WO2024075868A1

WO2024075868A1 - Method for notifying of inflow of malicious files when moving files in network separation environment, and device therefor

Info

Publication number: WO2024075868A1
Application number: PCT/KR2022/015022
Authority: WO
Inventors: 조성욱
Original assignee: 시큐레터 주식회사
Priority date: 2022-10-06
Filing date: 2022-10-06
Publication date: 2024-04-11
Also published as: KR102503699B1

Abstract

The present specification relates to a method by which a server handles the inflow of malicious files in a network separation environment, the method comprising: receiving a target file from an inter-network data transmission system; inspecting malicious code of the target file; modifying the target file according to reading results of the target file on the basis that the malicious code is included in the target file; and transmitting the modified target file to the inter-network data transmission system, wherein the reading results can indicate the possibility or impossibility of sanitization of the target file.

Description

Method and device for notifying the inflow of malicious files when moving files in a network separation environment

This specification relates to a method and device for notifying that a malicious file has been introduced to a user server when a file is moved from an external network to an internal network in a separated network environment.

Advanced Persistent Threat (APT) attacks involve attackers selecting specific targets and applying advanced attack techniques to continuously utilize various types of malicious code to steal targeted information. In particular, APT attacks are often not detected in the initial intrusion stage, and non-portable executable (Non-PE) files containing malicious code are often used rather than executable (portable executable, PE) files.

A non-executable file is the opposite of an executable file and refers to a file that does not run on its own. Examples of non-executable files include document files such as Word files, Excel files, Hangul files, and PDF files, image files, video files, JavaScript files, and HTML files. The reason why non-executable files containing malicious code are often used in APT attacks is because applications that run non-executable files have a certain degree of security vulnerability. In addition, if malicious code is included in a non-executable file, variant malicious code can be easily created by changing the file.

A document action is the act of executing an action in an application program involving a non-executable file. Since existing APT solutions operate based on document behavior, they determine whether it is malicious by observing changes in the sandbox (Virtural Machine, VM) after document behavior occurs. This takes a long time to analyze because it waits for all document actions to occur before determining whether they are malicious. Additionally, existing APT solutions such as CDR can remove malicious active content, but cannot eliminate vulnerabilities arising from essential elements of the document (e.g., body, font), creating a security gap.

The purpose of network separation is to prevent external intrusion and leakage of internal information by separating the internal network and external network. In a network separation environment, the inter-network data transmission system can move files from an external server to an internal server through network linkage. After checking the target file for malicious code (e.g., anti-virus, APT check), if the file is a malicious file, the malicious file is generally not sent to the internal server. However, in this case, users of the internal server cannot access the external server, so they cannot receive notifications about malicious files.

The purpose of this specification is to propose a method and device for clearly notifying the internal server of whether the file is malicious when a file is moved in a network partition environment.

The problems to be solved by the present disclosure are not limited to the problems mentioned above, and other technical problems not mentioned can be clearly understood by those skilled in the art from the description below.

According to an embodiment of the present specification, a method for a server to handle the inflow of malicious files in a network separation environment includes: receiving a target file from an inter-network data transmission system; inspecting the target file for malicious code; Modifying the target file according to a reading result of the target file, based on whether the target file contains malicious code; and transmitting the modified target file to the network-to-network data transmission system. It includes, and the read result may indicate the possibility or impossibility of rendering the target file harmless.

Additionally, the modifying step includes adding a string indicating that the detoxification has been completed to the file name of the target file; may include.

In addition, the modifying step includes adding a string indicating that the target file contains the malicious code to the file name of the target file, based on the read result indicating the impossibility of rendering the target file harmless; may include.

Additionally, the modifying step may further include modifying the target file as a dummy file.

In addition, the modifying step includes performing a reversing analysis on the target file, detecting at least one of vulnerabilities and contents in the target file, and storing the detection result; Performing detoxification on content in the target file and storing the detoxification result; and generating the readout result based on the detection result and the detoxification result; may further include.

Additionally, according to an embodiment of the present specification, a server that processes the inflow of malicious files in a network separation environment includes: a communication unit; Memory with reversing engine and CDR engine; and a processor that functionally controls the communication unit and the memory; It includes, wherein the processor receives the target file from the inter-network data transmission system through the communication unit, checks the target file for malicious code, and based on whether the target file contains malicious code, According to the file reading result, the target file is modified and the modified target file is transmitted to the network data transmission system, and the reading result may indicate the possibility or impossibility of detoxification of the target file.

According to an embodiment of the present specification, when a file is moved in a network separation environment, the server can clearly inform the internal server about whether the file is malicious.

The effects of the present disclosure are not limited to the effects mentioned above, and other effects not mentioned may be clearly understood by those skilled in the art from the description below to those skilled in the art.

1 is a block diagram showing the configuration of an electronic device related to an embodiment of the present disclosure.

Figure 2 is a block diagram showing the configuration of a device for blocking malicious non-executable files according to an embodiment of the present disclosure.

Figure 3 is a diagram illustrating normal input and abnormal input that can be applied to an embodiment of the present disclosure.

Figure 4 is a diagram illustrating the execution flow of an application when a normal value is input and the execution flow of an application when an abnormal value is input.

Figure 5 is a flowchart illustrating a method for determining document behavior that can be applied to an embodiment of the present disclosure.

Figure 6 is a flowchart illustrating a method for blocking non-executable files that can be applied to an embodiment of the present disclosure.

FIG. 7 is a flowchart specifically illustrating the detection result storage step (S6100) of FIG. 6.

Figure 8 is a diagram showing an example of a detection result by a reversing engine.

Figure 9 is a diagram showing another example of a detection result by a reversing engine.

FIG. 10 is a flow chart specifically illustrating the detoxification result storage step (S6200) of FIG. 6.

Figure 11 is a diagram showing an example of the detoxification result by the CDR engine.

Figure 12 is a diagram showing another example of the detoxification result by the CDR engine.

FIG. 13 is a flowchart specifically illustrating the read result generation step (S6300) of FIG. 6.

Figure 14 is a diagram illustrating a reading result screen displayed through a terminal.

Figure 15 is an example of a network separation system to which this specification can be applied.

Figure 16 is an embodiment of a server to which this specification can be applied.

Figure 17 is an example of target file modification to which this specification can be applied.

The accompanying drawings, which are included as part of the detailed description to aid understanding of the present specification, provide embodiments of the present specification and explain technical features of the present specification together with the detailed description.

