JP2019125243A - Malware detecting system and malware detecting method - Google Patents

Abstract

To provide a system for and a method of analyzing and detecting malware in the same environment as that of a user with a limited resource.SOLUTION: A malware detecting system for analyzing a file attached to an email has a mail server for receiving an email including an attached file addressed to a client terminal and for selecting a kind of a sandbox environment based on information included in the received email to transmit the selection result and the attached file for analysis in the sandbox environment, and a sandbox management apparatus for receiving the selection result and the attached file transmitted by the mail server and for executing the received attached file, in accordance with the received selection result, in a clone sandbox environment established by using an environment of the client terminal or a standard sandbox environment established without utilizing the environment of the client terminal, thereby analyzing the attached file.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a malware detection system and a malware detection method.

  Organizations such as companies generally use the Internet to transmit and receive information in order to work in cooperation with other organizations. On the other hand, there are malicious users on the Internet, and if they receive emails with malicious programs such as malware sent from those users and execute them without being aware of their maliciousness, they will be sent outside the organization. It may cause information leakage and system down in the organization.

  As a countermeasure against such a malicious program, a technology for detecting and eliminating file patterns is used. Such techniques are effective for known malicious programs, but it is difficult to detect and eliminate unknown or new kinds of malignant programs.

  In addition, there is also a method of preparing an environment which is not damaged even if a malignant program is executed, and to execute a file having a possibility of the malignant program to confirm the operation. A representative example of such a method is a technique of executing a file to be analyzed in an externally isolated virtual machine environment called a sandbox shown in Patent Document 1.

JP, 2017-129893, A

  In the sandbox shown in Patent Document 1, a virtual machine adapted to the user environment is selected and used, but an environment identical to the user environment can not be provided. Since there is a similar environment, there is still the possibility that reliable detection of environment-dependent malware is not possible.

  Therefore, an object of the present invention is to provide a system and method for analyzing and detecting malware in the same environment as the user environment, with limited resources.

  In the present invention, in order to solve the above problems, in a malware detection system for analyzing an attached file of an email, a client terminal is addressed, an email including an attached file is received, and a sandbox is received based on the information included in the received email. A mail server that selects the type of environment, sends selection results and attachments for analysis in a sandbox environment, receives the selection results and attachments sent from the mail server, and receives selection Execute the received attachment in a clone sandbox environment built using the environment of the client terminal or a standard sandbox environment built without using the environment of the client terminal according to the result of And a sandbox management apparatus for analyzing the information.

  According to the present invention, it is possible to provide a system and method for analyzing and detecting malware in the same environment as the user environment, with limited resources.

FIG. 1 illustrates an example of a malware detection system. It is a figure which shows the example of the table for analysis determination. It is a figure which shows the example of a terminal management table. It is a figure which shows the example of a sandbox management table. It is a figure which shows the example of the processing flow of sandbox environment selection. It is a figure which shows the example of the processing flow of analysis using the selected sandbox environment.

  Hereinafter, an embodiment of a malware detection system by a sandbox using a clone according to the present invention will be described as an example using the drawings.

  FIG. 1 is a diagram illustrating an example of a sandbox malware detection system using a clone according to one embodiment. As shown in FIG. 1, the malware detection system has a mail server / determination device 111 and a sandbox management device 121, and these devices and the client terminal 101 are connected by a network.

  In the example of FIG. 1, there are a plurality of client terminals 101, and there are one mail server and judgment device 111 and one sandbox management device 121, but the mail server and judgment device 111 and sandbox management device 121. Each of may be plural. Further, the mail server / determination device 111 and the sandbox management device 121 may be one device. Furthermore, the network may be wired or wireless.

  The mail server / determination device 111 has a mail reception unit 114 that executes mail processing, an attached file analysis unit 115, and a mail transmission unit 116, and an analysis determination table 117 in which information is stored and a terminal management And a table 118.

