JP2006099807A - Device, storage device and file processing method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a device having a function properly coping with computer virus infection. <P>SOLUTION: This device has: a virus checker detecting a file containing a virus from a storage device; a conversion part converting the file detected by the virus checker into the other code data; and a restoration part inversely converting the converted code data to restore them to the file before the conversion. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to an apparatus and a storage device having a function to appropriately cope with a computer virus, and a file processing method for performing a process to appropriately cope with a computer virus infection.

  Recent personal computers are connected to each other via a network such as a LAN and exchange information using personal computer communication. Computer viruses existing in one personal computer (hereinafter abbreviated as viruses) However, there is an increased risk of spreading to other personal computers connected to the network.

  From now on, it will be necessary to construct a storage device that can use files freely while preventing the propagation of viruses, and delete files or recover files that have not been infected. .

  As shown in FIG. 30, the storage device basically has a controller for executing input / output control between a disk for storing a file and drive control of the disk and a personal computer as a connection destination. It consists of and.

  The storage device configured as described above is configured to be directly accessed from a driver under the operating system of the personal computer. In other words, the running file deployed on the personal computer can easily destroy other files stored in the storage device.

  On the other hand, a virus can rewrite other files using the physical address of the lower address of the file, or rewrite the system startup area using the physical address of the lower address of the system startup area such as boot. , Take action to destroy the original program.

  For these reasons, there is a problem that a file stored in the storage device is easily infected with a virus.

  With respect to such problems, in the conventional technology, when a virus checker deployed on a personal computer finds a file infected with a virus in a file deployed on a storage device disk, all of the files deployed on that disk are found. It was configured to clear the file and install it again.

  However, the conventional technology adopts a configuration in which it is detected whether or not there is a file infected with a virus in a file of the storage device, and if there is an infected file, it is dealt with. However, since the method of actively preventing virus infection is not taken, there is a problem that the file developed on the disk of the storage device is easily infected with the virus.

  In addition, the conventional technology adopts a configuration in which when a file that is infected with a virus is found in a file that is expanded on a disk of a storage device, all files that are expanded on the disk are cleared and installed again. There is a problem of imposing a heavy load on the user.

  And with the conventional technology, files that are judged to be infected by a virus are cleared as they are, so it is not possible to analyze what kind of virus has destroyed the virus. There was also a problem that it was not possible.

  The present invention has been made in view of such circumstances, and provides a device and a storage device having a function for appropriately dealing with a computer virus, and a file processing technique for performing a process for appropriately dealing with a computer virus infection. With the goal.

  FIG. 1 illustrates the principle configuration of the present invention.

  In the figure, reference numeral 1 denotes a virus-compatible storage device configured according to the present invention, and 2 denotes a data processing device that executes data processing using a file stored in the virus-compatible storage device 1.

  The virus-compatible storage device 1 includes a disk 10, a first management unit 11, a second management unit 12, a file registration unit 13, a generation unit 14, a virus checker 15, and an infection table unit 16. Table registration means 17, determination means 18, prohibition means 19, determination means 20, recovery means 21, invalidation means 22, writing means 23, permission means 24, and inexecutable area 25 The retraction means 26 and the reading means 27 are provided. Here, the virus checker 15 may be deployed in the data processing device 2.

  The disk 10 stores files. The first management unit 11 manages the original information of the file stored in the disk 10 and manages the original information of the virus checker 15. The second management unit 12 manages the change difference information that is the upgrade information of the file stored in the disk 10 and the history information of the change difference information, or the change difference that is the upgrade information of the virus checker 15. Information and history information of the change difference information are managed.

  The first management unit 11 may encode and manage the original information in order to prevent the original information of the file or virus checker 15 from being rewritten, and the second management unit 12 may manage the file or virus. In order to prevent the change difference information of the checker 15 from being rewritten, the change difference information may be encoded and managed. At this time, a restoring means for restoring these encoded data and an encoding means for executing an inverse conversion process of the restoring means are provided.

  The file registration unit 13 generates a file by merging the original information of the file managed by the first management unit 11 and the change difference information of the file managed by the second management unit 12 and stores the file in the disk 10. To do. The generation unit 14 generates the virus checker 15 by merging the original information of the virus checker 15 managed by the first management unit 11 and the change difference information of the virus checker 15 managed by the second management unit 12. .

  The virus checker 15 is activated in accordance with a predetermined cycle or activated in response to a command instruction, and detects whether or not a file stored in the disk 10 is infected with a virus. The infection table means 16 manages whether the file stored in the disk 10 is infected with a virus. The table registration unit 17 registers data in the infection table unit 16. The determination means 18 determines whether or not the file is infected with a virus by referring to the infection table means 16 when there is a use request for the file stored in the disk 10 from the data processing device 2. . The prohibiting unit 19 prohibits the use of the file when the determining unit 18 determines that the file is infected with a virus.

  The determining means 20 determines whether or not to permit the use of the file registered in the infection table means 16 according to the interactive process. The recovery means 21 deletes the virus-infected file registered in the infection table means 16 from the disk 10 and activates the file registration means 13 to restore the file and register it in the disk 10. The invalidation means 22 invalidates the write request when a write request for the system startup area stored in the disk 10 is issued. The writing means 23 is prepared as a dedicated writing function and executes a writing process for the system startup area stored in the disk 10.

  The permission unit 24 determines whether or not to permit a write request to an executable file stored in the disk 10 according to the interactive process. The non-executable area 25 is prepared as an area that cannot be accessed by a normal access request. The saving unit 26 saves the virus-infected file registered in the infection table unit 16 and the virus information of the file in the inexecutable area 25. The reading unit 27 reads the information saved in the non-executable area 25 on condition that permission information permitting access to the non-executable area 25 is given.