The advantages and features of the present disclosure and methods for achieving them will become clear by referring to the embodiments described in detail below along with the accompanying drawings. However, the present disclosure is not limited to the embodiments posted below and may be implemented in various different forms. These embodiments are merely provided to ensure that the present disclosure is complete and to fully inform those skilled in the art of the scope of the invention, and that the present disclosure is defined only by the scope of the claims. .

Unless otherwise defined, all terms (including technical and scientific terms) used in this specification may be used with meanings that can be commonly understood by those skilled in the art to which this disclosure pertains. Additionally, terms defined in commonly used dictionaries are not interpreted ideally or excessively unless clearly specifically defined.

The terminology used herein is for the purpose of describing embodiments and is not intended to limit the disclosure. In this specification, the singular form also includes the plural form unless specifically mentioned in the text. As used in the specification, “comprises” and/or “comprising” does not exclude the presence or addition of one or more other elements in addition to the mentioned elements.

Hereinafter, embodiments disclosed in the present specification will be described in detail with reference to the attached drawings. However, identical or similar components will be assigned the same reference numbers regardless of reference numerals, and duplicate descriptions thereof will be omitted.

The suffixes “module” and “part” for components used in the following description are given or used interchangeably only for the ease of preparing the specification, and do not have distinct meanings or roles in themselves. Additionally, in describing the embodiments disclosed in this specification, if it is determined that detailed descriptions of related known technologies may obscure the gist of the embodiments disclosed in this specification, the detailed descriptions will be omitted. In addition, the attached drawings are only for easy understanding of the embodiments disclosed in this specification, and the technical idea disclosed in this specification is not limited by the attached drawings, and all changes included in the spirit and technical scope of this specification are not limited. , should be understood to include equivalents or substitutes.

Terms containing ordinal numbers, such as first, second, etc., may be used to describe various components, but the components are not limited by the terms. The above terms are used only for the purpose of distinguishing one component from another.

When a component is said to be "connected" or "connected" to another component, it is understood that it may be directly connected to or connected to the other component, but that other components may exist in between. It should be. On the other hand, when it is mentioned that a component is “directly connected” or “directly connected” to another component, it should be understood that there are no other components in between.

Singular expressions include plural expressions unless the context clearly dictates otherwise.

In this specification, terms such as “comprise” or “have” are intended to indicate the presence of features, numbers, steps, operations, components, parts, or combinations thereof described in the specification, but are not intended to indicate the presence of one or more other features. It should be understood that this does not exclude in advance the possibility of the existence or addition of elements, numbers, steps, operations, components, parts, or combinations thereof.

Additionally, the term “unit” used in the specification refers to a software or hardware component, and the “unit” performs certain roles. However, “wealth” is not limited to software or hardware. The “copy” may be configured to reside on an addressable storage medium and may be configured to run on one or more processors. Thus, as an example, “part” refers to software components, such as object-oriented software components, class components, and task components, processes, functions, properties, procedures, Includes subroutines, segments of program code, drivers, firmware, microcode, circuits, data, databases, data structures, tables, arrays, and variables. The functionality provided within the components and “parts” may be combined into smaller numbers of components and “parts” or may be further separated into additional components and “parts”.

Additionally, according to an embodiment of the present specification, “unit” may be implemented with a processor and memory. The term “processor” should be interpreted broadly to include general purpose processors, central processing units (CPUs), microprocessors, digital signal processors (DSPs), controllers, microcontrollers, state machines, etc. In some contexts, “processor” may refer to an application-specific integrated circuit (ASIC), programmable logic device (PLD), field programmable gate array (FPGA), etc. The term “processor” refers to a combination of processing devices, for example, a combination of a DSP and a microprocessor, a combination of a plurality of microprocessors, a combination of one or more microprocessors in combination with a DSP core, or any other such combination of configurations. It may also refer to

The term “memory” should be interpreted broadly to include any electronic component capable of storing electronic information. The terms memory include random access memory (RAM), read-only memory (ROM), non-volatile random access memory (NVRAM), programmable read-only memory (PROM), erasable-programmable read-only memory (EPROM), electrical may refer to various types of processor-readable media, such as erasable PROM (EEPROM), flash memory, magnetic or optical data storage, registers, etc. A memory is said to be in electronic communication with a processor if the processor can read information from and/or write information to the memory. The memory integrated into the processor is in electronic communication with the processor.

'Non-executable file' as used herein is the opposite of an executable file or executable file and refers to a file that does not execute on its own. For example, non-executable files may be document files such as PDF files, Hangul files, Word files, image files such as JPG files, video files, JavaScript files, HTML files, etc., but are not limited thereto.

Hereinafter, with reference to the attached drawings, embodiments will be described in detail so that those skilled in the art can easily implement them. In order to clearly explain the present disclosure in the drawings, parts unrelated to the description may be omitted.

도 1은 본 개시의 실시예와 관련된 전자 기기의 구성을 도시한 블록도이다. 1 is a block diagram showing the configuration of an electronic device related to an embodiment of the present disclosure.

The electronic device 100 includes a wireless communication unit 110, an input unit 120, a sensing unit 140, an output unit 150, an interface unit 160, a memory 170, a control unit 180, and a power supply unit 190. ), etc. may be included. The components shown in FIG. 1 are not essential for implementing the electronic device 100, so the electronic device 100 described herein may have more or fewer components than those listed above. there is.

More specifically, among the above components, the wireless communication unit 110 is used between the electronic device 100 and the wireless communication system, between the electronic device 100 and another electronic device 100, or between the electronic device 100 and an external server. It may include one or more modules that enable wireless communication. Additionally, the wireless communication unit 110 may include one or more modules that connect the electronic device 100 to one or more networks.

This wireless communication unit 110 may include at least one of a broadcast reception module 111, a mobile communication module 112, a wireless Internet module 113, a short-range communication module 114, and a location information module 115.

The input unit 120 may include a camera 121 or an image input unit for inputting an image signal, a microphone 122 or an audio input unit for inputting an audio signal, and a user input unit 123 for receiving information from a user. Examples of the user input unit 123 include touch keys and push keys (mechanical keys). Voice data or image data collected by the input unit 120 may be analyzed and processed as a user's control command.

The sensing unit 140 may include one or more sensors for sensing at least one of information within the electronic device 100, information on the surrounding environment surrounding the electronic device 100, and user information. For example, the sensing unit 140 includes a proximity sensor 141, an illumination sensor 142, a touch sensor, an acceleration sensor, and a magnetic sensor. , gravity sensor (G-sensor), gyroscope sensor, motion sensor, RGB sensor, infrared sensor (IR sensor), fingerprint scan sensor, ultrasonic sensor sensor), an optical sensor such as the camera 121, a battery gauge, an environmental sensor (e.g., a barometer, a soil hygrometer, a thermometer, a radiation detection sensor, a heat detection sensor, a gas detection sensor, etc.) , may include at least one of chemical sensors (eg, electronic nose, healthcare sensor, biometric sensor, etc.). Meanwhile, the electronic device 100 disclosed in this specification can utilize information sensed by two or more of the illustrated sensors by combining them.