  The mail server / determination device 111 may be a general computer. In this case, there are programs (not shown) corresponding to the processing contents of the mail reception unit 114, the attached file analysis unit 115, and the mail transmission unit 116, and the arithmetic unit 112 executes these programs to perform calculations. An apparatus 112 is a unit.

  The analysis determination table 117 and the terminal management table 118 are stored in the storage device 113 as a DB (Data Base). Here, the computing device 112 may be a central processing unit (CPU), and the storage device 113 may be a memory, a hard disk drive (HDD), or a solid state drive (SSD).

  The mail server / determination device 111 may have hardware other than the arithmetic device 112 and the storage device 113, and may have, for example, a network adapter. Then, a network adapter may be included in part of the mail reception unit 114 and the like.

  The mail reception unit 114 transmits the mail transmitted to the client terminal 101 from the outside of the malware detection system or from the client terminal 101 so that the mail server / determination device 111 becomes the mail server of the client terminal 101. It is received before the terminal 101.

  Note that the mail receiving unit 114 may receive a mail sent from the client terminal 101 to the outside of the malware detection system in order that the mail server / determination device 111 will be the mail server of the client terminal 101.

  The attached file analysis unit 115 analyzes the mail received by the mail reception unit 114, and executes the attached file in either a sandbox environment using a clone or a standard sandbox environment based on the analyzed information. The type of sandbox is selected, and information necessary for execution of attached file such as information of the selected type and attached file is transmitted to the sandbox management apparatus.

  The e-mail transmission unit 116 transmits the analyzed e-mail to the client terminal 101 of the e-mail destination based on the analysis result by the execution in the sandbox environment received from the sandbox management apparatus 121 or does not transmit it. Cut off.

  The analysis determination table 117 is a table that associates information on an attached file with information on a sandbox environment, and the terminal management table 118 is a table of a destination e-mail address and information on a terminal corresponding to the destination e-mail address. These tables are further described using FIGS. 2A and 2B.

  The client terminal 101 is an information terminal used by a user, and is an information device such as a general computer or tablet having an e-mail function for transmitting and receiving e-mail. The client terminal 101 is an information device capable of executing a (program) file, and can execute an attached file of a received mail.

  An individual environment 103 is provided as a file execution environment of the client terminal 101. The individual environment 103 is an environment that may be different for each of the plurality of client terminals 101, and is, for example, setting of a program or library for executing a file or parameters.

  If the table data file contains a macro or embedded program, a spreadsheet program is required to execute it, but the individual environment 103 also includes that such a spreadsheet program is installed. Also, the installed version of such a spreadsheet program is included in the individual environment 103.

  If the platform 102 is a hypervisor for a virtual environment, as described below, the individual environment 103 may be an image file of a virtual machine running on the hypervisor.

  The individual environment 103 is built on the platform 102. The platform 102 may be a hypervisor for a virtual environment, or may be a hardware resource of the client terminal 101. However, it is preferable that the individual environment 103 be a platform 102 that is only a software resource.

  Further, preferably, the platform 102 provides a common interface to the individual environments 103 in a plurality of client terminals 101. If the difference between the client terminal 101 and the sandbox management apparatus 121 can be absorbed other than the platform 102, the platform 102 may be omitted.

  The sandbox management apparatus 121 has a clone environment construction unit 124 and a sandbox management unit 125 that execute processing related to the sandbox, and a clone sandbox environment 131 in which a program or data is stored, a sandbox management table 127, , A standard sandbox environment 126.

  The sandbox management device 121 may be a general computer. In this case, there are programs (not shown) corresponding to the processing contents of the clone environment construction unit 124 and the sandbox management unit 125, respectively, and the arithmetic device 122 executes these programs, whereby the arithmetic device 122 becomes each part.

  In addition, the clone sandbox environment 131, the sandbox management table 127, and the standard sandbox environment 126 are stored in the storage device 123. Here, the computing device 122 may be a CPU, and the storage device 123 may be a memory or an HDD or an SSD.