  In the virus-compatible storage device of the present invention configured as described above, the table registration unit 17 registers a virus-infected file detected by the virus checker 15 in the infection table unit 16.

  Further, the table registration means 17 issues a write request to the system startup area stored in the disk 10 in order to deal with new, bad, and variant viruses that cannot be detected by the virus checker 15. In response to the fact that a regular file never issues such a write request, it is determined that the file from which the write request is issued stored in the disk 10 is infected with a virus, and the infection table That effect is registered in the means 16. At this time, the invalidation means 22 invalidates the write request when the write request is issued. However, when the write means 23 is provided, the write request is changed to the write request. When the use of the means 23 is specified, the write request is processed so as not to be invalidated.

  Further, the table registration unit 17 responds to the fact that when a write request for an executable file stored in the disk 10 is issued, a regular file does not normally issue such a write request. Then, it is determined that the write request issuer file stored in the disk 10 is infected with a virus, and the fact is registered in the infection table means 16. At this time, the permission unit 24 determines whether or not to permit the write request according to the interactive process. Then, when the permission means 24 permits the write request, the table registration means 17 indicates that the write request destination file stored in the disk 10 is also infected with a virus in association with the rewriting. Processing is performed so as to determine and register the fact in the infection table means 16.

  Further, when the file size changes due to execution, the table registration means 17 determines that the file stored in the disk 10 is infected with a virus, and registers that fact in the infection table means 16.

  Further, the table registration means 17 stores the file stored in the disk 10 when the file stored in the disk 10 is requested to be in the data format even though it is determined from the file name that the file is in the execution format. It is determined that the file is infected with a virus and the fact is registered in the infection table means 16.

  The table registration unit 17 stores files stored in the disk 10, but the original information is not registered in the first management unit 11 and the change difference information is not registered in the second management unit 12. Then, it is determined that the file stored in the disk 10 is infected with a virus, and the fact is registered in the infection table means 16.

  In this way, when a virus-infected file is registered in the infection table means 16, and the data processing device 2 requests use of the file stored in the disk 10, the determination means 18 uses the infection table means. 16, it is determined whether or not the file requested for use is infected with a virus. Upon receiving the determination result, the prohibition unit 19 determines whether the file has been determined to be virus-infected by the determination unit 18. Prohibits its use. At this time, the prohibiting unit 19 performs processing so as not to prohibit the use of the file permitted by the determining unit 20.

  Then, the saving means 26 saves the virus-infected file that is prohibited from use and the virus information of the file to the inexecutable area 25 that cannot be easily accessed, and the reading means 27 moves to the inexecutable area 25. On the condition that permission information for permitting access is provided, the saved information is read from the non-executable area 25 and output for virus analysis.

  On the other hand, the recovery means 21 deletes the virus-infected file registered in the infection table means 16 from the disk 10 and activates the file registration means 13 to recover the file and register it in the disk 10.

  As described above, in the virus-compatible storage device 1 of the present invention, while actively preventing virus infection, use of a virus-infected file is prohibited and automatically restored, and further, a virus is recovered. Since the infection information is stored while being not easily accessible, a storage device that can appropriately cope with virus infection can be constructed.

  Next, the configuration of the present invention will be described in more detail.

  (1) In order to cope with virus infection, an apparatus provided with the present invention converts a virus checker that detects a virus-containing file from a storage device, and converts the file detected by the virus checker into another code data. And a conversion unit that performs reverse conversion on the converted code data and restores the converted data to a file before conversion.

  (2) The apparatus including the present invention may further include a saving unit that takes the configuration of (1) and saves the code data converted by the conversion unit in a specific area of the storage device.

  (3) In the apparatus including the present invention, when the configuration of (2) is adopted, the specific area may be an area for isolating a file containing a virus from a file not containing the virus.

  (4) In the apparatus provided with the present invention, when the configuration of (1) to (3) is adopted, the conversion unit may make the file containing the virus unexecutable.

  (5) The apparatus including the present invention may further include a management unit that manages the converted code data when adopting the configurations of (1) to (4).

  (6) In the apparatus including the present invention, when the configuration of (5) is adopted, the management unit may delete the converted code data.

  (7) A storage device including the present invention is detected by the virus checker, a virus checker that detects a file containing a virus from the storage unit, a virus checker that stores a file, in order to cope with virus infection. A conversion unit that converts the file into another code data; and a restoration unit that reverse-converts the converted code data and restores the file before conversion.

  (8) The storage device including the present invention may further include a saving unit that saves the code data converted by the conversion unit in a specific area of the storage unit when adopting the configuration of (7). .

  (9) In the storage device provided with the present invention, when the configuration of (8) is adopted, the specific area may be an area for isolating a file containing a virus from a file not containing the virus.

  (10) In the storage device provided with the present invention, when the configurations (7) to (9) are adopted, the conversion unit may make the file containing the virus unexecutable.

  (11) The storage device including the present invention may further include a management unit that manages the converted code data when adopting the configurations of (7) to (10).

  (12) In the storage device including the present invention, when the configuration of (11) is adopted, the management unit may delete the converted code data.

  (13) The file processing method of the present invention is a file processing method for a storage device for storing a file, the step of reading the file from the storage device and checking whether the file is infected with a virus, and the check A conversion step of converting the virus-infected file detected in the step into another code data; a storage step of storing the converted code data in the storage device; and reverse conversion of the converted code data before conversion A restoring step of restoring to the file.

  (14) In the file processing method of the present invention, when the configuration of (13) is adopted, the storing step may write the converted code data into a specific area of the storage device.

