JP2011100329A - Computer - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a computer for detecting any virus infecting a system area such as MBR (Master Boot Record) before an OS starts, and restricting (or prohibiting) the use of the computer in an environment that does not satisfy environmental conditions set in advance. <P>SOLUTION: In a PC with an encryption hardware module and an encryption hard disk which are defined by TCG (Trusted Computing Group), a BIOS (Basic Input/Output System) calculates a hash value of a program in an accessible area without authentication of the encryption hardware, stores the hash value in the encryption hardware module and supplies it to the program. The program performs an authentication process for the hard disk, and performs a virus check after the authentication. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to virus detection and use restriction of a personal computer (hereinafter referred to as a PC) equipped with a hard disk based on the Storage WG standard of the Trusted Computing Group (TCG).

One type of computer virus is infected with Master Boot Recode (MBR).
The MBR is a program that is processed when the computer is started, and neither the OS nor the existing anti-virus program is activated, and it is generally difficult to detect viruses. As one of the solutions, there is a virus removal method as disclosed in Patent Document 1.
On the other hand, as a hardware for realizing security on a PC, a security chip Trusted Platform Module (TPM) that performs encryption as listed in Non-Patent Document 1 defined by the Trusted Computing Group (TCG) that defines security-related industry standards There are industry standards for encryption disks and non-patent literature 2 for encryption disks.

Japanese Patent Laid-Open No. 11-085503

Trusted Computing Group, TCG Specification, Architecture Overview, Specification, Revision 1.4, 2nd August 2007, p6-p19

Trusted Computing Group, TCG Storage Architecture, Core Specification, Specification Version 1.0, Revision 0.9, May 24, 2007, p71-p77

In the technique disclosed in Patent Document 1, it is necessary to use special hardware including a gate, a ROM, and the like, and problems remain in introduction and cost. As a virus detection method, a virus check program in the disk unit is used. However, depending on the virus attack method, this program may be destroyed or startup may be hindered. Absent.
Further, in the techniques disclosed in Non-Patent Documents 1 and 2 described above, it is described that the encryption disk is used or the processing of the program is taken over using a security chip that is special hardware. It is not specifically described how to detect a virus infected with MBR.

An object of the present invention is to provide a computer that can detect a virus that infects a system area such as MBR before an OS (operating system) is started.
Another object of the present invention is to provide a computer capable of restricting (or prohibiting) use of a computer in an environment other than preset environmental conditions together with detection of a virus.

In order to achieve the above object, the computer according to the present invention uses a security chip called TPM and an encrypted hard disk standardized by TCG and can be used in a system area such as an MBR, an OS, and a memory without special hardware. Infected virus is detected when the PC is started.
Specifically, a cryptographic hardware module that decrypts encrypted data with an internal key, and outputs a decryption result when a condition value included in the decrypted data matches an internal register value, and a program to access In a computer equipped with a hard disk divided into a first area that can be accessed after authenticating with a legitimate program and a second area that can be accessed without authentication,
The computer startup program calculates the hash value of the second area accessible without authentication of the hard disk, stores it in the internal register of the cryptographic hardware module, and loads the second area program into the memory. The program in the second area to which the process has been delivered performs authentication processing on the hard disk, obtains authentication that it is a regular program, accesses the first area, and The program in the area is loaded into the memory.
Further, the program in the second area performs authentication processing on the hard disk by sending a password included in the program to the hard disk.
In addition, the program in the second area sends the encrypted data included in the program to the cryptographic hardware module, and the cryptographic hardware module decrypts the decrypted data with the key inside. The condition value and the hash value of the second area stored in the internal register are compared, and if they match, the decoded data is output, and the decoded data is received by the program in the second area, The authentication process for the hard disk is performed by sending the password included in the hard disk to the hard disk.
In addition, the program in the second area sends the encrypted data included in the program to the cryptographic hardware module, and the cryptographic hardware module decrypts the decrypted data with the key inside. The condition value and the hash value of the second area stored in the internal register are compared, and if they match, the key included in the decrypted data is stored inside, the handle of this key is output, and the second A program in the area receives the handle, and performs authentication processing on the hard disk using the key in the cryptographic hardware module based on the handle.
In addition, after the program in the second area calculates the hash value of the program in the first area after authenticating the hard disk and stores the hash value in the internal register of the cryptographic hardware module, the program is stored in the memory. The program that has been loaded and handed over and the process handed over continues processing.
Further, the program to which the process has been delivered performs a virus inspection of the first area.
In addition, the program handed over the processing inquires the activation monitoring server whether the activation is possible, and when the server cannot be accessed or is denied even if it can be accessed, an error is displayed and the subsequent processing is stopped. Features.