  The sandbox management device 121 may have hardware other than the computing device 122 and the storage device 123, and may have, for example, a network adapter. Then, a network adapter may be included as part of the sandbox management unit 125 or the like. Also, the platform 132 may have the same hardware as the client terminal 101.

  The sandbox management unit 125 selects either the clone sandbox environment 131 or the standard sandbox environment 126 based on the type of sandbox transmitted from the attached file analysis unit 115 and transferred from the attached file analysis unit 115 Send incoming mail attachments to sandbox environment.

  Here, when the sandbox management unit 125 selects the clone sandbox environment 131, based on the IP address information of the client terminal 101 as the destination of the received mail transferred from the attached file analysis unit 115, the corresponding clone sand Select the box environment 131 and send the attached file.

  The attachment of the attached file from the sandbox management unit 125 to the clone sandbox environment 131 may be sent via the clone environment construction unit 124 or may be sent directly.

  The clone sandbox environment 131 has the same execution environment as the client terminal 101, and the standard sandbox environment 126 has a plurality of execution environments, and each executes the attached file sent from the sandbox management unit 125. Analyze.

  The clone sandbox environment 131 realizes the same execution environment as the client terminal 101 by having the same individual environment 133 as the individual environment 103 of the client terminal 101. The platform 132 of the clone sandbox environment 131 provides an interface in common with the interface to the individual environment 103 of the platform 102 of the client terminal 101.

  Also, the platform 132 may be a hypervisor or may include the same hardware resources as the client terminal 101. However, the platform 132 may not be identical to the platform 102 of the client terminal 101 as long as the interface to the individual environment 133 is common.

  Furthermore, when the platform 102 of the client terminal 101 is fixed, such as when the client terminal 101 is connected to the network, the platform 132 is preferably built in the sandbox management device 121. If the client terminal 101 does not have the platform 102, the platform 132 may not be present.

  When the sandbox management unit 125 receives the information from the attached file analysis unit 115, if the clone sandbox environment 131 has not been constructed, the sandbox management unit 125 sends the clone environment construction unit 124 the terminal of the destination terminal of the received mail. Send IP address information and build a clone sandbox environment 131.

  For this purpose, the clone environment construction unit 124 copies the individual environment 103 from the client terminal 101 based on the IP address information by acquiring it via the network, and constructs the cloned sandbox environment 131 with the copied one as the individual environment 133. Do. Thereby, the same execution environment as the client terminal 101 is realized.

  The standard sandbox environment 126 may be an environment in which only an operating system (OS) is installed, or an environment in which only basic application programs are further installed. In contrast to the construction of the clone sandbox environment 131, the standard sandbox environment 126 may be an environment constructed without using the environment of the client terminal 101 (individual environment 103).

  The sandbox management apparatus 121 may have a plurality of standard sandbox environments 126 of the same environment, and the sandbox management unit 125 may sequentially distribute the attached file to each of the plurality of standard sandbox environments 126.

  The mail server / determination apparatus 111 may be a modification of an existing mail server. In this sense, the mail server / determination apparatus 111 may be referred to as a mail server. The malware detection system may be referred to as a mail system since it is a system that processes mail.

  2A-2C illustrate an example of data used within a malware detection system. The analysis determination table 117 illustrated in FIG. 2A includes an ID 201 which is an identifier, a format 202 of an attached file, and a sandbox type 203 corresponding to the attached file.

  For example, when the ID 201 is "001", the attached file format 202 stores ". Xxx", and the corresponding sandbox type 203 stores "clone sandbox", and when the ID 201 is "002" and "003", the attached file “Standard sandbox” is stored as the sandbox type 203 corresponding to the format 202 “.yyy” and “.zzz”.

  As a result, the analysis determination table 117 is information that allows the sandbox type 203 to be selected based on the attached file format 202. In this example, “. Xxx” of the attached file format 202 is an extension of the file name of the attached file, but the attached file format 202 is an example and may be other information of the attached file.