The output unit 150 is used to generate output related to vision, hearing, or tactile senses. The output unit 150 may include at least one of a display unit 151, an audio output unit 152, a haptip module 153, and an optical output unit 154. The display unit 151 can implement a touch screen by forming a layered structure or being integrated with the touch sensor. This touch screen functions as a user input unit 123 that provides an input interface between the electronic device 100 and the user, and can simultaneously provide an output interface between the electronic device 100 and the user.

The interface unit 160 serves as a passageway for various types of external devices connected to the electronic device 100. This interface unit 160 is provided with a wired/wireless headset port, an external charger port, a wired/wireless data port, a memory card port, and an identification module. It may include at least one of a port for connecting a connected device, an audio input/output port, a video input/output port, and an earphone port. In response to the external device being connected to the interface unit 160, the electronic device 100 may perform appropriate control related to the connected external device.

Additionally, the memory 170 stores data supporting various functions of the electronic device 100. The memory 170 may store a plurality of application programs (application programs or applications) running on the electronic device 100, data for operating the electronic device 100, and commands. At least some of these applications may be downloaded from an external server via wireless communication. In addition, at least some of these applications will be present on the electronic device 100 from the time of shipment for the basic functions of the electronic device 100 (e.g., call incoming call function, call outgoing function, message receiving function, message sending function). You can. Meanwhile, the application program may be stored in the memory 170, installed on the electronic device 100, and driven by the control unit 180 to perform an operation or function of the electronic device.

In addition to operations related to the application program, the control unit 180 typically controls the overall operation of the electronic device 100. The control unit 180 can provide or process appropriate information or functions to the user by processing signals, data, information, etc. input or output through the components discussed above, or by running an application program stored in the memory 170.

Additionally, the control unit 180 may control at least some of the components examined with FIG. 1 in order to run an application program stored in the memory 170. Furthermore, the control unit 180 may operate at least two of the components included in the electronic device 100 in combination with each other in order to run the application program.

The power supply unit 190 receives external power and internal power under the control of the control unit 180 and supplies power to each component included in the electronic device 100. This power supply unit 190 includes a battery, and the battery may be a built-in battery or a replaceable battery.

At least some of the components may cooperate with each other to implement operation, control, or a control method of the electronic device 100 according to various embodiments described below. Additionally, the operation, control, or control method of the electronic device 100 may be implemented on the electronic device 100 by running at least one application program stored in the memory 170.

Meanwhile, in an embodiment of the present disclosure, a server (or cloud server) may include an electronic device 100, and the electronic device 100 may be collectively referred to as a terminal. The terminal can communicate with an external server (or external cloud server) by being connected to a network.

Figure 2 is a block diagram showing the configuration of a device for blocking malicious non-executable files according to an embodiment of the present disclosure. Hereinafter, for convenience of explanation, the malicious non-executable file blocking device will be referred to as 'server'.

Referring to FIG. 2, the server 200 may include a control unit 210, a result reading unit 220, and a communication unit 230. The control unit 210 may include a processor 212 and a memory 214. The processor 212 may execute instructions stored in the memory 214. The processor 212 can control the communication unit 230. Memory 214 may include cache memory. Cache memory can temporarily store original documents, which will be described later, for a certain period of time.

The processor 212 may control the operation of the server 200 based on instructions stored in the memory 220. The server 200 may include one processor or may include multiple processors. When the server 200 includes a plurality of processors, at least some of the plurality of processors may be located physically spaced apart from each other. Additionally, the server 200 is not limited to this and may be implemented in various known ways.

The communication unit 230 may include one or more modules that enable wireless communication between a server and a wireless communication system, between a server and another server, or between a server and an external server (terminal). Additionally, the communication unit 230 may include one or more modules that connect servers to one or more networks.

The control unit 210 may control at least some of the components of the server to run the application program stored in the memory 214. Furthermore, the control unit 210 can operate at least two of the components included in the server in combination with each other to run the application program.

In an embodiment of the present disclosure, the server 200 may include a reversing engine and a CDR engine. Hereinafter, the reversing engine and the CDR engine will be described in detail.

리버싱 엔진(Reversing engine)Reversing engine

The reversing engine is an analysis and diagnosis engine that automates the reverse engineering process for malicious non-executable files. This is called reverse engineering, and through this, the server 200 can learn about the principles and structure of the software by going up to the assembly level, a language that allows a computer to execute software without source code. Using this, the server 200 can know the structure of general software (eg, MS Office, PDF), malicious code behavior, and methods of exploiting vulnerabilities.

For example, the reversing engine may perform a file analysis step, a static analysis step, a dynamic analysis step, and a debugging analysis step. A brief explanation of each step is as follows.

1. File analysis step: This is the step of analyzing the appearance of the non-executable file itself (e.g., properties, author, creation date, file type). Similar to a general anti-virus program, it diagnoses whether it is malicious using only the information of the non-executable file itself. can do.

2. Static analysis step: This is a step to extract and analyze data in non-executable files to determine whether they are normal or malicious. Non-executable files are not executed, but internal data is extracted and compared and analyzed according to the file structure to diagnose maliciousness. You can. This may be suitable for extracting and analyzing macros and extracting and analyzing URLs.

3. Dynamic analysis stage: This is the stage where non-executable files are executed and monitored while their behavior is analyzed to determine whether they are malicious. This is to detect malicious behavior using the normal functions of the document, such as macros, hyperlinks, and DDE (Dynamic Data Exchange). It is easy to

4. Debugging analysis stage: This is the stage of analyzing vulnerabilities, exploits, etc. by executing and debugging non-executable files. It not only detects malicious behavior using normal functions of the document such as macros, hyperlinks, DDE, etc., but also analyzes the body of the document. , it is suitable for detecting vulnerabilities in applications using tables, fonts, pictures, etc.

The reversing engine may include a debugging engine that can be used for debugging analysis. The debugging engine can use the debugging mode during the viewing process of non-executable files to diagnose vulnerabilities that occur in the document input, processing, and output stages. Here, vulnerabilities refer to errors, bugs, etc. that occur when an application receives unexpected values from the code (logic) developed by the application developer. Through the vulnerability, an attacker can execute malicious document actions such as denial of service due to abnormal termination or remote code execution.

