An application installation package is usually a compressed file, and the compressed file usually may include a resource file, a configuration file, an executable file, etc.
In the prior art, in order to check whether an application installation package is rogue software or a virus, the application installation package needs to be decompressed to acquire a complete executable file. Then, decompilation analysis is performed on the complete executable file in the internal memory to extract feature information. Then, the extracted feature information is compared to feature information contained in the virus samples in a pre-set virus feature library, thus checking whether the application installation package is rogue software or a virus-infected file.
There are at least the following problems in the prior art: in the prior art, when virus checking of an application installation package is required, the application installation package needs to be decompressed first to acquire a complete executable file, then decompilation analysis is performed on the acquired complete executable file in the internal memory to extract feature information. When the executable file is relatively large, storing the complete executable file in the internal memory will occupy much memory, and the process of extracting feature information is relatively time-consuming. Therefore, the virus checking efficiency of the prior art solution for checking whether an application installation package is a virus or rogue software is relatively low.