  In addition, the present invention is not limited to the information of attached file, but it is a sandbox and information other than the attached file format 202 shown in FIG. The type 203 may be associated. Then, the type of sandbox environment may be selected based on the information.

  Information may be stored in advance in the analysis determination table 117, or obtained from information obtained via the network or from an input device (not shown in FIG. 1) while the mail server / determination device 111 is in operation. The stored information may be stored.

  The terminal management table 118 shown in FIG. 2B includes an ID 211 which is an identifier, a mail address 212 which is a mail address of the client terminal 101, and a terminal IP address 213 of the client terminal 101 corresponding to the mail address of the mail address 212. .

  The terminal management table 118 stores information of the client terminal 101 in advance. For example, when the ID 211 is “001”, the terminal IP address 213 of the client terminal 101 whose mail address 212 corresponds to “aaa@example.com” is “192.168.10.1”.

  The sandbox management table 127 shown in FIG. 2C includes an ID 221 which is an identifier, a terminal IP address 222 which is an IP address of the client terminal 101, a sandbox IP address 223 which is an IP address of a corresponding sandbox environment, and a sandbox. It comprises a type 224 and a sandbox environment 225.

  The sandbox management table 127 stores information on the clone sandbox environment 131 and the standard sandbox environment 126. One identifier of the ID 221 is assigned to one sandbox environment, and one IP address of the sandbox IP address 223 is assigned. Therefore, each of the sandbox environments can be identified by the information of the ID 221 or the sandbox IP address 223.

  For example, when the ID 221 is "001", the sandbox IP address 223 of the clone sandbox corresponding to the terminal IP address 222 "192.168.10.1" is "10.10.10.1. “Clone sandbox” corresponds to the sandbox type 224, and the environment 225 is “the same environment” as the client terminal 101 of “192.168.10.1” of the terminal IP address 222.

  Also, when the ID 221 is "003", the sandbox type 224 is "standard sandbox", so there is no client terminal 101 corresponding to "10.10.20.1" of the sandbox IP address 223, so the terminal IP It does not have the information of the address 222.

  And, when the ID 221 is "003", it is information indicating that the environment 225 is installed with "OS Ver 1.0" as the OS, but the information of the environment 225 is an example, and the information of the application as information other than the OS Etc. may be included.

  The information on the clone sandbox environment 131 may not be stored in advance in the sandbox management table 127, and may be stored at the time of construction of the clone environment construction unit 124 according to the received mail. Alternatively, information other than the terminal IP address 222 may be stored in advance, and the IP address of the client terminal 101 to be constructed may be stored in the terminal IP address 222 when the clone environment construction unit 124 constructs it.

  The information on the standard sandbox environment 126 may be stored in advance in the sandbox management table 127, or may be stored when the standard sandbox environment 126 is established.

  FIG. 3A is a diagram showing an example of a processing flow of sandbox environment selection. The processing flow shown in FIG. 3A starts with the mail server / determination apparatus 111 receiving a mail with an attached file addressed to the client terminal 101 from the client terminal 101 or a mail server outside the malware detection system.

  In step 301, the mail receiving unit 114 of the mail server / determination apparatus 111 first receives a mail with an attached file. In step 302, the mail receiving unit 114 sends the received mail to the attached file analysis unit 115. In step 303, the attached file analysis unit 115 acquires attached file information and a destination e-mail address from the received e-mail information.

  In step 304, the attached file analysis unit 115 searches for information in the attached file format 202 that matches the attached file information acquired in step 303, and a sandbox corresponding to the information in the attached file format 202 found by the search Information of type 203 is acquired from the analysis determination table 117.

  Also, in step 304, the attached file analysis unit 115 searches the terminal management table 118 for information of the e-mail address 212 that matches the destination e-mail address acquired in step 303, and corresponds to the information of the e-mail address 212 found by the search. Information of the terminal IP address 213 is acquired from the terminal management table 118.