The debugging engine may include a debugger. A debugger is a tool for reverse engineering and can refer to a program or process that can set a breakpoint at the assembly level for another target program.

도 3은 본 개시의 실시예에 적용될 수 있는 정상 입력과 비정상 입력을 예시한 도면이다. Figure 3 is a diagram illustrating normal input and abnormal input that can be applied to an embodiment of the present disclosure.

The top of FIG. 3 is a diagram to explain a case where an application program receives a normal value through a non-executable file, and illustrates a case where the value of the Extended Counter Register (ECX) is normal data (00000001). The bottom of FIG. 3 is a diagram to explain a case where an application program receives an abnormal value through a non-executable file, and illustrates a case where the value of the ECX register is abnormal data (000000CC).

도 4는 정상적인 값이 입력된 경우의 응용 프로그램의 실행 흐름과 비정상적인 값이 입력된 경우의 응용 프로그램의 실행 흐름을 예시한 도면이다. Figure 4 is a diagram illustrating the execution flow of an application when a normal value is input and the execution flow of an application when an abnormal value is input.

Referring to Figure 4, when an application receives a normal value (for example, when the input value does not exceed the normal range of 2) through a non-executable file, the execution flow of the application is executed as intended by the developer. It goes with the flow.

On the other hand, if the application receives an abnormal value (for example, when the input value exceeds the normal range of 2) through a non-executable file, the execution flow of the application changes to an execution flow that the developer did not intend. , vulnerabilities can be triggered.

The debugging engine automatically debugs the document viewing process and sets breakpoints at specific points related to vulnerabilities. Additionally, it is possible to diagnose maliciousness by checking specific values (values stored in registers or memory) related to the input value to determine whether the input value is a value that causes a vulnerability.

More specifically, the debugging engine can determine the type of non-executable file and then start debugging by running an application to view the non-executable file. When a module related to document behavior is loaded in the process of viewing a non-executable file, the debugging engine checks whether the loaded module is the module to be analyzed. As a result of the confirmation, if the loaded module is the target of analysis, a breakpoint can be set at the specified address.

For example, a malicious non-executable file may terminate the application if it does not meet certain conditions, such as the application version or operating system environment, or may have branching points that diverge to a flow in which no malicious action occurs. The server 200 may be analyzed by an analyst in advance, and a breakpoint may be set at a branching point having this possibility.

Additionally, the server 200 may set conditions in association with the branch point that may continue to run the application without terminating it or lead to a flow in which malicious actions may occur.

If the process stops at the breakpoint during execution of the application process, the server 200 may detect vulnerabilities according to detection logic and then perform a step of storing the detection results. The stored detection result may be understood as a detection result report.

The automated reversing engine included in the server 200 automatically performs and analyzes the above-mentioned steps, and can diagnose and block malicious non-executable files through a diagnostic algorithm researched and developed by an analyst.

CDR 엔진(Contents Disarm and Reconstruction engine)CDR engine (Contents Disarm and Reconstruction engine)

The CDR engine provides CDR services. The CDR service is a solution that disassembles non-executable files, removes malicious or unnecessary files, and creates new files by keeping the content as identical as possible to the original.

In other words, CDR refers to a service that disarms and reconstructs the content in a document to create a safe document and provide it to customers. Here, the file subject to detoxification may be any non-executable file. Examples of non-executable files include Word files, Excel files, PowerPoint files, Hangul files, and PDF files. Content subject to detoxification may be active content. Examples of active content include macros, hyperlinks, and Object Linking and Embedding (OLE). According to an embodiment, the CDR engine may perform detoxification on content in a non-executable file and store the detoxification result. The stored detoxification result may be understood as a detoxification result report.

Referring again to FIG. 2, the result reading unit 220 generates a reading result for the decommissioned file based on the detection result provided from the reversing engine and the decommissioning result provided from the CDR engine. And based on the reading results, the detoxified file is allowed or blocked. Here, a detoxified file refers to a file for which detoxification has been completed. The results of reading the detoxified file and/or whether the detoxified file is blocked may be transmitted to the user's terminal and output through the terminal's output unit.

도 5는 본 개시의 실시예에 적용될 수 있는 문서 행위 판단 방법을 예시한 순서도이다. Figure 5 is a flowchart illustrating a method for determining document behavior that can be applied to an embodiment of the present disclosure.

Referring to FIG. 5, the server 200 may include a non-executable file and an application program for executing the non-executable file (eg, MS Office, Hancom Office, etc.).

The server 200 executes the application process in debugging mode (S4010). For example, the server 200 may execute a document process to open a non-executable file to be analyzed for an application program in debugging mode (DEBUG_ONLY_THIS_PROCESS) using the CreateProcess API. Through this, the server 200 can receive debug events of the application process.

In more detail, the server 200 can execute an application process by setting the “DEBUG_ONLY_THIS_PROCESS” flag using the CreateProcess API.

The server 200 sets a first breakpoint at a point matching document behavior based on the application process (S4020). For example, the server 200 may set a breakpoint by changing the operating (OP) code related to the process of the application program loaded in the memory 214 to “0xCC”. OP code refers to an instruction code and may be a code in which the content of work to be actually performed by the CPU is written. To this end, the server 200 can change the memory 214 using WriteProcessMemory.

The server 200 may have information about document actions and points at which the corresponding document actions are matched in advance. For example, the server 200 can install a breakpoint using the WriteProcessMemory API according to a predefined behavior matching breakpoint table.

The server 200 checks whether a non-executable file is running (S4030). More specifically, after setting a breakpoint, the server 200 checks whether other non-executable files for which analysis has been requested are being viewed. Depending on the function required by the non-executable file, the application process loads the necessary modules into the memory 214, so in order to ensure the reliability of determining the document behavior of the target non-executable file, the application program ensures that other non-executable files are not viewed. Must have status. For example, if a malicious non-executable file has been viewed, the reliability of the document behavior judgment result may be reduced.

The server 200 executes the non-executable file to be analyzed based on the fact that other non-executable files are not running (S4040). More specifically, the server 200 views the non-executable file that the user has requested analysis using an application program process (eg, EXCEL, WORD, PPT, etc.) appropriate for the format. For example, the server 200 can view the sample.ppt file using MS Power point.

The server 200 determines whether a new module related to the non-executable file to be analyzed has been loaded on the memory 214 (S4050). When the non-executable file to be analyzed is executed by the application process, the server 200 checks whether a new module is loaded.

