virus file according to the statistical results obtained by counting the size of the virus file and the size of the gray file sample; and / or, Calculate the probability that the gray file sample may be a virus file according to the statistical results obtained by counting the path of the virus file and the path of the gray file sample; and / or, According to the list of dangerous operation behaviors obtained by counting the operation behaviors of virus files and the operation behaviors of gray file samples, the probability that the gray file samples may be virus files is calculated. 9. The method of claim 1, wherein, The selection of the identifier for scanning the gray file sample according to the scanning records of each identifier specifically includes: For each identifier and each gray file sample to be scanned, calculate the scanning interval of the gray file sample corresponding to the identifier according to the number of times the identifier scans the gray file sample; Select the identifier used to scan gray file samples based on the scan interval. 10. The method of claim 1, wherein, The selection of the identifier for scanning the gray file sample according to the update record of each identifier specifically includes: Selects from each authenticator the one that has been updated since the last scan based on the update record. 11. A scanning system for file samples, said system comprising: a sample storage device, an anti-virus engine, a scanning scheduling device and a sample scanning device comprising a plurality of identifiers; The sample storage device is suitable for storing file samples; The scanning scheduling device is adapted to select the gray file samples to be scanned from the gray file samples stored in the sample storage device according to a preset strategy for the gray file samples in the file samples, and select the gray file samples to be scanned according to the update records of each identifier and/or the authenticator's scan records to select the authenticator used to scan the gray file sample; The sample scanning device is adapted to acquire gray file samples to be scanned from the sample storage device, use the identifier selected by the scan scheduling device to scan the obtained gray file samples to be scanned, and store the scanning results in the scanning engine; The killing engine is suitable for storing the scan results of the sample files, and returns the scan results when receiving a request to inquire whether the file samples are safe; The gray file sample is a file sample with unknown security; Wherein, the scanning scheduling device is specifically adapted to obtain the false negative rate of the gray document sample according to the attribute of the gray document sample, and select the gray document sample to be scanned from the stored gray document samples according to the false positive rate; The scanning scheduling device is also suitable for judging whether the first discovery time of the gray file sample is earlier than the preset time threshold before obtaining the false negative rate of the gray file sample according to the attributes of the gray file sample, and if so, detecting The false negative rate of the gray file sample is 0, if not, perform the operation of obtaining the false negative rate of the gray file sample according to the attributes of the gray file sample. 12. The system of claim 11, wherein, The scan scheduling device is further adapted to determine, for a dangerous file sample among the file samples, an identifier that reports the dangerous file sample as a virus file, and the dangerous file sample is a file sample that is reported as a virus file by the identifier; The sample scanning device is further adapted to obtain a dangerous file sample from the sample storage device, and use the identifier determined by the scan scheduling device to re-scan the obtained dangerous file sample, if the scanning result is that the dangerous file sample is no longer a virus file, then it is determined that the dangerous file sample is a file sample that is falsely reported as a virus file, and the false positive operation is performed on the dangerous file sample. 13. The system of claim 12, wherein, The scanning scheduling device is further adapted to determine the false alarm rate of the dangerous file sample according to the determined identifier after determining the identifier that reports the dangerous file sample as a virus file, and establish a corresponding relationship between the number of identifiers and the false alarm rate, selecting a dangerous file sample to be scanned from the dangerous file samples stored in the sample storage device according to the false positive rate; The sample scanning device is specifically adapted to, for each dangerous file sample to be scanned, re-scan the dangerous file sample using an identifier that reports the dangerous file sample as a virus file. 14. A system according to any one of claims 11 to 13, wherein, The killing engine is also adapted to record the received request in a log when receiving a request to inquire whether the file sample is safe; The scanning scheduling device is further adapted to extract file samples whose query times are greater than a preset popularity threshold within a preset time according to the records in the log, and the extracted file samples are active file samples. 15. The system of claim 14, wherein, The scanning scheduling device is specifically adapted to extract gray file samples from active file samples, obtain the false negative rate of the gray file sample according to the attributes of the extracted gray file samples, and obtain the false negative rate from the extracted gray file samples according to the obtained false negative rate. Gray file samples with a false negative rate greater than a preset false negative rate threshold are selected from the samples, and the selected gray file samples are the gray file samples to be scanned. 16. The system of claim 14, wherein, The scanning scheduling device is specifically suitable for extracting dangerous file samples from active file samples, determining the identifier that reports the extracted dangerous file sample as a virus file, and obtaining the false alarm rate of the extracted dangerous file sample according to the determined identifier, Selecting dangerous file samples with a false positive rate greater than a preset false positive rate threshold from the extracted dangerous file samples according to the false positive rate, and using the selected dangerous file samples as dangerous file samples to be scanned. 17. The system of claim 11, wherein, The scanning scheduling device is specifically adapted to calculate the probability that the gray file sample may be a virus file based on the statistical results obtained by statistically counting the characteristics of the virus file and the attributes of the gray file sample, and use this probability as the basis for calculating the The parameter of the false negative rate of the gray file sample. 18. The system of claim 17, wherein, The scanning scheduling device is specifically adapted to calculate the probability that the gray file sample may be a virus file according to the statistical result obtained by counting the size of the virus file and the size of the gray file sample; and / or, Calculate the probability that the gray file sample may be a virus file according to the statistical results obtained by counting the path of the virus file and the path of the gray file sample; and / or, According to the list of dangerous operation behaviors obtained by counting the operation behaviors of virus files and the operation behaviors of gray file samples, the probability that the gray file samples may be virus files is calculated. 19. The system of claim 11, wherein: The scan scheduling device is specifically adapted to calculate, for each identifier and each gray file sample to be scanned, the scanning interval of the gray file sample corresponding to the identifier according to the number of times the identifier scans the gray file sample, Select the identifier used to scan gray file samples based on the scan interval. 20. The system of claim 11, wherein: The scanning scheduling device is specifically adapted to select an authenticator that has been updated after the last scan from various authenticators according to the update record.