  By acquiring the information of the sandbox type 203, the attached file analysis unit 115 determines whether the attached file acquired in step 303 is an attached file that depends on the environment.

  In steps 305 and 306, the attached file analysis unit 115 uses the standard sandbox environment 126 (step 305) or the clone sand based on the result of the determination in step 304, ie, the information of the sandbox type 203 acquired from the analysis determination table 117. The box environment 131 (step 306) is selected.

  In the selection of steps 305 and 306, some information indicating the standard sandbox environment 126 or the clone sandbox environment 131 may be set. In addition, in steps 304, 305, and 306, the attached file analysis unit 115 may obtain information such as the sandbox type 203 instead of determination and selection, and may make the information available in step 307 described below.

  In step 307, the attached file analysis unit 115 instructs the sandbox management unit 125 of the sandbox management apparatus 121 about the information on the sandbox environment selected in step 305 or step 306, the information on the terminal IP address 213, and the step 301. Send the attached file of the mail received in.

  By the above processing, the sandbox management apparatus 121 receives the attached file to be analyzed from the mail server / determination apparatus 111. At this time, if the attached file requires a sandbox environment using a clone, such as an attached file depending on the environment, by executing steps 302 to 306, the clone sandbox environment 131 is selected, otherwise Can select a standard sandbox environment 126.

  In this way, the user can use the standard sandbox environment 126 among many client terminals 101 possessed, and if analysis in a more optimal environment is required, the clone sandbox environment is a limited resource. 131 can be used.

  FIG. 3B is a diagram showing an example of the processing flow of analysis using the selected sandbox environment. The processing flow shown in FIG. 3B starts where the sandbox management apparatus 121 receives the information on the selected sandbox environment, the information on the terminal IP address 213, and the attached file from the mail server / determination apparatus 111. I assume.

  In step 311, the sandbox management unit 125 receives the information on the selected sandbox environment, the information on the terminal IP address 213, and the attached file.

  In step 312, if the selected sandbox environment information indicates a clone sandbox environment, the sandbox management unit 125 selects an IP address that matches the information of the terminal IP address 213 received in step 311 in the sandbox management table 127. By searching with the terminal IP address 222, it is determined whether there is a sandbox environment to use.

  That is, when a matching IP address is found by searching the terminal IP address 222, the IP address of the sandbox IP address 223 corresponding to the found IP address is that of the clone sandbox environment 131 to be used. If it is determined that there is a sandbox environment to use, and a matching IP address is not found by the search, it is determined that there is no sandbox environment to use.

  Also, in step 312, if the selected sandbox environment information indicates the standard sandbox environment 126, the sandbox management unit 125 determines that there is a sandbox environment to be used because the standard sandbox environment exists. .

  If it is determined that there is no sandbox environment to be used, in step 313, the sandbox management unit 125 instructs the clone environment construction unit 124 to construct a sandbox environment. The clone environment construction unit 124 acquires a copy of the individual environment 103 from the client terminal 101 based on the information of the terminal IP address 213 received in step 311.

  Then, the clone environment construction unit 124 combines the acquired copy with the platform 132 as the individual environment 133 to construct a clone sandbox environment 131, and registers information on the constructed clone sandbox environment 131 in the sandbox management table 127. .

  The sandbox management unit 125 sends the attached file in step 314 to the clone sandbox environment 131 found by the search in step 312, the clone sandbox environment 131 constructed in step 313, or the standard sandbox environment 126. When a plurality of standard sandbox environments 126 are sent to the standard sandbox environment 126, they may be sent to be distributed to the plurality of standard sandbox environments 126 in order.

  The clone sandbox environment 131 or the standard sandbox environment 126 to which the attached file is sent executes the attached file, and sends the analysis result of the execution to the sandbox management unit 125. Here, the execution and analysis of the attached file are not features of the present embodiment, and thus detailed description will be omitted.

  In step 315, the sandbox management unit 125 transmits the analysis result to the mail transmission unit 116 of the mail server and determination apparatus 111.