For example, the server 200 can use the debugging mode to receive a debugging event when it occurs in an application process. The server 200 may use the event to determine that a new module (for example, DLL memory is installed) when a LOAD DLL event occurs. In more detail, the server 200 may determine that a new module has been loaded into the memory 214 when the “LOAD_DLL_DEBUG_EVENT” event occurs.

For example, the server 200 may load a new module suitable for the application process function into the memory 214 in order to use the necessary functions (e.g., macros, ActiveX functions, etc.) in the non-executable file to be analyzed. there is.

The server 200 sets a second breakpoint at a point matching document behavior based on the loading of the new module (S4060). If it is not determined that a new module has been loaded, the server 200 does not set a second breakpoint.

The server 200 monitors whether the application process is stopped at the first breakpoint and/or the second breakpoint (S4070). For example, the server 200 may check whether the application process is stopped at the breakpoint and process control is transferred to the debugger. The debugger that has taken over control can check at what breakpoint it stopped.

The server 200 generates document behavior information matching the first breakpoint and/or the second breakpoint based on the monitoring results (S4080). For example, the server 200 can check the address value of the breakpoint. Thereafter, the server 200 may generate information about the document action matched with the address value of the breakpoint based on the information about the corresponding document action and the point at which the corresponding document action matches, and store this information as a detection result.

Table 1 below is an example of document behavior matched with the address value of the stored breakpoint.

중단점 주소breakpoint address	문서 행위document act
0x123456780x12345678	문서에서 ActiveX 실행Run ActiveX in document

In addition, the server 200 may perform additional actions to obtain document actions. After step S4080, the server 200 determines whether the viewing of the non-executable file to be analyzed has ended (S4090). For example, the server 200 may determine whether the viewing of the non-executable file to be analyzed has ended in a manner such as when a preset time has passed or when a message box (Alert) or a breakpoint has not been reached for a certain period of time. If the viewing is not terminated, the server 200 continuously monitors whether the application process is stopped at a breakpoint. Through this, the server 200 can wait for document actions to fully occur.

Thereafter, the server 200 may transmit the stored document behavior information to the terminal. To this end, the terminal can communicate with the server 200 and may include a management application that can control the operation of the server. The terminal can provide document behavior information to the user through a management application.

Existing APT solutions extract document behavior based on sandbox changes after document behavior occurs. This increases analysis time because the sandbox has to wait for document behavior to occur. Additionally, because it checks the last part (for example, after sandbox changes), it is slower than the analysis speed in this specification.

Additionally, the server 200 of the present specification may start analysis from the time the application process is executed in the stage before the sandbox is changed.

In addition, because changes in document behavior are confirmed from the assembly level (for example, CPU instruction processing stage), the analysis speed (behavior extraction) is faster than existing APT solutions.

Additionally, existing APT solutions wait until document activity occurs, making it difficult to know the end point. However, in this specification, the server can roughly determine the end point of document activity, so quick analysis is possible.

도 6은 본 개시의 실시예에 적용될 수 있는 비실행 파일 차단 방법을 예시한 순서도이다. Figure 6 is a flowchart illustrating a method for blocking non-executable files that can be applied to an embodiment of the present disclosure.

The reversing engine of the server 200 performs a reversing analysis on the input non-executable file and stores the detection results for vulnerabilities and/or malicious active content (S6100). The detection result is provided to the result reading unit 220. A more detailed description of step S6100 will be described later with reference to FIGS. 7 to 9.

The CDR engine of the server 200 performs detoxification on the content in the input non-executable file and stores the detoxification result (S6200). At this time, step S6200 does not necessarily have to be executed after step S6100, and steps S6200 and S6100 may be performed simultaneously. The detoxification result is provided to the result reading unit 220. A more detailed description of step S6200 will be described later with reference to FIGS. 10 to 12.

The result reading unit 220 of the server 200 generates a final reading result for the detoxified file based on the detection result provided from the reversing engine and the detoxification result provided from the CDR engine (S6300). Specifically, the reading results include the type of non-executable file entered, the content detected by the reversing engine (e.g. vulnerabilities, macros, hyperlinks, JavaScript), whether the detected content can be rendered harmless by the CDR engine, It may include one or more of whether the detected content has been detoxified by the CDR engine and whether the detoxified file is safe. Among the exemplified information, the type and/or number of information to be included in the reading result may be implemented to be changeable by the user. Additionally, the generated reading result may be provided to the user's terminal and may be output in the form of an audio signal and/or a video signal through an output unit of the terminal.

도 7은 도 6의 탐지 결과 저장 단계(S6100)를 구체적으로 도시한 순서도이다. FIG. 7 is a flowchart specifically illustrating the detection result storage step (S6100) of FIG. 6.

The reversing engine performs reversing analysis on the input non-executable file (S6110). Step S6110 may be understood as the document behavior determination method shown in FIG. 5.

Afterwards, the reversing engine determines whether there are results detected by the reversing analysis (S6120). For example, it determines whether there are vulnerabilities or malicious active content detected in non-executable files.

As a result of the determination in step S6120, if a detection result exists, the CDR engine of the server 200 determines whether the detection result can be rendered harmless (S6130). The determination may be made based on the type of CDR engine. This is because detoxification coverage varies depending on the type of CDR engine. Here, harmless coverage can be understood as a concept that includes one or more of a harmless file and a harmless content. Specifically, taking the existing CDR engine as an example, in the case of MS Office 2003 version and MS Office 2007 version or later, detoxification is not possible for content called JavaScript, but macro, Flash, object connection insertion, It is possible to detoxify content such as Active X, Embedded Document, Hyperlink, and Attachments. And in the case of Below Ah Hangul, detoxification is not possible for macros and hyperlinks, but detoxification is possible for the remaining contents. And in the case of Adobe Acrobat, detoxification is not possible for macros, OLE objects, and ActiveX, but detoxification is possible for the remaining contents. Information on the detoxification coverage of the CDR engine as described above may be stored in advance in the server 200, and the determination in step S6130 may be made based on the stored information.

As a result of the determination in step S6130, if the corresponding detection result cannot be detoxified in the CDR engine, a label that cannot be detoxified is recorded on the corresponding detection result (S6140).

As a result of the determination in step S6130, if the corresponding detection result can be detoxified in the CDR engine, a detoxification possible label is recorded in the corresponding detection result (S6150).

When label recording is completed, the detection result is stored (S6160). The detection result may have an XML format, for example, but is not limited to the format shown. Here, the detection results by the reversing engine will be described with reference to FIGS. 8 and 9.