After booting the PC, before the OS is booted, the program in the Shadow MBR, which is an area that can be accessed without authentication to the hard disk by the BIOS, is started, and after checking that this program has not been tampered with, the virus scan of the hard disk Therefore, even if a system area such as MBR is infected with a virus before the OS is started, it can be detected reliably and the countermeasure can be executed before the OS is started.
Further, if authentication is performed on the hard disk, authentication can be performed only with a specific TPM, and even if the hard disk is attached to another PC for activation, the authentication fails, the activation cannot be performed, and the disk cannot be accessed.
Further, in order to check whether or not the Shadow MBR hash value recorded in the internal register of the TPM is correct when decrypting the data, the altered Shadow MBR cannot authenticate the hard disk and cannot start the PC.
Furthermore, apart from virus inspection, the usage environment conditions are set, and if they do not match the preset usage environment conditions, the activation of the PC may be limited by time, number of times, location, etc. it can.

1 is an overall configuration diagram showing an embodiment of the present invention. It is explanatory drawing explaining operation | movement after starting of PC by this invention. It is a flowchart which shows the process from BIOS at the time of PC starting to MBR. It is a flowchart which shows the process in the case of decoding a password by TPM and authenticating to a hard disk. It is a flowchart which shows the process in the case of authenticating to a hard disk using the public key encryption function of TPM. It is a flowchart which shows PC starting restrictions.

Hereinafter, the present invention will be described in detail based on illustrated embodiments.
FIG. 1 is an overall configuration diagram showing an embodiment of a PC to which the present invention is applied.
In FIG. 1, reference numeral 101 denotes a PC CPU. Reference numeral 102 denotes a TPM. Usually, it is on the same motherboard as the CPU, and is considered to be integrated with the CPU and PC. Reference numeral 103 denotes a memory. A program executed by the CPU 101 is loaded into the memory 103 and executed. Reference numeral 104 denotes a BIOS program. The entity is recorded on the ROM and is directly executed without being loaded into the RAM (memory) 103. Reference numeral 105 denotes a hard disk. This hard disk complies with Non-Patent Document 2 and can only read the Shadow MBR at startup. If the authentication is successful, the mode can be shifted to a mode that can access the Shadow MBR, or the mode can be shifted to a mode that can access the hard disk including the MBR.
Reference numeral 108 denotes an MBR at address 0 after authentication on the hard disk 105. Normally, the MBR stores a bootstrap code and a partition table.
Reference numeral 109 denotes a Shadow MBR at address 0 immediately after the activation on the hard disk 105. Here, the processing program which is the center of the present invention is included.

First, before explaining the operation of the embodiment, an outline of PC activation, TPM standardized by TPG, and Shadow MBR will be explained.
The procedure for starting up the PC is roughly as follows.
When the power is turned on, BIOS (Basic I / O system) tests and initializes the hardware, loads the program in the MBR into the memory (RAM), and takes over the processing. The program that took over the process searches the partition table, loads the boot sector in the designated partition into the memory, and takes over the process. The program in this boot sector loads the OS loader and takes over the processing. The OS loader loads the OS into the memory and starts the OS.

  As described above, when the PC is started up, the BIOS, MBR program, the program in the partition, the OS loader, and the OS are successively loaded into the memory, and control is transferred. In order to ensure the reliability of the program on the PC, the TCG stipulates that the program calculates the hash value of the program to which control next passes, records the result in a register in the TPM, and passes control. According to this method, if the program in the first BIOS can be trusted, it can be confirmed that the OS and applications are also reliable programs without falsification.