  In step 316, the mail transmission unit 116 determines whether or not there is malicious behavior in the received analysis result, and when it is determined that malicious behavior is present, in step 318, transmission of the email is blocked and malicious If it is determined that there is no behavior, an e-mail is sent to the destination client terminal 101 at step 317.

  For this purpose, the sandbox environment itself that executed the attached file, or the sandbox management unit 125 detects malicious behavior and includes the content of the detection in the analysis result, and the mail transmission unit 116 is included in the analysis result The content of the detection may be determined in step 316.

  Alternatively, the sandbox environment itself analyzes the information of the behavior itself by the execution of the attached file as an analysis result, the sandbox management unit 125 simply transfers the analysis result, and the mail transmission unit 116 determines the maliciousness from the information of the behavior included in the analysis result. It may be determined at step 316 by detecting a certain behavior.

  By the above processing, the sandbox management apparatus 121 can execute and analyze the attached file of the received mail in the clone sandbox environment 131 having the same individual environment 133 as the individual environment 103 of the client terminal 101 of the destination of the received mail. .

  This makes it possible to detect the malware in the same environment as the real environment, if the attached file may contain malware that exhibits malicious behavior. And the threat of the malware to the client terminal 101 can be prevented.

  In addition, when resources of the sandbox management apparatus 121 can not be secured sufficiently for a large number of client terminals 101, an attached file not necessary up to the clone sandbox environment 131 may be executed and analyzed in the standard sandbox environment 126. As this becomes possible, it is possible to suppress missing of malware due to lack of resources.

  The clone sandbox environment 131 may be deleted in order to suppress an increase in unnecessary resources of the sandbox management apparatus 121 or to cope with changes in the individual environment 103 of the client terminal 101.

  For example, in step 315 shown in FIG. 3B, the sandbox management unit 125 deletes the clone sandbox environment 131 used to execute step 314 and deletes the deleted clone sandbox environment 131 in the sandbox management table 127. You may delete information about

  Such deletion at step 315 has an effect of matching the individual environment 103 of the client terminal 101 with the individual environment 133 of the clone sandbox environment 131 particularly when the individual environment 103 of the client terminal 101 is frequently changed.

  In addition, the sandbox management unit 125 may delete the clone sandbox environment 131 and the information thereof at a preset time, for example, on a daily basis (everyday at a preset time). Alternatively, the sandbox management unit 125 may delete the clone sandbox environment 131 and its information for which a preset time has elapsed since construction.

  In addition, the clone sandbox environment 131 and the information of which the number of times of execution of the attached file is less than the predetermined number of times at the preset time or the number of times of change of the individual environment 103 of the client terminal 101 exceeds the predetermined number. The sandbox management unit 125 may be deleted.

  Furthermore, when the individual environment 103 of the client terminal 101 is changed, the sandbox management unit 125 receives the notification of the change, and the sandbox management unit 125 has a clone sandbox environment 131 having the individual environment 133 which is a copy of the changed individual environment 103. And that information may be deleted.

  By deleting the clone sandbox environment 131 as described above, it is possible to reduce the resource consumption of the sandbox management apparatus 121 and leave room for constructing a new clone sandbox environment 131.

101: client terminal, 103: individual environment, 111: mail server and judgment device, 115: attached file analysis unit, 117: analysis judgment table, 121: sandbox management device, 124: clone environment construction unit, 126: standard Sandbox Environment, 131: Clone Sandbox Environment, 133: Individual Environment

Claims (15)