도 8은 리버싱 엔진에 의한 탐지 결과의 일 예를 도시한 도면이다. Figure 8 is a diagram showing an example of a detection result by a reversing engine.

Referring to Figure 8, it can be seen that the detection result is in XML format. You can see that "CVE-2017-11826.RE.300" is recorded in the "Name" item, and the value 'false' is recorded in the "isPossibelCDR" item. This means that a text vulnerability was detected in the debugging engine while running the reversing analysis, and the detected text vulnerability cannot be detoxified in the CDR engine.

도 9는 리버싱 엔진에 의한 탐지 결과의 다른 예를 도시한 도면이다. Figure 9 is a diagram showing another example of a detection result by a reversing engine.

Referring to Figure 9, it can be seen that the vulnerability detection result is in XML format. And you can see that "_DownloaderMacro" is recorded in the "exploitName" item, and the value 'ture' is recorded in the "isPossibleCDR" item. This means that a malicious macro was detected in the debugging engine while running the reversing analysis, and the detected malicious macro can be rendered harmless in the CDR engine.

도 10은 도 6의 무해화 결과 저장 단계(S6200)를 구체적으로 도시한 순서도이다. FIG. 10 is a flow chart specifically illustrating the detoxification result storage step (S6200) of FIG. 6.

The CDR engine determines whether content subject to detoxification exists in the input non-executable file (S6210). Content subject to detoxification may be active content such as macros, hyperlinks, and object connection insertions.

As a result of the determination in step S6210, if content to be detoxified exists in the non-executable file, detoxification is performed on the content to be detoxified (S6220). Since content detoxification is a known technology, detailed description of it will be omitted.

Afterwards, the CDR engine determines whether content detoxification was successful (S6230).

If, as a result of the determination in step S6230, the content has failed to be rendered harmless, the failure to render the content harmless is recorded in the detoxification result (S6240).

If, as a result of the determination in step S6230, the content has been successfully detoxified, the successful detoxification is recorded in the detoxification results (S6250).

Meanwhile, as a result of the determination in step S6210, if there is no content subject to detoxification in the non-executable file, this fact is recorded in the detoxification result (S6260).

When the recording of the detoxification results is completed, the detoxification results are stored (S6270). Here, the detoxification results by the CDR engine will be described with reference to FIGS. 11 and 12.

도 11은 CDR 엔진에 의한 무해화 결과의 일 예를 도시한 도면이다. Figure 11 is a diagram showing an example of the detoxification result by the CDR engine.

Referring to Figure 11, the value 'true' is recorded in the 'result' item, which means that the non-executable file is harmless. Also, the value 'SUCCESS' is recorded in the 'status' item, which means that the detoxification target content in the non-executable file was successfully detoxified. And in the 'message' field, "CDR Process Success" is recorded, which means that detoxification was successfully performed in the CDR engine.

That is, if there is content to be detoxified in a non-executable file, and detoxification is successful for the content to be detoxified, the value 'SUCCESS' is recorded in the 'status' item. And since the detoxification target content was successfully detoxified, the non-executable file is also judged to be harmless, and the value 'true' is recorded in the 'result' item.

If there is no content to be detoxified in the non-executable file, the value 'NO DETECTION' is recorded in the 'status' item. And the non-executable file is also judged to be harmless, so the value 'true' is recorded in the 'result' field.

In addition to 'result', 'status', and 'message' items, the detoxification result may also include 'fileType', 'inputFileName', 'inputFullPath', 'outputFileName', 'outputFullPath', 'elapsedTime', and 'cdrEntities' items. there is. The 'fileType' item is where the type of non-executable file is recorded. The 'inputFileName' and 'inputFullPath' items are where the name of the non-executable file and the storage path of the non-executable file are recorded, respectively. The 'outputFileName' and 'outputFullPath' items are where the name of the detoxified file and the storage path of the detoxified file are recorded, respectively. The 'elapsedTime' item is where the time taken for detoxification is recorded. The 'cdrEntities' item is where the properties of the data storing the detoxification results are recorded. The fact that 'Array' is written in the 'cdrEntities' field means that the detoxification results are stored in array form.

도 12는 CDR 엔진에 의한 무해화 결과의 다른 예를 도시한 도면이다. Figure 12 is a diagram showing another example of the detoxification result by the CDR engine.

Referring to Figure 12, the value 'false' is recorded in the 'result' item, which means that the non-executable file is not harmless. And the value "FAILURE" is recorded in the 'status' item, which means that detoxification failed for the content to be detoxified in the non-executable file. And in the 'message' field, "I/O Error Occurs" is recorded, which means that a detoxification failure error may occur due to an input/output error for the file.

That is, if there is content to be detoxified in a non-executable file, and detoxification fails for the content to be detoxified, the value 'FAILURE' is recorded in the 'status' item. And since detoxification failed for the content subject to detoxification, the non-executable file is also judged to be non-hazardous, and the value 'false' is recorded in the 'result' field.

도 13은 도 6의 판독 결과 생성 단계(S6300)를 구체적으로 도시한 순서도이다. FIG. 13 is a flowchart specifically illustrating the read result generation step (S6300) of FIG. 6.

The result reading unit 220 checks the detection result provided from the reversing engine (S6310) and determines whether there is a target (eg, vulnerability, malicious active content) with a label that cannot be detoxified (S6320).

As a result of the determination in step S6320, if there is no object with a non-harmful label, the result reading unit 220 determines that there is an object with a label that can be harmless. Then, the detoxification result provided from the CDR engine is checked (S6330) to determine whether the detoxification of the object with the detoxification possible label was successful (S6340).

As a result of the determination in step S6340, if detoxification is successful for the object with the detoxification possible label, the result reading unit 220 generates a reading result indicating that the detoxified file is safe (S6350).

As a result of the determination in step S6340, if detoxification has failed for the content with the label capable of detoxification, the result reading unit 220 generates a reading result indicating that the detoxified file is dangerous (S6380).

Thereafter, the result reading unit 220 may allow or block the deactivated file based on the reading result. Specifically, if the detoxified file is read as safe, the detoxified file is allowed. Conversely, if the detoxified file is read as dangerous, the detoxified file is blocked.

In addition, the result reading unit 220 can provide the reading result of the detoxified file to the user's terminal and output it through the output unit.

도 14는 단말을 통해 표시되는 판독 결과 화면을 예시한 도면이다. Figure 14 is a diagram illustrating a reading result screen displayed through a terminal.

Referring to FIG. 14, the read result screen may include the type of the input non-executable file, the detection result of the reversing engine, the detoxification result of the CDR engine, and the final read result of the detoxified file.