A secure hard disk Shadow MBR described in Non-Patent Document 2 will be described.
In the Shadow MBR, the MBR of the hard disk in the initial state when the PC is started is different from the MBR in the conventional sense. Until now, a secure hard disk or encrypted hard disk required a password to start the PC. In other words, an authentication password is required to access the hard disk when the PC is started, and the user has entered it. The hard disk itself was encrypted, and the disk including MBR could not be accessed unless the hard disk drive was successfully authenticated.
On the other hand, as user authentication methods, methods using biometrics such as fingerprints and methods using cryptographic tokens in addition to passwords are beginning to become widespread, and it is expected that similar methods will be required for authentication against hard disks. Is done. However, in comparison with password authentication, biometric authentication and authentication using a cryptographic token are complicated in processing and large in program size. As shown in the outline of PC startup, the BIOS performs the process before accessing the hard disk. However, the BIOS is complicated and has a program size limit to perform a large process.
In Non-Patent Document 2, which is a new standard for TCG, when the hard disk at the time of PC startup is in the initial state, there is a Shadow MBR with a large size at the position of the conventional MBR, and authentication to the hard disk has succeeded. The original MBR can be accessed for the first time. The authentication program for biometric authentication and cryptographic token is stored in the Shadow MBR, and is called from the BIOS to execute the authentication process. After successful authentication, the original MBR can be accessed and can be started as usual. .

  The present invention uses the above two TCG technologies to safely detect a virus when the PC is started. That is, the BIOS calculates the hash value of the Shadow MBR, stores it in the TPM, loads the program on the Shadow MBR into the memory, and passes the processing. The Shadow MBR program performs authentication processing on the hard disk, and when the original MBR becomes accessible, it searches for viruses including the MBR. If no virus is detected, the program in the MBR is Load to memory and take over processing.

There are a plurality of authentication processing methods performed on the hard disk by the program in the Shadow MBR.
The first authentication method is a method in which a password is simply included in a program, which is sent to a hard disk for authentication. If the password is correct, the hard disk determines that the correct PC or program on the PC is accessing, and shifts to a mode in which the hard disk including the original MBR can be accessed.

  The second authentication method is a method in which a password encrypted by using the TPM_Unseal command of the TPM is decrypted by the TPM and this password is used. At the time of this decryption, the TPM checks whether the hash value of the Shadow MBR calculated by the BIOS and stored in the TPM is correct. Therefore, the decrypted Shadow MBR cannot be decrypted. Can not. Whether or not the hash value is correct can determine the state of the PCR that is a condition for decryption when the password is encrypted with the TPM_Seal command.

  The third authentication method is a public key encryption based method using a signature function in a TPM or an authentication token. The key used for the signature is previously encrypted using the TPM_CreateWrapKey command. The Shadow MBR uses the TPM_LoadKey2 command to decrypt this data in the TPM, and uses the signature generated by the TPM using this key for authentication to the hard disk. This command is also decrypted after confirming whether the hash value of the Shadow MBR is correct, that is, whether the Shadow MBR has been tampered with, as in the previous TPM_Unseal.

There are also multiple virus scanning methods.
First, the Shadow MBR has a network function and searches for a virus in the hard disk while referring to a virus pattern outside the PC.
Secondly, the hash value of the hard disk corresponding to the system part is calculated and compared with the hash value of the Shadow MBR or the hash value outside the PC via the network. It is a trick.
A third method is to download an image of a system that does not contain the latest virus from a network and copy it to a hard disk.

  Using Shadow MBR, in addition to detecting viruses or tampering, it tests whether Shadow MBR can access a specific server on the in-house network. If it is not accessible, it judges that the PC has been taken outside the company. By stopping the PC activation process, it is possible to prevent the use of the PC outside the company. In addition, the Shadow MBR can inquire whether the PC can be activated to the specific server, or can be stopped if the activation time is outside the permitted activation time inquired to the time server and recorded in the activation permitted time. In addition, the number of PC activations can be recorded in the Shadow MBR to limit activation.

FIG. 2 is an explanatory diagram showing an outline of the operation of the computer according to the present invention.
First, an MBR 108 that performs OS boot processing is stored in a first area that is accessible after authentication of the hard disk 105. Also, a Shadow MBR 109 for performing hard disk authentication processing and virus detection is stored in the second area accessible without authentication of the hard disk 105.
The Shadow MBR 109 is activated by the BIOS 104 via the control switches 111 and 110 before the OS is activated and before the hard disk is authenticated. The activated Shadow MBR 109 sends to the TPM 102 encrypted data (encrypted using the TPM_Seal command of the TPM 102) including condition values such as a password for hard disk authentication and a hash value of the Shadow MBR 109.
In the internal register of the TPM 102, the hash value of the Shadow MBR 109 calculated by the BIOS 104 is stored in advance as a condition value.
Therefore, when encrypted data is sent from the Shadow MBR 109, the TPM 102 decrypts the encrypted data with the internal key. Then, the decrypted condition value is compared with the condition value stored in the internal register, and if they match, the decrypted password is returned to the Shadow MBR 109. That is, if the Shadow MBR 109 has not been tampered with, the hash values should match, so the decrypted password is returned to the Shadow MBR 109.

The Shadow MBR 109 that has received the decrypted password sends the password to the hard disk 105. If the hard disk 105 matches the password set in itself, the hard disk 105 is regarded as an access from a legitimate program, and the MBR 108 stored in the first area becomes accessible. The control switch 110 is switched.
When the process moves to the MBR 108, the OS boot process is executed, and the control switch 111 is further switched to load the OS into the RAM 103.

FIG. 3 shows an outline of the virus detection process after the PC is started.
In step 310, the BIOS 104 program started after the CPU test is started. When activated, the hardware is tested and initialized. If there is no problem, the hash value of the entire Shadow MBR 109 on the hard disk 105 is calculated, the result is stored in the internal register of the TPM 102, and the program on the Shadow MBR is stored in the memory. 103 and pass control.
This process is a process immediately after startup, and the address 0 of the hard disk 105 is the Shadow MBR 109. If the authentication to the hard disk 105 is successful, the address 0 becomes the conventional MBR 108.
Note that the TPM 102 stores the hash value in a register called TPM's Platform Credential Register (PCR). There are a plurality of registers, and their usage differs depending on the system. However, in the present invention, since only the hash value of the Shadow MBR is focused on, it will be described assuming that there is only one PCR, but this narrows the scope of claims of the present invention. It is not a thing.

In step 320, authentication processing for the hard disk 105 is performed. There are a plurality of authentication processing methods, which will be described later. If the authentication process fails, the user is notified of the fact and the process is stopped.
In step 330, the authentication process for the hard disk 105 has been successful, and the entire hard disk 105 including the MBR 108 can be accessed except for the Shadow MBR 109. The program in the Shadow MBR on the RAM 103 performs a virus search on the hard disk. If a virus is found, it notifies the user and stops the process.
In step 340, the bootstrap code of the MBR 108 at address 0 of the hard disk 105 is loaded into the memory 103 and control is passed. The subsequent processing is the same as normal PC activation, and is out of the scope of the present invention.

Here, the authentication process for the hard disk 105 performed in step 320 will be described.
As a first authentication method, there is simple password authentication. In this method, authentication is performed by transmitting the password in the Shadow MBR 109 to the hard disk. This method is not recommended because the Shadow MBR 109 can be read if the hard disk is connected to a PC that is not the boot disk, and the password may be stolen if the program is analyzed.
The following second and third authentication methods solve this problem and can be performed only by a specific PC on which a specific TPM 102 is mounted. That is, even if connected to another PC, this is a very secure authentication method that does not work if the TPM is another TPM.

As a second authentication method, there is password authentication combined with TPM, which will be described with reference to FIG.
In step 410, the Shadow MBR 109 sends the encrypted data including the password to the TPM 102. Specifically, the TPM standard TPM_Unseal command is used. The following steps 420 to 440 are a part of the operation of the TCG standard TPM, and only the part related to the present invention will be described.
In step 420, the TPM 102 decrypts the received encrypted data using a key accessible only within the TPM 102.
In step 430, the TPM 102 compares the portion related to the PCR information in the decoded data with the current PCR state. If they do not match, an error is returned and the process is terminated.
In the present invention, the current PCR contains the hash value of Shadow MBR 109 described in step 310 and should match.
In step 440, if the PCR information matches, the TPM 102 sends the decrypted password back to the Shadow MBR 109.
In step 450, the Shadow MBR 109 transmits the password received from the TPM 102 to the hard disk for authentication.
Note that the encrypted data sent by the Shadow MBR 109 to the TPM 102 in step 410 is created using the TPM_Seal command. That is, the password is encrypted with the key in the TPM 102, but the decryption condition using the TPM_Unseal specifies that the PCR holds the hash value of the Shadow MBR and encrypts it using the TPM_Seal. is there. For this reason, in step 430, the TPM 102 checks the PCR status.

This method is much safer than the first method. This is because the conditions that can be decrypted are limited to the PC on which the corresponding TPM 102 is mounted, and the decryption is performed only when the specific PCR state, that is, the hash value of the MBR is specific. As a result, the computer is activated only by a combination of a specific PC and a specific hard disk, and even if the hard disk is connected to another PC, authentication to the hard disk fails and access is impossible.
However, an attacker who has a device that can access data exchanged between the PC, memory, TPM, and hard disk may have the password stolen. The next third method is to prevent this, and the safety is further improved.
When using this authentication method, the hash value of the Shadow MBR is not simply obtained as a whole hash value, but the BIOS 104 calculates the hash value by masking the encrypted data portion.

Note that authentication similar to this method can be performed using an authentication token instead of the TPM. In other words, the password is encrypted with the authentication token key, which is stored in the program of the Shadow MBR 109, decrypted using the authentication token at the time of hard disk authentication, and the password is extracted and sent to the hard disk. However, this method is not recommended because if the hard disk is connected to another PC, the encrypted data on the Shadow MBR 109 is taken out and passed to the authentication token, the password may be stolen.
The above is the second authentication method in step 320.

As a third authentication method, there is authentication using public key cryptography combined with the TPM 102, which will be described with reference to FIG.
In step 510, the Shadow MBR 109 sends the encrypted data including the secret key to the TPM 102. Specifically, the standard TPM_LoadKey2 command of the TPM 102 is used. The following steps 520 to 540 and 580 are a part of the operation of the TCG standard TPM, and step 560 is a part of the operation of the TCG Storage compliant hard disk. Only the part related to the present invention will be described.
In step 520, the TPM 102 decrypts the received encrypted data using a key available in the TPM.
In step 530, the TPM 102 decodes and compares the part related to the PCR information in the data with the current PCR state. If they do not match, an error is returned and the process is terminated. In the present invention, the current PCR contains the hash value of the Shadow MBR 109 described in step 310 and should match.
In step 540, if the PCR information matches, the TPM 102 sets the decrypted secret key in the TPM 102 so that it can be used in the following processing, and sends the handle of this key back to the Shadow MBR 109.

In step 550, the Shadow MBR 109 notifies the hard disk 105 to start authentication after receiving the handle of the secret key from the TPM 102. Specifically, the StartSession method is activated.
In step 560, a random number required for authentication is generated and sent back to the Shadow MBR 109.
In step 570, the Shadow MBR 109 receives the random number and sends it to the TPM 102 to generate a signature for this data. Specifically, a TPM_Sign command is used. At this time, the handle received in step 550 is used.
In step 580, the TPM 102 generates a signature and sends it back to the Shadow MBR 109.
In step 590, the Shadow MBR 109 sends the signature received from the TPM 102 to the hard disk 105 for authentication.

Note that the encrypted data sent by the Shadow MBR 109 to the TPM 102 in step 510 is created using the TPM_CreateWrapKey command. That is, the private key is encrypted with the key in the TPM 102, but the decryption condition using the TPM_LoadKey2 specifies that the PCR holds the hash value of the Shadow MBR, and the result is encrypted using the TPM_LoadKey2. It is.
When using this authentication method, the hash value of the Shadow MBR 109 is not simply obtained as a whole hash value, but the BIOS 104 calculates the hash value by masking the encrypted data portion.

Next, an outline of virus search performed in step 330 will be described.
As a first virus search method, a virus pattern is held in the same manner as in the existing virus search method, and a search is made for the presence of this pattern on the hard disk 105. Since there are enormous amounts of patterns and cannot be stored in the Shadow MBR 109, a pattern is downloaded via the network, downloaded to the memory 104, stored in the memory 104, and searched.

  As a second virus search method, the entire hard disk 105 is not searched, but only an important part such as a system is searched. As an example of an important part, there is a method in which only a part corresponding to a host machine or a hypervisor is searched for a virus instead of a guest machine in a system using a virtualization technology. In addition, only the kernel part of the OS can be considered. As a search method, it is common to search for a virus pattern as in the first method.

  As a third virus detection method, there is a method in which a disk image guaranteed not to contain a virus is downloaded from a server via a network and copied to a hard disk instead of performing a search. There is also a method of copying only the system part such as the OS and the hypervisor instead of copying the entire hard disk.