  (15) In the file processing method of the present invention, when the configuration of (14) is adopted, the specific area may be an area that isolates a virus-infected file from a file that does not contain a virus.

  (16) In the file processing method of the present invention, when the configuration of (13) to (15) is adopted, the conversion step may make the virus infected file unexecutable.

  (17) The file processing method of the present invention may further include a management step for managing the converted code data when adopting the configurations of (13) to (16).

  (18) In the file processing method of the present invention, when the configuration of (17) is adopted, the management step may delete the converted code data.

  As described above, according to the present invention, while actively preventing virus infection, the use of a virus-infected file is prohibited and automatically restored, and virus infection information can be easily updated. Since it is configured to store while preventing access, virus infection can be appropriately dealt with.

  Hereinafter, the present invention will be described in detail according to embodiments.

  FIG. 2 illustrates an embodiment of the virus-compatible storage device 1 of the present invention.

  The virus-compatible storage device 1 shown in this embodiment is connected to a personal computer 2a. In addition to the disk 30 for storing files to be accessed by the personal computer 2a, access processing / anti-virus processing ROM 31 for storing firmware and the like for executing CPU, CPU 32 for executing firmware stored in ROM 31, and for exchange with personal computer 2a, and RAM 33 prepared as a work area for firmware executed by CPU 32 By having a CPU function.

  Further, the original information of the file stored on the disk 30 and the original information management file 34 for managing the original information of the virus checker prepared for the inspection of the file stored on the disk, and the file stored on the disk 30 While managing the change difference information and the history information, the upgrade information management file 35 for managing the change difference information of the virus checker and the history information, the file stored in the disk 30, and the original information management file Whether the original information stored in 34 or the change difference information stored in the upgrade information management file 35 is infected with a virus, and whether these files to be managed are in an executable format Whether it is of a formal type and these management File information management file 36 that manages whether or not the file is in the boot area or IPL area, and an area that can be accessed only when the password and ID match, and is infected with a virus. 3 and a non-executable area 37 having a data structure as shown in FIG. 3 for saving virus information of the file. Here, the reason why the upgrade information management file 35 manages the history information is to make it possible to know which is the latest change difference information.

  In addition to this, the file stored in the disk 30 is accessed, the original information managed by the original information management file 34 is accessed, the change difference information and the history information managed by the upgrade information management file 35 are stored. A controller 38 for accessing or accessing the save information of the non-executable area 37 is provided.

  Here, the original information management file 34 and the upgrade information management file 35 do not adopt a configuration for managing the original information and the changed difference information according to a simple difference configuration, but use an inheritance relationship having a parent-child relationship. A configuration may be adopted in which original information and change difference information are managed.

  In the embodiment shown in FIG. 2, the virus-compatible storage device 1 is connected to the personal computer 2a. However, as shown in FIG. 4, it may be connected to a LAN. In the embodiment shown in FIG. 2, the original information management file 34 and the upgrade information management file 35 are shown as separate files. However, as shown in FIGS. Sometimes. In the embodiment of FIG. 2, the configuration in which the virus-compatible storage device 1 is provided outside the personal computer 2a is shown. However, as shown in FIGS. 7 and 8, it is provided inside the personal computer 2a. Sometimes.

  As described above, the virus-corresponding storage device 1 of the present invention has a configuration including the original information management file 34 and the upgrade information management file 35.

  This is because the original information of the file stored on the disk 30 is stored in the original information management file 34, and when the file is upgraded, the upgrade difference information and the history information are converted into the upgrade information. By adopting a configuration for storing in the management file 35, when a file stored on the disk 30 is infected with a virus, the original information of the file and the difference change information are merged so that the file can be recovered. is there. Further, the original information of the file and the change difference information of the file are not developed on the disk 30 to prevent them from being infected by a virus.

  Since the virus checker prepared for the inspection of the file stored on the disk also has the property of being upgraded, the original information of this virus checker is stored in the original information management file 34, and The configuration is such that the virus checker is managed by storing the upgrade difference information and the history information in the upgrade information management file 35.

  When the original information management file 34 and the upgrade information management file 35 are constructed on the same medium, the original information of the file and virus checker, the change difference information of the file and virus checker, and the history information of the change difference information, It is practically convenient that it can be integrated and managed. In addition to this, the disk 30 and the non-executable area 37 may also be constructed on the medium.

  The original information of the file and virus checker stored in the original information management file 34 and the change difference information and history information of the file and virus checker stored in the upgrade information management file 35 are not rewritten from the personal computer 2a side. It will not be.

  From now on, the virus-compatible storage device 1 stores the original information of the file and virus checker stored in the original information management file 34 and the change difference information / history information of the file and virus checker stored in the upgrade information management file 35. As shown in FIG. 9, the file and the virus checker original information restored by the restoration mechanism and the restoration mechanism are restored as shown in FIG. The file and virus checker are generated by merging the file and the change difference information of the virus checker. Then, by adopting a configuration that prepares an encoding mechanism for executing the reverse conversion processing of the restoration mechanism, as shown in FIG. 10, the original information of the file encoded by the encoding mechanism and the virus checker is stored in the original information management file 34. In addition, the file encoded by the encoding mechanism and the change difference information / history information of the virus checker are stored in the upgrade information management file 35.

  Specifically, the encoding mechanism and the restoration mechanism are realized by firmware stored in the ROM 31 of the virus-responsive storage device 1, and in order to realize this mechanism, as shown in FIG. The ROM 31 stores a conversion table for encoding original information, change difference information, and history information, and a conversion table for restoring encoded original information, change difference information, and history information. .