The detection results of the reversing engine may include information about the detected content and whether the detected content is malicious. Examples of detected content include object vulnerabilities, text vulnerabilities, macros, hyperlinks, object link injection, and JavaScript.

The detoxification results of the CDR engine may include information about the detoxification target and whether detoxification was successful for the detoxification target.

Referring to FIG. 14, when a word file containing an object vulnerability is input as a non-executable file, it can be seen that the object vulnerability is detected by the reversing engine. Additionally, the detected object vulnerability was analyzed as malicious, and it can be seen that the CDR engine gave it a detoxifiable label, meaning that it could be detoxified. In addition, it can be seen that the object vulnerability actually succeeded in detoxifying the object in the CDR engine. As a result of comprehensively judging the detection results of the reversing engine and the detoxification results of the CDR engine, it can be seen that the detoxification file output from the CDR engine was read as safe.

If a PDF file containing JavaScript is entered as a non-executable file, you can see that JavaScript has been detected in the reversing engine. Additionally, the detected JavaScript was analyzed as normal, not malicious, and was given a detoxifiable label, meaning that it could be detoxified, by the CDR engine. At this time, the analysis result that the detected JavaScript is normal may be a result obtained because it is difficult to detect malicious actions using JavaScript in the reversing engine. Therefore, by assigning a decommunicable label to the detected JavaScript, storing the detection results, and comparing the stored detection contents with the decommissioning results of the CDR engine, more accurate reading results can be obtained for the decommunicated files output from the CDR engine. You can. In fact, since the CDR engine succeeded in detoxifying JavaScript, as a result of comprehensively judging the detection results of the reversing engine and the detoxification results of the CDR engine, it can be seen that the detoxified file output from the CDR engine was read as safe.

If an Excel file containing macro and text vulnerabilities is entered as a non-executable file, you can see that the macro and text vulnerabilities have been detected by the reversing engine. At this time, it can be seen that the detected macro was analyzed as normal, not malicious, and was given a label capable of being rendered harmless. Here, the analysis result that the detected macro is normal may be a result obtained because it is difficult to detect malicious actions using macros in the reversing engine. Therefore, by assigning a decommunicable label to the detected macro, saving the detection results, and comparing the stored detection contents with the decommissioning results of the CDR engine, more accurate reading results can be obtained for the decommunicated file output from the CDR engine. You can. Meanwhile, it can be seen that the body vulnerability detected in the non-executable file was analyzed as malicious and was given a label that cannot be detoxified. Since detoxification is not possible in the CDR engine for detected text vulnerabilities, it can be seen that even if detoxification is successful for the detected macro, the detoxification file output from the CDR engine is read as dangerous.

If a word file containing a hyperlink is entered as a non-executable file, you can see that the hyperlink has been detected in the reversing engine. It can be seen that the detected hyperlink was analyzed as normal, not malicious, and was given a label that could be made harmless. Here, the analysis result that the detected hyperlink is normal may be a result obtained because it is difficult to detect malicious actions using hyperlinks in the reversing engine. Therefore, by assigning a decommunicable label to the detected hyperlink, saving the detection result, and comparing the saved detection content with the decommissioning result of the CDR engine, more accurate reading results can be obtained for the decommunicated file output from the CDR engine. You can. In fact, since hyperlink detoxification was successful in the CDR engine, it can be seen that the detoxified file output from the CDR engine was read as safe.

If a word file containing a macro is entered as a non-executable file, you can see that the macro has been detected in the reversing engine. It can be seen that the detected macro was analyzed as malicious and was given a label that could be made harmless. However, it can be seen that the CDR engine failed to detoxify the detected macro. As a result of comprehensively judging the detection results of the reversing engine and the detoxification results of the CDR engine, it can be seen that the detoxification file output from the CDR engine was read as dangerous.

In Figure 14, harmless files judged to be safe are allowed, and harmless files judged to be dangerous are blocked.

According to the method of blocking non-executable files as described above, security gaps that may occur in the CDR engine can be resolved.

Above, a method for blocking non-executable files according to an embodiment of the present disclosure has been described. According to the non-executable file blocking method described above, by using both the reversing engine and the CDR engine, the security gap that may occur when only the reversing engine is used and the security gap that may occur when only the CDR engine is used are eliminated. It can be supplemented.

도 15는 본 명세서가 적용될 수 있는 망분리 시스템의 예시이다.Figure 15 is an example of a network separation system to which this specification can be applied.

Referring to FIG. 15, the network separation system can be divided into an internal (business) network and an external (Internet) network, and data transmission between the separated networks can be performed through an inter-network data transmission system. The government of the Republic of Korea is stipulating network separation guidelines for public, financial, and general companies, and since 2012, the regulations have been strengthened and made mandatory rather than recommended.

Before the network separation environment was applied, it was possible to use the work system and the Internet together on one PC, but after network separation, the PC functions must be used separately as a work PC and an Internet PC. Therefore, by blocking the Internet in the internal network, hacking attacks attempted from outside and data leakage accidents caused by insiders can be prevented at once.

In a network separation environment, work PCs cannot use the Internet, so it is difficult to send data to external companies, and conversely, it is difficult to import documents downloaded from external companies or the Internet to the work PC. In order to solve such inconvenient work, the solution that can transmit data between work PCs and Internet PCs is a network connection solution, and the network data transmission system can include a network connection solution.

For example, files from a work PC can be transferred to an Internet PC through the Manganese data transmission system after administrator approval, and files from an Internet PC can be transferred to a work PC through the Manganese data transmission system after administrator approval.

The server 200 is connected to the inter-network data transmission system and can inspect and filter files passing through the inter-network data transmission system. For example, if the inter-network data transmission system requests the server 200 to scan for malicious code for a file transmitted from an external network to the inter-network data transmission system, the server 200 can check the file for malicious code. there is. If the server 200 discovers malicious code, the server 200 can block the file.

However, when a file is blocked in a security system linked to the existing inter-network data transmission system, internal user terminals cannot access the security system, so there is a problem in which they are not notified.

도 16은 본 명세서가 적용될 수 있는 서버의 일 실시예이다.Figure 16 is an embodiment of a server to which this specification can be applied.

Referring to FIG. 16, the server 200 is connected to an inter-network data transmission system in a network separation environment and can inspect target files being moved between networks.

The server 200 receives the target file from the inter-network data transmission system (S1610). For example, target files can be uploaded to a predefined directory in the inter-network data transmission system for movement to the internal network. The manganese data transmission system can deliver the target file to the server 200 for malicious code inspection of the target file according to a predefined policy.

