Technical field
The present invention relates to the field of network security, and in particular to a method and apparatus for optimizing virus defense, a storage medium, and a computer device.
Background
As network security receives more attention, computer viruses that endanger it, such as viruses and Trojans, have come into public view. Defense against such viruses works by obtaining virus and Trojan samples, extracting features from them, configuring those features as detection signatures in a virus database, and distributing the database to security software, which then detects and removes the viruses and Trojans.
At present, existing defenses against computer viruses consist only of storing virus signatures in a virus database and then writing a targeted removal tool. This cannot keep up with the defense needs of new computer viruses, so the computer system's defense fails; it also places heavy demands on the technical personnel who write the removal tools, which raises the cost of virus defense.
Summary of the invention
In view of this, the present invention provides a method and apparatus for optimizing virus defense, a storage medium, and a computer device, whose main purpose is to solve the problem that existing virus defenses, which only store virus signatures in a virus database and then write a targeted removal tool, cannot keep up with the defense needs of new computer viruses, causing the computer system's defense to fail.
According to one aspect of the present invention, a method for optimizing virus defense is provided, comprising:
determining whether feature information in a target file matches defense feature information in a preset defense feature library, where the defense feature information in the preset defense feature library is determined from the expected removal and/or repair of suspicious files in different defense scenarios; and
if the feature information matches the defense feature information, retrieving the defense operation bound to the defense feature information and executing that defense operation.
Further, before determining whether the feature information in the target file matches the defense feature information in the preset defense feature library, the method further comprises:
loading suspicious files from different defense scenarios at a preset time interval;
analyzing whether the expected actions performed by the suspicious file trigger a removal event and/or a repair event; and
if a removal event and/or a repair event is triggered, determining the feature information in the suspicious file to be defense feature information and updating it into the preset defense feature library.
Further, analyzing whether the expected actions performed by the suspicious file trigger a removal event and/or a repair event comprises:
copying all files corresponding to the expected actions performed by the suspicious file; and
executing the suspicious file and all of those files in a preset execution environment, and determining whether an attack operation occurs during execution, so as to determine whether a removal event and/or a repair event is triggered.
Further, after determining the feature information in the suspicious file to be defense feature information and updating it into the preset defense feature library, the method further comprises:
looking up, in a removal code library and/or a repair code library, the removal code and/or repair code matching the defense feature information and binding it to that defense feature information, where the removal code library and/or repair code library is updated with code expected to remove, and/or code expected to repair, different computer viruses.
Further, the method further comprises:
if the feature information does not match the defense feature information, releasing the target file.
Further, before determining whether the feature information in the target file matches the defense feature information in the preset defense feature library, the method further comprises:
detecting whether the version information of the preset defense feature library matches the updated version information;
if it matches, performing the step of determining whether the feature information in the target file matches the defense feature information in the preset defense feature library; and
if it does not match, updating the preset defense feature library.
Further, the method further comprises:
outputting the target file on which the defense operation was executed.
According to another aspect of the present invention, an apparatus for optimizing virus defense is provided, comprising:
a judgment module, configured to determine whether feature information in a target file matches defense feature information in a preset defense feature library, where the defense feature information in the preset defense feature library is determined from the expected removal and/or repair of suspicious files in different defense scenarios; and
a retrieval module, configured to, if the feature information matches the defense feature information, retrieve the defense operation bound to the defense feature information and execute that defense operation.
Further, the apparatus further comprises:
a loading module, configured to load suspicious files from different defense scenarios at a preset time interval;
an analysis module, configured to analyze whether the expected actions performed by the suspicious file trigger a removal event and/or a repair event; and
a determination module, configured to, if a removal event and/or a repair event is triggered, determine the feature information in the suspicious file to be defense feature information and update it into the preset defense feature library.
Further, the analysis module comprises:
a copying unit, configured to copy all files corresponding to the expected actions performed by the suspicious file; and
a judgment unit, configured to execute the suspicious file and all of those files in a preset execution environment and determine whether an attack operation occurs during execution, so as to determine whether a removal event and/or a repair event is triggered.
Further, the apparatus further comprises:
a binding module, configured to look up, in a removal code library and/or a repair code library, the removal code and/or repair code matching the defense feature information and bind it to that defense feature information, where the removal code library and/or repair code library is updated with code expected to remove, and/or code expected to repair, different computer viruses.
Further, the apparatus further comprises:
a release module, configured to release the target file if the feature information does not match the defense feature information.
Further, the apparatus further comprises:
a detection module, configured to detect whether the version information of the preset defense feature library matches the updated version information;
an execution module, configured to, if it matches, perform the step of determining whether the feature information in the target file matches the defense feature information in the preset defense feature library; and
an update module, configured to update the preset defense feature library if it does not match.
Further, the apparatus further comprises:
an output module, configured to output the target file on which the defense operation was executed.
According to yet another aspect of the present invention, a storage medium is provided, storing at least one executable instruction that causes a processor to perform the operations corresponding to the above method for optimizing virus defense.
According to a further aspect of the present invention, a computer device is provided, comprising a processor, a memory, a communication interface and a communication bus, where the processor, the memory and the communication interface communicate with one another through the communication bus; and
the memory is configured to store at least one executable instruction that causes the processor to perform the operations corresponding to the above method for optimizing virus defense.
By means of the above technical solutions, the technical solutions provided by the embodiments of the present invention have at least the following advantages:
The present invention provides a method and apparatus for optimizing virus defense, a storage medium, and a computer device. Compared with existing virus defenses, which only store virus signatures in a virus database and then write a targeted removal tool, the embodiments of the present invention determine whether the feature information in a target file matches defense feature information that was determined from the feature information of suspicious files expected to be removed and/or repaired, and, if it matches, retrieve the bound defense operation to perform the defense. This defends in advance against rapidly changing viruses, removes or repairs new viruses as soon as they appear, reduces the likelihood that the system's defense fails, lowers the operational demands on technical personnel and the cost of defense, and thus improves the efficiency of computer virus defense.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be understood more clearly and implemented according to the contents of the description, and in order that the above and other objects, features and advantages of the present invention may be made more apparent and comprehensible, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be construed as limiting the invention. Throughout the drawings, the same reference characters denote the same components. In the drawings:
Figure 1 shows a flowchart of a method for optimizing virus defense provided by an embodiment of the present invention;
Figure 2 shows a flowchart of another method for optimizing virus defense provided by an embodiment of the present invention;
Figure 3 shows a block diagram of an apparatus for optimizing virus defense provided by an embodiment of the present invention;
Figure 4 shows a block diagram of another apparatus for optimizing virus defense provided by an embodiment of the present invention;
Figure 5 shows a schematic structural diagram of a computer device provided by an embodiment of the present invention.
Detailed description
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the present disclosure may be implemented in various forms and should not be limited to the embodiments set forth here. Rather, these embodiments are provided so that the present disclosure will be understood more thoroughly and its scope fully conveyed to those skilled in the art.
An embodiment of the present invention provides a method for optimizing virus defense which, as shown in Figure 1, comprises:
101. Determine whether the feature information in the target file matches the defense feature information in the preset defense feature library.
In this embodiment, the target file is a file that is to be defended against as a possible virus or Trojan: when the current system detects an unknown file that is about to run a program, it takes that unknown file as the target file and determines whether the feature information in the target file matches the defense feature information in the preset defense feature library. The defense feature information in the preset defense feature library is determined from the expected removal and/or repair of suspicious files in different defense scenarios, and the feature information consists of the features corresponding to the executable code logic in the target file, for example logic parameters, configuration items and strings; the embodiment does not specifically limit them.
It should be noted that the defense scenarios in the embodiments cover every scenario in the network that needs protection, such as system protection and file protection. For each protection scenario, feature information that may pose a network security risk is set in advance as defense feature information. For example, in the file protection scenario, the feature information in a file 1 that is expected to be removed is determined to be protection feature information, so that when the target file is protected it can be matched against the defense feature information in the preset protection feature library.
102. If the feature information matches the defense feature information, retrieve the defense operation bound to the defense feature information and execute it.
In this embodiment, when the feature information matches the defense feature information, the target file may attack as a virus. To improve the efficiency of virus defense, the defense operation bound to the defense feature information is retrieved and used to defend against the target file, so that it can be established whether the target file is safe or malicious. The bound defense operation is the operation code, prepared in advance, that removes or repairs the feature information in the suspicious file; through the binding relationship, the feature information that matches the defense feature information is removed or repaired, which completes the removal or repair of the target file. Specifically, every target object that matches the defense feature information, such as a file, a system configuration or a piece of software, can be repaired or removed.
The present invention provides a method for optimizing virus defense. Compared with existing virus defenses, which only store virus signatures in a virus database and then write a targeted removal tool, the embodiments of the present invention determine whether the feature information in a target file matches defense feature information that was determined from the feature information of suspicious files expected to be removed and/or repaired, and, if it matches, retrieve the bound defense operation to perform the defense. This defends in advance against rapidly changing viruses, removes or repairs new viruses as soon as they appear, reduces the likelihood that the system's defense fails, lowers the operational demands on technical personnel and the cost of defense, and thus improves the efficiency of computer virus defense.
An embodiment of the present invention provides another method for optimizing virus defense which, as shown in Figure 2, comprises:
201. Load suspicious files from different defense scenarios at a preset time interval.
In this embodiment, so that virus defense stays ahead of threats and unknown files can also be quickly removed or repaired, suspicious files from different defense scenarios are loaded at a preset time interval. The preset time interval may be one day or one week. The different defense scenarios include every scenario in the network that needs protection, such as system protection and file protection, and for each protection scenario feature information that may pose a network security risk is set in advance as defense feature information; the embodiment does not specifically limit this. As for suspicious files, in this embodiment the safety of a file is determined from its recorded defense history: files that have already been protected and found safe are determined to be safe directly, and all remaining files are determined to be suspicious. Hence when loading, the suspicious files from the different defense scenarios can be loaded directly; the embodiment does not specifically limit this.
202. Analyze whether the expected actions performed by the suspicious file trigger a removal event and/or a repair event.
In this embodiment, so that the system can automatically decide whether the feature information in a suspicious file is a basis for removal or repair, it analyzes whether the expected actions performed by the suspicious file trigger a removal event or a repair event, and thereby decides whether the feature information in the suspicious file is determined to be defense feature information.
To further define and explain the embodiment, step 202 may be: copying all files corresponding to the expected actions performed by the suspicious file; and executing the suspicious file and all of those files in a preset execution environment and determining whether an attack operation occurs during execution, so as to determine whether a removal event and/or a repair event is triggered.
All files involved in the expected actions of the suspicious file are copied into a virtual defense scenario, such as a virtual machine, and the suspicious file together with all related files is executed there, so as to simulate in advance whether the suspicious file is a virus. It is then determined whether an attack operation occurs during execution, for example whether some of the files above are damaged, or restricted content in those files is monitored, in order to determine whether a removal event or a repair event is triggered; the embodiment does not specifically limit this.
203. If a removal event and/or a repair event is triggered, determine the feature information in the suspicious file to be defense feature information and update it into the preset defense feature library.
When a removal event and/or a repair event is triggered, the feature information in the suspicious file is determined to be defense feature information and updated into the preset defense feature library, so that the defense feature information in the library can later be used to decide whether the feature information in a target file is a virus feature, and hence whether to defend against it.
204. Look up, in the removal code library and/or repair code library, the removal code and/or repair code matching the defense feature information, and bind it.
In this embodiment, in order to remove and repair target files that need removal and/or repair, after the defense feature information is determined, the removal code and/or repair code matching it is looked up in the removal code library and repair code library and bound to that defense feature information, so that when the feature information in a target file is found to match the defense feature information, the binding relationship is used to retrieve the defense operation. The removal code library and/or repair code library is updated with code expected to remove, and/or code expected to repair, different computer viruses.
205. Determine whether the feature information in the target file matches the defense feature information in the preset defense feature library.
This step is the same as step 101 shown in Figure 1 and is not described again here.
In this embodiment, since current virus defense can be deployed on terminals, in the cloud and elsewhere, in order to keep the defense target up to date with rapidly updated viruses, the method may further include, before step 205: detecting whether the version information of the preset defense feature library matches the updated version information; if it matches, performing the step of determining whether the feature information in the target file matches the defense feature information in the preset defense feature library; and if it does not match, updating the preset defense feature library.
The preset feature library may be upgraded to a new version at set times to track the latest virus changes, so whether the version information of the preset defense feature library matches the updated version information is detected. For example, if the updated version is 2.3 and the current preset feature library's version information is 2.2, they do not match and the current preset defense feature library is updated; if the current preset feature library's version information is 2.3, they match and the current preset defense feature library is used for the judgment.
206a. If the feature information matches the defense feature information, retrieve the defense operation bound to the defense feature information and execute it.
This step is the same as step 102 shown in Figure 1 and is not described again here.
In this embodiment, step 206b, parallel to step 206a, is: if the feature information does not match the defense feature information, release the target file.
In this embodiment, if there is no match, the target file is safe and needs no defense, so it is released.
In this embodiment, in order to keep statistics on files that are suspected viruses, the method may further include: outputting the target file on which the defense operation was executed.
Specifically, the output may be produced at set times or on request, and may take the form of a data stream or a summary table; the embodiment does not specifically limit this.
The present invention provides another method for optimizing virus defense. The embodiments of the present invention determine whether the feature information in a target file matches defense feature information that was determined from the feature information of suspicious files expected to be removed and/or repaired, and, if it matches, retrieve the bound defense operation to perform the defense. This defends in advance against rapidly changing viruses, removes or repairs new viruses as soon as they appear, reduces the likelihood that the system's defense fails, lowers the operational demands on technical personnel and the cost of defense, and thus improves the efficiency of computer virus defense.
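The following is an added example and not code from the patent or its applicant. It is a small runnable model of the procedure claimed in the summary and walked through in steps 201 to 206b above: suspicious files are "executed" and judged, feature information from the ones that trigger a removal or repair event is written into a versioned defense feature library and bound to removal or repair code, and a target file is then checked against the library after a version check, with the bound code executed on a match and the file released otherwise. The preset execution environment of step 202 is replaced by constructed, pre-recorded execution traces, since a virtual machine cannot be embedded here; the file names, file contents, traces, the key=value notion of "feature information" and the two library entries are all assumptions made for the example. It goes one step past the text by scanning a rebuilt variant of a learned sample, which has different bytes and a different hash but the same configuration items, to show that the feature match, not a file hash, is what catches it.

```python
"""Added example (not code from the patent): a toy model of steps 201-206b.
The sandbox of step 202 is replaced by constructed, pre-recorded traces;
feature extraction, library update, binding of removal/repair code, the
version check and match-and-dispatch run as written. Every name, file and
trace below is an assumption made for this example."""
import re
from dataclasses import dataclass, field

# Step 201: constructed suspicious files, keyed by (defense scenario, name).
SUSPICIOUS_FILES = {
    ("file_protection", "dropper.bin"):
        b"MZ\x90\x00\x03CONFIG=persist;url=http://c2.invalid/beacon;\x00\xff",
    ("system_protection", "hosts_hijack.bin"):
        b"MZ\x90\x00\x03HOSTS_ENTRY=10.0.0.1 bank.invalid;\x00\xff",
    ("file_protection", "report_tool.bin"):
        b"MZ\x90\x00\x03CONFIG=report;url=http://intranet.invalid/;\x00\xff",
}
# Constructed traces standing in for the sandbox run of step 202:
# one (action, target) record per observed operation.
SANDBOX_TRACES = {
    "dropper.bin": [("connect", "c2.invalid:443"),
                    ("delete", "/home/a/Documents/q3.xlsx")],
    "hosts_hijack.bin": [("write", "/etc/hosts")],
    "report_tool.bin": [("connect", "intranet.invalid:443"),
                        ("write", "/home/a/report.txt")],
}
PROTECTED_CONFIG = {"/etc/hosts", "/etc/ld.so.preload"}   # assumed repair targets

def extract_features(data: bytes) -> set:
    """Feature information: configuration-style key=value strings in the file
    (the patent names logic parameters, configuration items and strings)."""
    return {m.decode("latin-1") for m in re.findall(rb"[A-Za-z_]+=[^;\x00]+", data)}

def analyze_trace(trace) -> set:
    """Step 202: decide which events the observed actions trigger."""
    events = set()
    for action, target in trace:
        if action == "delete" and "/Documents/" in target:
            events.add("kill")      # destroys user data: the file itself must go
        if action == "write" and target in PROTECTED_CONFIG:
            events.add("repair")    # tampers with system config: restore it
    return events

# Removal and repair code libraries of step 204: each entry is runnable code
# that records what it did in the context it is handed.
def quarantine(ctx):
    ctx["quarantined"].append(ctx["name"])
    return "quarantine"

def restore_config(ctx):
    ctx["restored"].extend(sorted(PROTECTED_CONFIG))
    return "restore_config"

KILL_CODE_LIB = {"kill": quarantine}
REPAIR_CODE_LIB = {"repair": restore_config}

@dataclass
class FeatureDB:
    version: str
    entries: dict = field(default_factory=dict)   # feature -> bound defense ops

def update_feature_db(db, files, traces, new_version):
    """Steps 202-204: sandbox verdict -> feature information -> bound code."""
    for (_scenario, name), data in files.items():
        events = analyze_trace(traces[name])
        if not events:
            continue                               # no event: nothing is learned
        ops = [KILL_CODE_LIB[e] for e in events if e in KILL_CODE_LIB]
        ops += [REPAIR_CODE_LIB[e] for e in events if e in REPAIR_CODE_LIB]
        for feat in extract_features(data):        # step 203
            bound = db.entries.setdefault(feat, [])
            for op in ops:                         # step 204: bind code to feature
                if op not in bound:
                    bound.append(op)
    db.version = new_version
    return db

def scan_target(db, name, data, latest_version, refresh):
    """Version check, then steps 205 and 206a/206b for one target file."""
    if db.version != latest_version:
        refresh(db)                                # stale library: update first
    matched = extract_features(data) & set(db.entries)
    if not matched:
        return {"name": name, "verdict": "released", "ops": []}          # 206b
    ops = []
    for feat in sorted(matched):
        for op in db.entries[feat]:
            if op not in ops:
                ops.append(op)
    ctx = {"name": name, "quarantined": [], "restored": []}
    return {"name": name, "verdict": "defended", "matched": sorted(matched),
            "ops": [op(ctx) for op in ops], "ctx": ctx}                  # 206a

def refresh_from_latest(db):
    update_feature_db(db, SUSPICIOUS_FILES, SANDBOX_TRACES, "2.3")

if __name__ == "__main__":
    db = FeatureDB(version="2.2")                  # stale, so the scan refreshes it
    # A rebuilt dropper: different bytes and hash, same configuration items.
    variant = b"MZ\x90\x00\x07CONFIG=persist;url=http://c2.invalid/beacon;\x11"
    print(scan_target(db, "dropper_v2.bin", variant, "2.3", refresh_from_latest))
    print(scan_target(db, "notes.bin", b"CONFIG=report;", "2.3", refresh_from_latest))
```

Two points a practitioner would weigh when turning this into a real system. First, the choice of feature information sets the false-positive rate: a generic item such as `CONFIG=persist` could occur in legitimate software, so features learned this way need a whitelist check against known-good files before they are bound to a removal operation, otherwise the bound code runs on benign targets. Second, the library only learns from samples that misbehave in the preset execution environment; a sample that detects the virtual machine and stays dormant triggers no event there, yields no defense feature information, and will be released by step 206b until it is observed elsewhere.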
进一步的,作为对上述图1所示方法的实现,本发明实施例提供了一种病毒防御的优化装置,如图3所示,该装置包括:判定模块31、调取模块32。Further, as an implementation of the method shown in FIG. 1 , an embodiment of the present invention provides a virus defense optimization device. As shown in FIG. 3 , the device includes: a determination module 31 and a retrieval module 32 .
判定模块31,用于判断目标文件中的特征信息与预置防御特征库中的防御特征信息是否匹配,所述预置防御特征库中的防御特征信息是根据不同防御场景下对可疑文件预期查杀、和/或修复确定的;The determination module 31 is used to determine whether the feature information in the target file matches the defense feature information in the preset defense feature database. The defense feature information in the preset defense feature database is based on the expected search of suspicious files in different defense scenarios. Kill and/or repair determined;
调取模块32,用于若所述特征信息与所述防御特征信息匹配,则调取与所述防御特征信息绑定的防御操作,执行所述防御操作。The retrieval module 32 is configured to retrieve a defense operation bound to the defense feature information and execute the defense operation if the feature information matches the defense feature information.
本发明提供了一种病毒防御的优化装置,与现有对计算机病毒的防御仅仅通过将病毒特征存储至病毒库后,编写具有针对性的查杀工具相比,本发明实施例通过判定目标文件中的特征信息与预期查杀、和/或修复的可疑文件中特征信息确定的防御特征信息是否匹配,若匹配,则调取绑定的防御操作进行防御,实现预先对快速变化的病毒进行防御的目的,满足新型病毒产生时,预先查杀或修复的目的,减少系统防御的失效可能性,降低技术人员的操作要求及防御成本,从而提高计算机病毒的防御效率。The present invention provides an optimization device for virus defense. Compared with the existing defense against computer viruses that only stores virus characteristics in a virus database and then writes targeted killing tools, the embodiment of the present invention determines the target file by Whether the characteristic information in the suspicious file matches the defense characteristic information determined by the characteristic information in the suspicious file that is expected to be killed and/or repaired. If it matches, the bound defense operation will be called for defense to achieve advance defense against rapidly changing viruses. The purpose is to meet the purpose of pre-checking or repairing new viruses when they are generated, reducing the possibility of system defense failure, reducing the operating requirements and defense costs of technical personnel, thereby improving the defense efficiency of computer viruses.
Further, as an implementation of the method shown in Figure 2 above, an embodiment of the present invention provides another virus-defense optimization apparatus. As shown in Figure 4, the apparatus comprises: a judgment module 41, a retrieval module 42, a loading module 43, an analysis module 44, a determination module 45, a binding module 46, a release module 47, a detection module 48, an execution module 49, an update module 410 and an output module 411.
The judgment module 41 is configured to judge whether the feature information in a target file matches the defense feature information in a preset defense feature library, where the defense feature information in the preset defense feature library is determined according to the expected removal and/or repair of suspicious files in different defense scenarios;
The retrieval module 42 is configured to, if the feature information matches the defense feature information, retrieve the defense operation bound to that defense feature information and execute the defense operation.
Further, the apparatus also includes:
The loading module 43 is configured to load suspicious files from different defense scenarios at preset time intervals;
The analysis module 44 is configured to analyze whether the expected actions performed by a suspicious file trigger a removal event and/or a repair event;
The determination module 45 is configured to, if a removal event and/or a repair event is triggered, determine the feature information in the suspicious file as defense feature information and update it into the preset defense feature library.
Further, the analysis module 44 includes:
A copying unit 4401, configured to copy all files corresponding to the expected actions performed by the suspicious file;
A judging unit 4402, configured to execute the suspicious file and all of those files in a preset execution environment and judge whether the executed operations include an attack operation, so as to determine whether a removal event and/or a repair event is triggered.
Further, the apparatus also includes:
The binding module 46 is configured to look up, in a removal code library and/or a repair code library, the removal code and/or repair code matching the defense feature information and bind it to that feature information; the removal code library and/or repair code library are kept updated with code expected to remove, and/or to repair the effects of, different computer viruses.
Further, the apparatus also includes:
The release module 47 is configured to release the target file if the feature information does not match the defense feature information.
Further, the apparatus also includes:
The detection module 48 is configured to detect whether the version information of the preset defense feature library matches the updated version information;
The execution module 49 is configured to, if the versions match, execute the step of judging whether the feature information in the target file matches the defense feature information in the preset defense feature library;
The update module 410 is configured to update the preset defense feature library if the versions do not match.
Further, the apparatus also includes:
The output module 411 is configured to output the target file on which the defense operation was performed.
The present invention provides another virus-defense optimization apparatus. The embodiment of the present invention judges whether the feature information in a target file matches defense feature information that was determined from the feature information of suspicious files expected to be removed and/or repaired; if it matches, the bound defense operation is retrieved and used to defend. This achieves advance defense against rapidly changing viruses, meets the goal of pre-emptive removal or repair when a new virus appears, reduces the likelihood of system defense failure, lowers the operational demands on technical personnel and the cost of defense, and thereby improves the efficiency of computer-virus defense.
According to one embodiment of the present invention, a storage medium is provided. The storage medium stores at least one executable instruction, and that computer-executable instruction can perform the virus-defense optimization method of any of the method embodiments above.
Figure 5 shows a schematic structural diagram of a computer device according to an embodiment of the present invention; the specific embodiments of the present invention do not limit the concrete implementation of the computer device.
As shown in Figure 5, the computer device may include: a processor 502, a communications interface 504, a memory 506 and a communication bus 508.
The processor 502, the communications interface 504 and the memory 506 communicate with one another over the communication bus 508.
The communications interface 504 is used to communicate with network elements of other devices, such as clients or other servers.
The processor 502 is configured to execute a program 510, and in particular may perform the relevant steps of the virus-defense optimization method embodiments above.
Specifically, the program 510 may include program code, and the program code includes computer operating instructions.
The processor 502 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention. The one or more processors included in the computer device may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs together with one or more ASICs.
The memory 506 is used to store the program 510. The memory 506 may include high-speed RAM and may also include non-volatile memory, for example at least one disk memory.
The program 510 may specifically be used to cause the processor 502 to perform the following operations:
judging whether the feature information in a target file matches the defense feature information in a preset defense feature library, where the defense feature information in the preset defense feature library is determined according to the expected removal and/or repair of suspicious files in different defense scenarios;
if the feature information matches the defense feature information, retrieving the defense operation bound to that defense feature information and executing the defense operation.
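The following Python models the module chain of Figure 4 and the two operations program 510 performs: sandbox-report analysis, binding the resulting feature to removal or repair code, the library version check, and match-or-release on a target file. It is an added illustration, not the patent's code; the feature definition (SHA-256 of the file content), the attack-action list, the kill_op/repair_op stand-ins and the sample reports are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# A defence operation bound to a feature: takes the target file's bytes and
# reports what was done. kill_op/repair_op are hypothetical stand-ins for
# entries in the patent's removal code library and repair code library.
DefenseOp = Callable[[bytes], str]

def kill_op(data: bytes) -> str:
    return "quarantined"      # a real implementation would isolate the file

def repair_op(data: bytes) -> str:
    return "restored"         # a real implementation would undo the damage

# Module 46: the code library from which the operation for an event is bound.
CODE_LIBRARY: Dict[str, DefenseOp] = {"kill": kill_op, "repair": repair_op}

# Behaviour classed as an "attack operation" in the preset execution
# environment (constructed list; the patent does not enumerate one).
ATTACK_ACTIONS = {"inject_process", "write_boot_sector", "delete_shadow_copies"}

def feature_of(data: bytes) -> str:
    """Feature information of a file; SHA-256 of the content is assumed here."""
    return hashlib.sha256(data).hexdigest()

@dataclass
class DefenseLibrary:
    """Preset defence feature library: version plus feature -> bound operation."""
    version: str
    features: Dict[str, DefenseOp] = field(default_factory=dict)

    def update_from(self, published: "DefenseLibrary") -> None:
        """Module 410: merge the published library and adopt its version."""
        self.features.update(published.features)
        self.version = published.version

def analyse(report: List[str]) -> Optional[str]:
    """Unit 4402: does the behaviour report trigger a kill or a repair event?
    Destructive behaviour is bound to repair code, anything else to kill code."""
    hits = ATTACK_ACTIONS.intersection(report)
    if not hits:
        return None
    return "repair" if "delete_shadow_copies" in hits else "kill"

def learn(lib: DefenseLibrary, sample: bytes, report: List[str]) -> bool:
    """Modules 44-46: sample plus sandbox report -> feature bound to code."""
    event = analyse(report)
    if event is None:
        return False
    lib.features[feature_of(sample)] = CODE_LIBRARY[event]
    return True

def defend(lib: DefenseLibrary, target: bytes, published: DefenseLibrary) -> str:
    """Modules 48/49/410, then 41/42/47: version check, match, act or release."""
    if lib.version != published.version:        # module 48: library stale?
        lib.update_from(published)               # module 410
    op = lib.features.get(feature_of(target))    # module 41
    if op is None:
        return "released"                        # module 47: no match
    return op(target)                            # module 42: bound operation

def run_demo() -> Dict[str, str]:
    """Constructed walk-through: learn from sandbox reports, then scan targets."""
    lib = DefenseLibrary(version="1")
    dropper, wiper, benign = b"constructed dropper", b"constructed wiper", b"ok"
    learn(lib, dropper, ["open_file", "inject_process"])   # kill event
    learn(lib, benign, ["open_file", "read_registry"])     # no event, not added
    published = DefenseLibrary(version="2", features=dict(lib.features))
    learn(published, wiper, ["delete_shadow_copies"])      # repair event
    return {"dropper": defend(lib, dropper, lib),          # match -> quarantined
            "benign": defend(lib, benign, lib),            # no match -> released
            "wiper": defend(lib, wiper, published),        # stale -> update, restored
            "version": lib.version}                        # "2" after the update
```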
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein may be implemented in a variety of programming languages, and that the description above of a specific language is given to disclose the best mode of carrying out the invention.
Numerous specific details are set forth in the description provided here. It will be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in the above description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into that detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may in practice be used to implement some or all of the functions of some or all of the components of the asset-data management method and apparatus according to embodiments of the present invention. The invention may also be implemented as a device or apparatus program (for example a computer program or computer program product) for performing part or all of the methods described herein. Such a program implementing the invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any order; these words may be interpreted as names.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910943741.6A (publication CN112580036B) | 2019-09-30 | 2019-09-30 | Virus defense optimization method and device, storage medium and computer equipment |
| Publication Number | Publication Date |
|---|---|
| CN112580036A | 2021-03-30 |
| CN112580036B | 2024-01-30 |
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |