When stream-based virus detection is performed on a portable execute (PE) file, only several data packets carrying a PE file header need to be reassembled, and matching a characteristic extracted from the PE file header with a characteristic that is of a known virus and that is prestored in an antivirus database is performed, where it is unnecessary to reassemble the entire file. Therefore, compared with a manner of characteristic-based virus detection for an entire file, performance of the stream-based virus detection thereof is higher.
Structure information in the PE file header describes various attribute information of the PE file in detail, such as information like a quantity of sections of the file, a data length of each section, a program start instruction address, and a platform required for running a program. A virus detecting method for performing detection on a PE file is extracting identification information from structure information of a PE file header, where the identification information may include combination of several pieces of information selected from the foregoing various attribute information, and comparing the identification information with a prestored virus characteristic, so as to detect whether the PE file carries a virus. Because PE file viruses account for more than 95% of all viruses, and if spreading of the PE file viruses can be effectively controlled on a network, security status of the network can be greatly improved.
An installation package file and a self-extracting file belong to PE files including additional data, and are also called Archive files. This kind of file includes two parts, where a first part is a complete PE file, and a second part is a data part. A large number of Archive files are merely different in a data part, and are completely the same in a PE file part. If the identification information is extracted from the structure information in the PE file header according to the existing method, and is used as a criterion to detect a virus file, all Archive-type files corresponding to the virus file are incorrectly detected as viruses.
At present, a common practice for solving the foregoing problem is skipping virus detection for an Archive file. However, a virus file can be easily processed into an Archive file, and if a virus spreader uses this characteristic to prepare a file including a virus into the Archive file, the existing stream-based virus detecting method for a PE file cannot determine whether an Archive file is a virus file carrying a virus.