The server 200 checks the target file for malicious code (S1620). For example, the server 200 may inspect the target file through the operations of FIGS. 5 to 14 described above.

The server 200 determines whether the target file contains malicious code (S1630).

The server 200 modifies the target file based on the read result of the target file based on whether it contains malicious code (S1640).

For example, the server 200 performs a reversing analysis on the target file, detects at least one of vulnerabilities and content in the target file, stores the detection result, and performs detoxification of the content in the target file. , the detoxification results can be stored and a reading result can be generated.

More specifically, the readout results include what was detected by the reversing engine (e.g. vulnerabilities, macros, hyperlinks, JavaScript), whether the detected content can be neutralized by the CDR engine, and whether the detected content can be neutralized by the CDR engine. It may include whether or not it has been made harmless, whether the target file that has been made harmless is safe/dangerous, etc.

(1) If the read result is that CDR detoxification is possible, the server 200 can detoxify the target file through the CDR engine and modify the file name of the target file to notify users of the internal network that detoxification has been completed. For example, you can add the string “CDR” to the front of the file name (e.g., CDR_ INVOICE.xlsx).

(2) If it is impossible to detoxify the target file or if the read result is that the target file is “dangerous,” the server 200 may modify the target file name to clearly inform internal users that the target file contains malicious code. . For example, you can add the string “MALWARE” to the front of the file name (e.g., MALWARE _INVOICE.xlsx).

(3) If it is impossible to detoxify the target file or if the read result indicates that the target file is “dangerous,” the server 200 may additionally block the target file. In this case, the server 200 can create a 0KB file (Dummyfile) to notify the internal user that the target file is blocked, and modify it to be the target file. Additionally, the server 200 may add the string “MALWARE” to the front end of the file name of the target file that has been modified as a dummy file.

The server 200 transmits the modified target file to the network data transmission system (S1650). The manganese data transmission system can deliver the received modified target file to an internal user terminal, and the internal user terminal can easily determine whether the target file contains malicious code and the processing progress without having to access the server 200.

If the target file does not contain malicious code, the server 200 may determine the target file to be a normal file and transmit it to the inter-network data transmission system. The inter-network data transmission system can transmit target files directly to the internal network.

도 17은 본 명세서가 적용될 수 있는 대상 파일 수정의 예시이다.Figure 17 is an example of target file modification to which this specification can be applied.

Referring to FIG. 17, the server 200 may deliver a modified target file to an internal user. For example, the target file may be modified as a dummy file with OKB, and a string may be added to the file name to indicate that it contains malicious code.

Through this, the server 200 can clearly notify the internal user server about the processing of the target file when the target file moves in a network separation environment of different bands.

In addition, malicious notifications can be clearly made to internal users without additional deployment of notification services (e.g., SMS, mail server 200, etc.), and in terms of management of the server 200, changing file names and capacity is easy and difficult to develop. , it is not restricted by OS area.

From the internal user perspective, work efficiency can be increased with intuitive malicious notifications, and the security level can be increased by blocking the inflow of malicious files into the internal business network at the source.

Meanwhile, the disclosed embodiments may be implemented in the form of a recording medium that stores instructions executable by a computer. Instructions may be stored in the form of program code, and when executed by a processor, may create program modules to perform operations of the disclosed embodiments. The recording medium may be implemented as a computer-readable recording medium.

Computer-readable recording media include all types of recording media storing instructions that can be decoded by a computer. For example, there may be read only memory (ROM), random access memory (RAM), magnetic tape, magnetic disk, flash memory, optical data storage, etc.

Additionally, computer-readable recording media may be provided in the form of non-transitory storage media. Here, 'non-transitory storage medium' simply means that it is a tangible device and does not contain signals (e.g. electromagnetic waves). This term refers to cases where data is semi-permanently stored in a storage medium and temporary storage media. It does not distinguish between cases where it is stored as . For example, a 'non-transitory storage medium' may include a buffer where data is temporarily stored.

According to one embodiment, methods according to various embodiments disclosed in this document may be provided and included in a computer program product. Computer program products are commodities and can be traded between sellers and buyers. The computer program product may be distributed in the form of a machine-readable recording medium (e.g. compact disc read only memory (CD-ROM)) or via an application store (e.g. Play StoreTM) or on two user devices (e.g. It may be distributed directly between smartphones (e.g. smartphones) or distributed online (e.g. downloaded or uploaded). In the case of online distribution, at least a portion of a computer program product (e.g., a downloadable app) is stored at least temporarily on a machine-readable recording medium, such as the memory of a manufacturer's server, an application store's server, or a relay server. It can be stored or created temporarily.

Embodiments according to the present disclosure have been described with reference to the above and the attached drawings. A person skilled in the art to which this disclosure pertains will understand that this disclosure can be implemented in other specific forms without changing its technical idea or essential features. Therefore, the embodiments described above should be understood in all respects as illustrative and not restrictive.

Claims

In a method for a server to handle the inflow of malicious files in a network separation environment,

Receiving a target file from the Manganese data transmission system;

inspecting the target file for malicious code;

Modifying the target file according to a reading result of the target file, based on whether the target file contains malicious code; and

transmitting the modified target file to the network data transmission system;

Includes,

The reading result is

A processing method indicating the possibility or impossibility of detoxification of the target file.
According to paragraph 1,

The above modification steps are

adding a string indicating that the detoxification has been completed to the file name of the target file;

Processing method, including.
According to paragraph 1,

The above modification steps are

adding a string indicating that the target file contains the malicious code to the file name of the target file, based on the read result indicating the impossibility of rendering the target file harmless;

Processing method, including.
According to paragraph 3,

The above modification steps are

Modifying the target file into a dummy file;

A processing method further comprising:
According to paragraph 2,

The above modification steps are

performing a reversing analysis on the target file, detecting at least one of vulnerabilities and content in the target file, and storing the detection result;

Performing detoxification on content in the target file and storing the detoxification result; and

generating the readout result based on the detection result and the detoxification result;

A processing method further comprising:
In a server that processes the inflow of malicious files in a network separation environment,

Ministry of Communications;

Memory with reversing engine and CDR engine; and

a processor that functionally controls the communication unit and the memory; Includes,

The processor is

Receiving the target file from the inter-network data transmission system through the communication unit,

The target file is checked for malicious code, and based on whether the target file contains malicious code, the target file is modified according to a reading result of the target file, and the modified target file is transmitted to the network. The server transmits the information to the system, and the read result indicates the possibility or impossibility of detoxification of the target file.