  Furthermore, as described above, the virus-compatible storage device 1 of the present invention employs a configuration including the file information management file 36.

  In the file information management file 36, the file stored in the disk 30, the original information stored in the original information management file 34, and the change difference information stored in the upgrade information management file 35 are infected with a virus. Whether these managed files are in executable format or data format, and whether these managed files are in boot area or IPL area Manage that.

  FIG. 12 shows an example of the data structure of the file information management file 36. Here, in this embodiment, it is determined that the file to be written in the boot area or IPL area stored in the disk 30 is infected with a virus, and the file in the executable format stored in the disk 30 is written. It is assumed that the file to perform is determined to be infected with a virus. This is because a regular file does not perform the former write operation, and usually does not perform the latter write operation.

  That is, as shown in FIG. 12, the file information management file 36 records the file name of the management target file, the address position of the file, and the execution / data that records whether the file is in the execution format or the data format. A flag area, a launcher flag area that records whether the file is a boot area or an IPL area, an infection flag (1) that records the presence or absence of virus infection of the file detected by the virus checker, An infection flag (2) for recording the presence or absence of virus infection of the file determined by the writing operation to the boot area or the IPL area, and the file of the file determined by the writing operation to the executable file Infection flag (3) that records the presence or absence of virus infection, and the original stored in the original information management file 34 By managing the infection flag (4) for recording the presence / absence of virus infection in the information and the infection flag (5) for recording the presence / absence of virus infection in the change difference information stored in the upgrade information management file 35, This is a configuration for managing the information. The presence / absence of virus infection in the original information stored in the original information management file 34 and the presence / absence of virus infection in the change difference information stored in the upgrade information management file 35 are determined by a virus checker, boot area, IPL area, This is determined by the writing operation to the executable file.

  In the figure, (1) to (5), which are identification codes of infection flags, are represented by numbers in circles.

  Here, the execution / data flag area is set to “1” in the execution format and “0” in the data format, and the start-up flag area is set to “1” in the boot area or IPL area. "0" is set when not, and the infection flag (1) (2) is set to "1" when infected with a virus and "0" when not infected with a virus. In the infection flag (3), “1” is set when there is a suspicion of virus infection, and “0” is set when there is no suspicion of virus infection, and the infection flag (4) (5) is infected with a virus. “1” is set when the virus is infected, or when there is a suspicion of virus infection, and “0” is set when the virus is not infected or when there is no suspicion of virus infection.

  FIG. 13 to FIG. 22 show processing flows executed by the virus-corresponding storage device 1 configured as described above. Next, according to these processing flows, the operation processing of the virus-compatible storage device 1 of the present invention will be described in detail.

  When the virus-compatible storage device 1 is started, as shown in the processing flow of FIG. 13, the infected file storage area and virus information storage area (storage area shown in FIG. 3) of the non-executable area 37 are initialized. Then, the initialization process is executed by registering the ID and password for accessing the non-executable area 37.

  On the other hand, when the virus-compatible storage device 1 registers original information of a purchased file in the original information management file 34 or when registering change difference information of the file in the upgrade information management file 35, A virus checker is generated by merging the virus checker original information stored in the original information management file 34 and the latest update difference information of the virus checker stored in the version upgrade information management file 35, and is expanded in the RAM 33. .

  Then, as shown in the processing flow of FIG. 14, the generated virus checker is used to check whether the file to be registered (original information / change difference information) is infected with a virus. When it is determined that the file has been infected, the virus infected file and the virus information of the file are saved in the non-executable area 37, and the registration prohibition personal computer 2a is notified of the use prohibition due to virus infection. To do.

  On the other hand, when it is determined that there is no virus infection, the file is stored in the original information management file 34 / version-up information management file 35 of the registration destination, history information is created, and it is stored in the version-up information management file 35. After the storage, the file (the file merged with the original information when the registration file is the change difference information) is developed on the disk 30 and the data is registered in the file information management file 36.

  In this way, the original information of the file not infected with the virus is registered in the original information management file 34, and the change difference information of the file not infected with the virus is registered in the upgrade information management file 35, and The files that are not infected by the virus that merges them are expanded on the disk 30. Here, the reason why the virus checker itself is not stored in the disk 30 but is generated when the virus infection check process is started is to prevent the virus checker itself from being infected with the virus. It is.

  In the processing flow of FIG. 14, it is confirmed that the original information of the file to be registered in the original information management file 34 is not infected with a virus, and the change difference information of the file to be registered in the version upgrade information management file 35 is displayed. Although it has been configured to confirm that it is not infected with a virus, whether or not the file developed on the disk 30 by merging the original information and the change difference information is infected with the virus according to the processing described later. Therefore, this confirmation process is not absolutely necessary. In the description of the processing flow of FIG. 14, the virus-corresponding storage device 1 is configured to operate the virus checker, but may be configured to operate the personal computer 2a.

  As described above, the present invention adopts a configuration in which it is determined that a file written in the boot area or IPL area stored in the disk 30 is infected with a virus. This is because a regular file does not perform such a write operation.

  As will be described later, the present invention employs a configuration that prohibits execution of a file infected with a virus, and therefore execution of a file to be written in the boot area or IPL area is prohibited. However, this means that boot and IPL registration cannot be performed. Therefore, in the present invention, when a specific command for instructing boot or IPL registration is issued, the configuration is permitted to permit the registration.

  That is, when a specific command for instructing boot or IPL registration is issued, the virus handling type storage device 1 has a boot / IPL for which there is a registration request in the original information management file 34 as shown in the processing flow of FIG. Then, the boot / IPL is taken out into the RAM 33 and stored in the disk 30, and “1” is recorded in the start-up part flag area of the file information management file 36 in accordance with the storage in the disk 30. To register it as boot / IPL, register “1” in the execution / data flag area, register it as an execution format, and set “0” in the infection flags (1) to (5). It records that it is not infected by the virus by recording.

  Next, a virus infected file detection process executed by the virus handling type storage device 1 will be described. There are two types of detection processing: a case where it is executed using a virus checker and a case where it is executed by determining the file attribute of a write destination file. FIG. 16 and FIG. 17 show the processing flow of the virus infected file detection process executed using the virus checker. FIG. 18 shows the virus infected file detection process executed by determining the file attribute of the write destination file. The flow is illustrated.

  When detecting a virus-infected file using a virus checker, the virus-compatible storage device 1 firstly detects a virus-infected file in step 1 as shown in the processing flow of FIGS. When it is determined that the detection period is reached, the process proceeds to step 2 where the virus checker original information stored in the original information management file 34 and the upgrade information management file 35 are stored. The latest virus checker is merged with the latest change difference information of the virus checker, and the latest virus checker is generated and expanded in the RAM 33.

  Subsequently, in step 3, one unprocessed file is extracted from the files on the disk 30, and in the next step 4, whether or not the extracted file is infected with a virus by using the generated virus checker. Perform the check. When it is determined that a virus is infected according to this check processing, the process proceeds to step 5 where “1” is recorded in the infection flag (1) of the file information management file 36 pointed to by that file. Is registered as being infected with a virus, and when it is determined that it is not infected with a virus, the process proceeds to step 6 where the file is recorded by recording "0" in its infection flag (1). Register that is not infected with a virus.

  Subsequently, in step 7, it is determined whether or not the processing has been completed for all the files stored on the disk 30, and when it is determined that an unprocessed file remains, the process returns to step 3. When it is determined that no processing file is left, the process proceeds to step 8 where virus checking is also performed on the original information stored in the original information management file 34 and the change difference information stored in the upgrade information management file 35. If it is determined whether or not the mode for performing the virus check is set and it is determined that the mode for performing the virus check is not set, the process returns to step 1.

  On the other hand, when it is determined that the original information stored in the original information management file 34 and the change difference information stored in the upgrade information management file 35 are also set to the virus check mode, the process proceeds to step 9. Then, one of the original information / change difference information is expanded as a work on the RAM 33, and in the subsequent step 10, whether the file expanded on the work is infected with a virus using the generated virus checker. Check for no. The virus check for the original information / change difference information is performed to cope with the appearance of a new type of virus.

  When it is determined that the virus is not infected according to this check process, the process proceeds to step 11 to record “0” in the infection flag (4) (5) of the file information management file 36 pointed to by the file. , Register that the file is not infected with a virus. On the other hand, when it is determined that the virus has been infected, the process proceeds to step 12 where “1” is recorded in the infection flag (4) (5) of the file information management file 36 pointed to by that file, thereby restoring the original. Register that the information is infected with a virus.

  Then, in the following step 13, when it is determined whether or not processing has been completed for all original information / change difference information, and it is determined that an unprocessed file remains, the process returns to step 9, and unprocessed When it is determined that no file remains, the process returns to step 1.

  In this way, the virus-compatible storage device 1 uses the virus checker to periodically store the files stored in the disk 30, the original information stored in the original information management file 34, and the upgrade information management file. It is checked whether or not the change difference information stored in 35 is infected with a virus, and the result is registered in the infection flag (1) (4) (5) of the file information management file 36. .

  16 and 17, the virus checker is activated in accordance with a specified cycle. However, the virus checker is activated upon receipt of a command issued from the personal computer 2a. May be taken. Further, in the processing flow of FIGS. 16 and 17, the configuration in which the virus-compatible storage device 1 operates the virus checker is employed, but the configuration in which the personal computer 2a is operated may be employed.

  On the other hand, when the virus-corresponding storage device 1 detects a virus-infected file by determining the file attribute of the write destination file, a write request to the file stored in the disk 30 from the personal computer 2a (this) When a write request is issued from the disk 30 to the personal computer 2a), as shown in the process flow of FIG. 18, first, in step 1, the file information management file 36 is updated. By referring to the flag value in the start-up unit flag area, it is determined whether or not the writing destination file is the boot area / IPL area.

  When it is determined that the write destination file is the boot area / IPL area in accordance with the determination process of step 1, the process proceeds to step 2 to confirm that the file that issued the write request is infected with a virus. Judgment and recording that the file is infected by recording “1” in the infection flag (2) of the file information management file 36 pointed to by the file. After notifying the computer 2a that the file requesting writing is a virus-infected file, the processing is terminated without performing the writing processing.

  On the other hand, when it is determined in step 1 that the file to be written is not the boot area / IPL area, the process proceeds to step 4 to refer to the execution / data flag area flag value of the file information management file 36. When it is determined whether the writing destination file is an execution format file or a data format file, and when it is determined that the file is a data format file, in step 5 the writing to the file is performed. Execute the process and end the process.

  On the other hand, when it is determined in step 4 that the write destination file is an executable file, it is determined that there is a high possibility that the file that issued the write request is infected with a virus. Proceeding to step 6, while notifying that fact, a message indicating whether or not to write is output to the personal computer 2a, and a response is received.

  When it is determined in step 6 that the response from the personal computer 2a does not instruct writing, the process proceeds to step 7 where the file information management file 36 pointed to by the file that issued the write request is stored. By recording “1” in the infection flag (3), it is registered that the file is infected with a virus, and the process is terminated.

