Virus detection and processing method for network transmission data

Abstract

The invention discloses a virus detection and processing method for network transmission data. It uses zero-copy memory and uses virtual memory to map the data packets of the transferred files from the kernel layer to the user layer; it analyzes the application layer protocol, restores the transferred files and sends them to the virus detection engine for detection, so that the antivirus wall system and the kernel are coupled It is small and stable; it abandons the traditional proxy connection technology, adopts a unique packet deduction mechanism, and without changing any characteristics of the original connection, through the double detection of the stream engine and the file engine, it ensures timely detection of virus-infected files. and accurate blocking.

Description

technical field [0001] The invention relates to the technical field of data virus detection and processing, in particular to a method for network transmission data virus detection and processing. Background technique [0002] Generally, existing virus processing technologies for processing computer viruses include two types: proxy firewall technology and anti-virus engine technology. [0003] Proxy firewall technology: [0004] Different from the packet filtering firewall, which only performs data flow feature matching and filtering, the proxy firewall replaces the direct communication between the client and the server through a proxy connection, and performs protocol analysis and file restoration at the application layer for more in-depth security analysis and processing; [0005] Anti-virus engine technology: [0006] The anti-virus engine usually refers to the method of scanning and killing viruses running on the operating system (such as the Windows operating system). ...

AI Technical Summary

Problems solved by technology

[0013] 1) The transparent proxy antivirus wall system replaces the original connection with a pair of connections (takeover connection and proxy connection). In a high-throughput environment (such as a Gigabit or 10 Gigabit backbone network), the scalability is poor, and it usually cannot meet the performance requirements;

[0014] 2) Although the proxy connection of the transparent proxy keeps the IP address and TCP port of the original connection, it is still different in finer connection characteristics (such as TCP sequence number);

[0015] 3) The transparent proxy technology is usually based on the netfilter mechanism of the Linux kernel (a Linux 2.4 kernel firewall technology proposed by Rusty Russell), which uses an address translation technology similar to NAT and is highly coupled with the kernel. The implementation is complex, the error rate is high, and potential errors are unknown Many, it is difficult to upgrade synchronously when the kernel version is upgraded

However, at present, most backbone networks have introduced redundancy mechanisms. If the two-way data packets of the TCP connection flow through different links, the antivirus wall cannot work normally, and even normal network communication will be affected;

Images