In a malware detection system that analyzes email attachments,
Address the client terminal and receive the mail including the attached file,
Select the type of sandbox environment based on the information contained in the received email,
A mail server that sends selection results and attachments for analysis in a sandbox environment,
Receive the result of the selection and the attached file sent from the mail server,
In the clone sandbox environment constructed using the environment of the client terminal or the standard sandbox environment constructed without using the environment of the client terminal according to the received selection result A sandbox management device that analyzes by executing
Malware detection system characterized by having. In the malware detection system according to claim 1,
The mail server is
A malware detection system comprising selecting a type of sandbox environment based on an extension of a file name of an attached file included in an incoming mail. In the malware detection system according to claim 1,
The mail server is
A malware detection system characterized by selecting a type of sandbox environment based on information of a header of an incoming mail. In the malware detection system according to claim 2,
The mail server is
Send the result of the selection, the attached file, and the information of the destination of the received mail to the sandbox management device for analysis in a sandbox environment,
The sandbox management device
Have multiple clone sandbox environments,
Receiving the result of the selection sent from the mail server, the attached file, and the information on the destination of the received mail,
If the received selection result is a clone sandbox environment, a clone sandbox environment corresponding to the received mail destination information is searched from among a plurality of clone sandbox environments, and the clone sandbox environment found by the search And a malware detection system characterized by analyzing the received attached file by executing it. In the malware detection system according to claim 4,
The sandbox management device
If the received selection result is a clone sandbox environment, a clone sandbox environment corresponding to received mail destination information is searched from among a plurality of clone sandbox environments, and if the search is not found, it is received A malware detection system characterized by constructing a clone sandbox environment using the environment of the client terminal to which an incoming mail is addressed, and executing the received attached file in the constructed clone sandbox environment. In the malware detection system according to claim 5,
The sandbox management device
A malware detection system, comprising: copying an environment of the client terminal to which a received email is received; and constructing a clone sandbox environment including the copied environment. In the malware detection system according to claim 6,
The sandbox management device
Have multiple standard sandbox environments,
A malware detection system characterized in that, when the received result of selection is a standard sandbox environment, analysis is performed by executing the received attached file in a standard sandbox environment sequentially selected from a plurality of standard sandboxes. . In the malware detection system according to claim 7,
The sandbox management device
A malware detection system characterized by deleting the constructed clone sandbox environment after analyzing it by executing the received attached file in the constructed clone sandbox environment. In the malware detection system according to claim 8,
The sandbox management device
What is claimed is: 1. A malware detection system characterized by deleting a constructed clone sandbox environment when a preset time elapses from construction after analysis by executing the received attached file in the constructed clone sandbox environment. In the malware detection system according to claim 7,
The sandbox management device
Send the result of analysis to the mail server,
The mail server is
Malware that receives the analysis result sent from the sandbox management device, and sends the received e-mail to the client terminal or blocks transmission to the client terminal according to the received analysis result. Detection system. In the mail system's malware detection method for analyzing mail attachments,
The mail system is
Address the client terminal and receive the mail including the attached file,
Select the type of sandbox environment based on the information contained in the received email,
By executing the attached file in a clone sandbox environment built using the environment of the client terminal or a standard sandbox environment built without using the environment of the client terminal according to the result of selection A malware detection method characterized by analyzing. In the malware detection method according to claim 11,
The mail system is
A malware detection method comprising selecting a type of sandbox environment based on an extension of a file name of an attached file included in an incoming mail. In the malware detection method according to claim 12,
The mail system is
If the selection result is a clone sandbox environment, a clone sandbox environment corresponding to the information on the destination of the received mail is searched from among a plurality of clone sandbox environments, and in the clone sandbox environment found by the search, an attached file A malware detection method characterized by analyzing by executing. In the malware detection method according to claim 13,
The mail system is
If the selection result is a clone sandbox environment, a clone sandbox environment corresponding to the information on the destination of the received mail is searched from among a plurality of clone sandbox environments, and if it is not found by the search, the above mentioned destination of the received mail A malware detection method comprising: copying a client terminal environment; constructing a clone sandbox environment including the copied environment; and analyzing the executed execution of the attached file in the constructed clone sandbox environment. In the malware detection method according to claim 14,
The mail system is
A malware detection method comprising: transmitting a received e-mail to the client terminal or blocking transmission to the client terminal according to a result of analysis.

Images