  Here, even when the write request source file writes to itself, “1” is recorded in the infection flag (3) of the file information management file 36 pointed to by the file. In the present invention, in addition to the reason that the file that performs the operation of writing to the file is highly likely to be infected with a virus, in the present invention, the version difference of the file is registered in the version upgrade information management file 35. The reason for this is that it has a configuration in which the version upgrade is illegal.

  On the other hand, when it is determined in step 6 that the response from the personal computer 2a is an instruction for writing, the writing request source file is still likely to be infected with a virus. Since it is instructed that it does not matter, the process proceeds to step 8 to execute the writing process for the writing destination file, and then in step 9 the writing source file and the writing destination file are pointed to. By recording “1” in the infection flag (3) of the file information management file 36, it is registered that these files are infected with a virus, and the process is terminated.

  In this way, in the virus-compatible storage device 1, when a write request for a file stored in the disk 30 is issued, the write destination file is a boot area, IPL area, or executable file. In some cases, it is determined that the write request source file is infected with a virus, and it is registered in the infection flag (2) (3) of the file information management file 36. When the write destination file is the boot area or the IPL area, processing is performed so as not to execute the write process. When the write destination file is an executable file, the write process is performed according to the interactive process. Determine whether or not to execute the process, and if the write process is to be executed, determine that the write destination file will also be infected by a virus, and notify the file information management file It is registered in 36 infection flags (3).

  Next, processing for a virus-infected file executed by the virus-compatible storage device 1 will be described.

  When there is a loading request for a file (executable file) stored in the disk 30 from the personal computer 2a, the virus-compatible storage device 1 receives an infection flag (1) in the file information management file 36 as shown in the processing flow of FIG. ) (2) By referring to (3), it is checked whether or not the file requested for loading is infected with a virus, and when it is determined that the file is not infected with a virus, the file is personalized. When the computer 2a is instructed to start execution by loading, on the other hand, when it is determined that the computer is infected by a virus, the file is prevented from being executed by rejecting the loading of the file.

  As described above, the virus-corresponding storage device 1 performs control so that a virus-infected file registered in the file information management file 36 is not executed. Therefore, files that have been detected as being infected by the virus checker are never executed, and the check process of the virus checker is bypassed. It will not be executed again, and virus growth can be reliably prevented.

  Note that the processing flow of FIG. 19 adopts a configuration in which execution is uniformly rejected for those infected by viruses, but a program may be created with a pattern similar to viruses. Since there is also a virus checker inspection error, a configuration may be adopted in which it is determined whether to cancel the rejection of the execution by interacting with the personal computer 2a.

  On the other hand, when a command instructing recovery of a virus-infected file stored in the disk 30 is issued from the personal computer 2a, the virus-compatible storage device 1 first, as shown in the processing flow of FIG. In step 1, by referring to the infection flag (1) (2) (3) of the file information management file 36, one file infected with a virus is taken out and deleted from the disk 30. Subsequently, in step 2, the data of the deleted file is deleted from the file information management file 36.

  Subsequently, in step 3, while referring to the infection flag (4) of the file information management file 36, the original information of the file not infected with the virus is read from the original information management file 34, and the file information management file 36 is read. Referring to the infection flag (5), the latest difference change information of the file not infected with the virus is read from the original information management file 34, and the deleted file is restored by merging them to restore the disk. Expand to 30. Subsequently, after the recovery file data is registered in the file information management file 36 in step 4, it is determined in step 5 whether or not an unprocessed virus-infected file remains. If not, the process is terminated, and if remaining, the process returns to step 1.

  In this way, the virus-compatible storage device 1 deletes the virus-infected file from the disk 30 and restores the file that is not infected by the virus from the original information and the change difference information of the file. It is processed so as to be developed on the disk 30.

  In the processing flow of FIG. 20, the virus infected file recovery is executed when a virus infected file recovery command is issued from the personal computer 2a. However, when the prescribed cycle is reached. In addition, a configuration may be adopted in which recovery of a virus-infected file is executed by executing this processing. By adopting this configuration, it becomes possible to autonomously recover a file infected with a virus regardless of the personal computer 2a. In addition, in the processing flow of FIG. 20, a configuration has been adopted in which the latest differential change information that is not infected with a virus is used to restore the virus-infected file to the newest, but an instruction from the personal computer 2a is used. A configuration may be adopted in which recovery is performed using the change difference information indicated by the history information with the error.

  When the processing flow of FIG. 20 is followed, the virus-compatible storage device 1 executes processing for restoring a virus-infected file to one that is not infected by the virus. At this time, the processing flow shown in FIG. As described above, it is also possible to adopt a configuration in which the file infected with the virus and the virus information of the virus-infected file are saved in the non-executable area 37.

  That is, when the virus compatible storage device 1 follows the processing flow of FIG. 21, when a command instructing recovery of a virus infected file stored in the disk 30 is issued from the personal computer 2a, first, In step 1, by referring to the infection flag (1) (2) (3) of the file information management file 36, one file infected with a virus is taken out. Subsequently, in step 2, using the virus checker developed in advance, the virus information of the extracted virus-infected file is specified. Subsequently, in step 3, the extracted virus infected file and the virus information specified in step 2 are saved in the inexecutable area 37. Subsequently, in step 4, the extracted virus infected file is deleted from the disk 30.

  Subsequently, in step 5, the data of the deleted file is deleted from the file information management file 36. Subsequently, in step 6, while referring to the infection flag (4) of the file information management file 36, the original information of the file not infected by the virus is read from the original information management file 34, and the file information management file 36 is read. Referring to the infection flag (5), the latest difference change information of the file not infected with the virus is read from the original information management file 34, and the deleted file is restored by merging them to restore the disk. Expand to 30. Subsequently, after the recovery file data is registered in the file information management file 36 in step 7, it is determined in step 8 whether or not an unprocessed virus-infected file remains. If not, the process is terminated, and if remaining, the process returns to step 1.