Details of the PC activation restriction process that can be executed simultaneously with the virus search will be described with reference to FIG.
In most cases, the attack by a virus is infected by a virus before the PC user notices it, but the activation restriction limits the activation of the PC by the unauthorized or carelessness of the PC user himself / herself. As an example in which activation is limited, in the present embodiment, an example is shown in which activation outside the in-house network and activation exceeding the permitted number of activations outside the company are limited. Here, it is assumed that the activation permission count is held in a specific area of the Shadow MBR 109. This specific area is outside the hash value calculation by the BIOS program as in the second authentication method.

In step 610, as in step 320, the program in the Shadow MBR 109 performs authentication processing on the hard disk 105, and shifts to the rewritable mode of the Shadow MBR 109.
If it is determined in step 620 that the number of permitted activations recorded in the Shadow MBR 109 is 1 or more, the process jumps to step 630. If the activation permission count is 0, the activation is prohibited in principle and the server is inquired whether the activation is still possible.
In step 630, the number of times the Shadow MBR 109 is permitted to start is reduced by one, and the process jumps to step 640.

In step 640, the mode shifts from the Shadow MBR rewritable mode to the rewrite prohibit mode, loads the bootstrap code of the MBR 108 into the memory 103, passes control, and performs normal boot processing.
In step 650, the mode is shifted from the Shadow MBR rewritable mode to the rewrite prohibition mode, and the activation is stopped. At this time, a message is displayed on the display indicating that the operation has been stopped without permission.
In this embodiment, the activation permission number is recorded in the Shadow MBR. However, since the Shadow MBR may be falsified, the number of activations of the Shadow MBR is always set to 0 in order to prevent this. The server may be inquired. Further, instead of the Shadow MBR, it may be recorded in an MBR accessible after authentication. As another countermeasure, after confirming that the Shadow MBR has not been tampered with, re-encrypt the Shadow MBR by re-encrypting the encrypted data including the password, key, and PCR information with the TPM_Seal command and the TPM_CreateWrapkey command. Anyway.

101: CPU
102: TPM
103: Memory 104: BIOS
105: Hard disk 108: MBR accessible after authentication to the hard disk
109: Shadow MBR accessible before authentication to hard disk

Claims (7)

A cryptographic hardware module that decrypts encrypted data with an internal key and outputs a decryption result when the condition value contained in the decrypted data matches the value of the internal register, and the program to be accessed is a regular program In a computer equipped with a hard disk divided into a first area that can be accessed after authentication and a second area that can be accessed without authentication,
The computer startup program calculates the hash value of the second area accessible without authentication of the hard disk, stores it in the internal register of the cryptographic hardware module, and loads the second area program into the memory. The program in the second area to which the process has been delivered performs authentication processing on the hard disk, obtains authentication that it is a regular program, accesses the first area, and A computer which loads a program in the area of the memory into a memory.   The computer according to claim 1, wherein the program in the second area performs authentication processing on the hard disk by sending a password included in the program to the hard disk.   The program in the second area sends the encrypted data contained in the program to the cryptographic hardware module, the cryptographic hardware module decrypts the encrypted data with the key inside, and the decrypted condition value Are compared with the hash value of the second area stored in the internal register, and if they match, the decoded data is output. The decoded data is received by the program in the second area and included in the decoded data. The computer according to claim 1, wherein authentication processing for the hard disk is performed by sending the stored password to the hard disk.   The program in the second area sends the encrypted data contained in the program to the cryptographic hardware module, the cryptographic hardware module decrypts the encrypted data with the key inside, and the decrypted condition value Is compared with the hash value of the second area stored in the internal register, and if they match, the key included in the decrypted data is stored inside, the handle of this key is output, and the second area is stored. The computer according to claim 1, wherein a given program receives the handle and performs authentication processing on the hard disk using a key in the cryptographic hardware module based on the handle.   The program in the second area calculates the hash value of the program in the first area after authenticating the hard disk, stores it in the internal register of the cryptographic hardware module, and then loads the program into the memory The computer according to claim 1, wherein the program is handed over, and the program handed over the process continues processing.   The computer according to claim 5, wherein the program to which the process has been delivered performs a virus inspection of the first area.   The program handed over the processing inquires the activation monitoring server whether or not activation is possible, and if the server cannot be accessed or can be accessed but does not match the preset usage environment conditions, an error is displayed and the subsequent processing is performed. The computer according to claim 5, wherein the computer is stopped.

Images