Nowadays, as malicious programs continue to multiply, the traditional approach to killing viruses, in which detection is based on feature codes and a regularly updated virus library, can no longer cope. This has driven the rise of cloud security technology, in which a large number of clients track and kill malicious programs.
Most cloud security technologies in the prior art combine a local engine on the client with a cloud security server, and kill a malicious program in the following way:
The local engine of the client scans according to its built-in scanning positions and sends the features of any unknown program file that cannot be identified locally to the cloud security server. The cloud security server compares the received features of the program file and judges whether it is a malicious program. If it is a malicious program, the local engine of the client processes it according to its preset malicious program processing method.
However, when the author of a malicious program works against security software, the malicious program, in order to evade detection by security protection software, will find a new usable point in the operating system or a point that the security software disregards, and thereby bypass detection and killing by the security software. The security vendor must therefore analyze samples of the new malicious programs in order to update the security software on the client. While the security software is being upgraded, however, the malicious program has already spread widely. It is thus clear that the prior-art methods cannot detect and kill a malicious program in a timely manner.
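The prior-art flow and its gap, modelled as an added sketch that is not code from this document. The position names, the SHA-256 feature, the verdict table and all function names are assumptions constructed for illustration. The cloud is assumed to already hold a verdict for the third sample, to show that the client never asks about a file outside its built-in scanning positions.

```python
import hashlib

# Constructed sample data: position name -> list of (file name, file bytes).
SYSTEM = {
    "startup_items": [("known_bad.bin", b"sample-A"), ("tool.bin", b"benign-1")],
    "services": [("unknown_bad.bin", b"sample-B")],
    "overlooked_point": [("new_bad.bin", b"sample-C")],  # not covered by the client
}

def feature(data):
    """Feature of a program file; a SHA-256 digest is assumed here."""
    return hashlib.sha256(data).hexdigest()

LOCAL_SIGNATURES = {feature(b"sample-A")}             # local virus library
CLOUD_VERDICTS = {feature(b"sample-B"): "malicious",  # cloud server knowledge
                  feature(b"sample-C"): "malicious",
                  feature(b"benign-1"): "safe"}

def cloud_judge(feat):
    """Server side: compare the received feature and return a verdict."""
    return CLOUD_VERDICTS.get(feat, "unknown")

def client_scan(scan_positions, preset_action="quarantine"):
    """Prior-art client: scan only built-in positions, ask the cloud about unknowns."""
    handled, cloud_queries = {}, 0
    for position in scan_positions:
        for name, data in SYSTEM.get(position, []):
            feat = feature(data)
            if feat in LOCAL_SIGNATURES:
                handled[name] = preset_action
                continue
            cloud_queries += 1           # file could not be identified locally
            if cloud_judge(feat) == "malicious":
                handled[name] = preset_action
    return handled, cloud_queries

def missed(scan_positions):
    """Malicious files never examined because their position is not scanned."""
    handled, _ = client_scan(scan_positions)
    return sorted(name for files in SYSTEM.values() for name, data in files
                  if (feature(data) in LOCAL_SIGNATURES
                      or cloud_judge(feature(data)) == "malicious")
                  and name not in handled)

if __name__ == "__main__":
    shipped = ["startup_items", "services"]        # positions built into the client
    print(client_scan(shipped))                    # two files quarantined, 2 cloud queries
    print(missed(shipped))                         # ['new_bad.bin']
    print(missed(shipped + ["overlooked_point"]))  # [] only after a client upgrade
```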