  In this way, the virus-compatible storage device 1 deletes the virus-infected file from the disk 30 and restores the file that is not infected by the virus from the original information and the change difference information of the file. At the time of development on the disk 30, the file infected with the virus and the virus information held by the file are processed so as to be saved in the non-executable area 37.

  The virus-infected file saved in the non-executable area 37 and the virus information held by the file are extremely useful information for analyzing the invading virus. However, if anyone can access such useful information, there is a risk that it will be rewritten by mistake.

  Therefore, when a command instructing the reading of the save information of the non-executable area 37 is issued from the personal computer 2a, the virus-compatible storage device 1 firstly, as shown in the processing flow of FIG. 13 is requested to input the ID and password registered in the processing flow of 13, and the ID and password input in response to the request are collated with those registered in the processing flow of FIG. Are read and the virus-infected file and virus information saved in the inexecutable area 37 are read and output to the personal computer 2a. When the personal computer 2a issues a request to delete the extracted virus-infected file and virus information, a process for deleting the file is executed.

  In this way, the virus-compatible storage device 1 performs processing so as to read out the virus-infected file and virus information saved in the non-executable area 37 on condition that the ID and the password match.

  The processing flow in FIG. 22 employs a configuration in which the save information of the non-executable area 37 is read when a read command for the non-executable area 37 is issued from the personal computer 2a. A configuration may be adopted in which the save information of the non-executable area 37 is read out by executing this process when the process reaches. In addition, in order to maintain further confidentiality, a virus infection file saved in the non-executable area 37 and a coding mechanism for converting virus information into code data are prepared, and the code data generated by the coding mechanism is not executed. A restoration mechanism is prepared that stores the data in the executable area 37 and executes reverse conversion processing of the encoding mechanism, and reads the virus-infected file and virus information saved in the non-executable area 37 through the restoration mechanism. You may make it go.

  In this way, in the virus-compatible storage device 1 of the present invention, as shown in FIG. 23, the virus checker 40 (may be executed by the personal computer 2a or may be executed by the virus-compatible storage device 1). ) Checks whether the file developed on the disk 30 is infected with a virus or not, and receives the check result and registers it in the file information management file 36, so that the disk 30 is stored with the file information management file 36. If a file to be expanded on the disk 30 is managed to determine whether or not it is infected with a virus, as shown in FIG. 24, when a request to use the file to be expanded on the disk 30 is made via the personal computer 2a. By referring to the file information management file 36, the file that is requested to use it will be To determine whether it is infected with, if they are infected with a virus, by taking measures to prohibit the use, it is to realize the prevention of viral growth.

  23 and 24, reference numeral 41 denotes a management file registration reference mechanism for registering data in the file information management file 36 and referring to data in the file information management file 36. Further, when the virus checker 40 is configured to be executed by the virus-compatible storage device 1, virus infection check processing can be executed in parallel with the operation of the personal computer 2a, and virus infection can be performed at night. The check process can be executed. When the virus checker 40 is executed by the personal computer 2a, the virus checker 40 may be prepared separately without loading from the virus-type storage device 1. In addition, the numerical value with a circle in a figure represents the order of a process.

  Further, in the virus correspondence type storage device 1 of the present invention, as shown in FIG. 25, an original information management file 34 that encodes and manages the original information of the file, and a version upgrade that encodes and manages the change difference information of the file. An information management file 35; a file generation mechanism 42 that generates a file by restoring and merging the encoded data of the original information and the change difference information; and a deletion mechanism 43 that deletes a file stored in the disk 30. When it is determined that a file requested to be used is infected with a virus, the virus infected file is deleted from the disk 30 using the deletion mechanism 43 and the file generation mechanism 42 is used. Restore the virus-infected file to one that is not infected with the virus. Since a configuration to deploy the disc 30, it becomes possible to operate the system with minimal installation process. In addition, the numerical value with a circle in a figure represents the order of a process.

  Further, in the virus correspondence type storage device 1 of the present invention, as shown in FIG. 26, a timer 44 that periodically issues an instruction for virus check processing (as shown in FIG. 27, may be provided in the personal computer 2a). Furthermore, the code information of the original information of the virus checker 40 is stored in the original information management file 34, and the code data of the change difference information of the virus checker 40 is stored in the upgrade information management file 35. When the timer 44 issues a virus check processing instruction, the file generation mechanism 42 generates the virus checker 40, and the virus checker 40 generated in this manner (when executed by the personal computer 2a or a virus response). Type storage device 1). While checking whether or not the file developed in the file 30 is infected with a virus and registering the check result in the file information management file 36, the virus checker 40 is prevented from being infected with the virus. , Preventing the invasion of viruses. In addition, the numerical value with a circle in a figure represents the order of a process.

  In addition, as shown in FIG. 28, the virus-compatible storage device 1 of the present invention is provided with a virus check activation mechanism 45 that issues a virus check processing instruction in response to an instruction from the personal computer 2a, and further includes original information. The virus check activation mechanism 45 is configured to store the code data of the original information of the virus checker 40 in the management file 34 and the code data of the change difference information of the virus checker 40 in the upgrade information management file 35. When the check processing instruction is issued, the file generation mechanism 42 generates the virus checker 40, and the virus checker 40 generated in this manner (when executed by the personal computer 2a or executed by the virus-compatible storage device 1). May be) While checking whether or not the file developed in the file 30 is infected with a virus and registering the check result in the file information management file 36, the virus checker 40 is prevented from being infected with the virus. , Preventing the invasion of viruses. In addition, the numerical value with a circle in a figure represents the order of a process.

  In addition, as shown in FIG. 29, the virus-corresponding storage device 1 of the present invention is provided with a dedicated system writing mechanism 46 for writing in the boot area or IPL area of the disk 30, and uses this system writing mechanism 46. In such a case, a configuration is adopted in which a write operation to the boot area or IPL area of the disk 30 is permitted. This is because the file that performs the write operation in the boot area or the IPL area of the disk 30 is determined to be infected with a virus, and its execution is prohibited. This is for providing a normal writing operation.

  In the embodiment described above, in addition to a virus-infected file detected by the virus checker 40, a file that performs a write operation on a boot area, an IPL area, or an executable file is infected with a virus. In addition to this, when the size of the file changes due to execution, it is determined that the file stored in the disk 30 is infected with a virus (for example, periodically determined). If the file information management file 36 is applied for in the data format even though the file stored in the disk 30 is determined to be in the executable format from the file name, It is determined that the stored file is infected with a virus (for example, it is determined at the start of processing) For a file that is stored in the disk 30 but has no original information registered in the original information management file 36 and no change difference information registered in the upgrade information management file 37, the file stored in the disk 30 It is possible to further prevent the virus infection by determining that the virus is infected with the virus (determining periodically or during file access).

  Here, the check process of whether or not the size of the file changes due to execution includes, for example, merging the original information managed in the original information management file 34 and the change difference information managed in the upgrade information management file 35. Thus, a file is generated, and the size of the generated file is compared with the size of the file stored in the disk 30 for execution.

It is a principle block diagram of this invention. 1 is an example embodiment of the present invention. It is explanatory drawing of a non-executable area | region. It is another example embodiment of the present invention. It is another example embodiment of the present invention. It is another example embodiment of the present invention. It is another example embodiment of the present invention. It is another example embodiment of the present invention. It is explanatory drawing of a file production | generation process. It is explanatory drawing of a file storage process. It is explanatory drawing of a conversion table. It is an example of an embodiment of a data structure of a file information management file. It is an example of 1 embodiment of the processing flow which this invention performs. It is an example of 1 embodiment of the processing flow which this invention performs. It is an example of 1 embodiment of the processing flow which this invention performs. It is an example of 1 embodiment of the processing flow which this invention performs. It is an example of 1 embodiment of the processing flow which this invention performs. It is an example of 1 embodiment of the processing flow which this invention performs. It is an example of 1 embodiment of the processing flow which this invention performs. It is an example of 1 embodiment of the processing flow which this invention performs. It is an example of 1 embodiment of the processing flow which this invention performs. It is an example of 1 embodiment of the processing flow which this invention performs. It is explanatory drawing of this invention. It is explanatory drawing of this invention. It is explanatory drawing of this invention. It is explanatory drawing of this invention. It is explanatory drawing of this invention. It is explanatory drawing of this invention. It is explanatory drawing of this invention. It is explanatory drawing of a memory | storage device.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Virus corresponding | compatible memory | storage device 2 Data processing apparatus 10 Disk 11 1st management means 12 2nd management means 13 File registration means 14 Generation means 15 Virus checker 16 Infection table means 17 Table registration means 18 Judgment means 19 Prohibition means 20 Determination Means 21 Recovery means 22 Invalidation means 23 Writing means 24 Permission means 25 Non-executable area 26 Retraction means 27 Reading means

Claims (18)

A virus checker for detecting a virus-containing file from a storage device;
A conversion unit for converting the file detected by the virus checker into another code data;
A restoration unit that reversely transforms the converted code data and restores the file before the conversion;
A device comprising:   The apparatus according to claim 1, further comprising a save unit that saves the code data converted by the conversion unit to a specific area of the storage device.   3. The apparatus according to claim 2, wherein the specific area is an area for isolating a file containing a virus from a file not containing a virus.   The apparatus according to any one of claims 1 to 3, wherein the conversion unit renders the file containing the virus in an inexecutable state.   The apparatus according to claim 1, further comprising a management unit that manages the converted code data.   The apparatus according to claim 5, wherein the management unit deletes the converted code data. A storage unit for storing files;
A virus checker for detecting a file containing a virus from the storage unit;
A conversion unit for converting the file detected by the virus checker into another code data;
A restoration unit that reversely transforms the converted code data and restores the file before the conversion;
A storage device comprising:   The storage device according to claim 7, further comprising a saving unit that saves the code data converted by the conversion unit in a specific area of the storage unit.   9. The storage device according to claim 8, wherein the specific area is an area for isolating a file containing a virus from a file not containing a virus.   The storage device according to claim 7, wherein the conversion unit renders the file containing the virus in an inexecutable state.   The storage device according to claim 7, further comprising a management unit that manages the converted code data.   The storage device according to claim 11, wherein the management unit deletes the converted code data. In a file processing method of a storage device for storing a file,
Reading the file from the storage device and checking if the file is infected with a virus;
A conversion step of converting the virus-infected file detected in the checking step into another code data;
A storage step of storing the converted code data in the storage device;
A restoration step of inversely transforming the converted code data and restoring it to a file before conversion;
A file processing method comprising:   14. The file processing method according to claim 13, wherein the storing step writes the converted code data in a specific area of the storage device.   15. The file processing method according to claim 14, wherein the specific area is an area that isolates a virus-infected file from a file that does not contain a virus.   16. The file processing method according to claim 13, wherein the conversion step sets the virus-infected file to an inexecutable state.   The file processing method according to claim 13, further comprising a management step for managing the converted code data.   18. The file processing method according to claim 17, wherein the management step deletes the converted code data.

Images