JP6254414B2 - Information processing apparatus, information processing system, and information processing method - Google Patents

Description

  The present invention relates to information processing for controlling whether or not a program can be started.

  In recent years, as a new form of cyber attack on companies, there has been an increasing number of methods called targeted attacks that target computers that are used or owned by specific employees in the company, infect them with malware, and steal information within the company. Yes.

  Conventional anti-virus software uses a virus definition file based on a black list method. However, the number of types of malware, including computer viruses, is increasing in the thousands. For this reason, virus definition software updates cannot keep up with the rapid increase in malware, and it is difficult to deal with targeted attacks using conventional antivirus software.

  On the other hand, there is a countermeasure against a target-type attack using a so-called white list type control method that permits execution of a known program and restricts execution of other programs (for example, Patent Document 1). When updating a computer program using a white list type control method, the update updater may be registered in the white list.

  However, the updater usually generates a plurality of different executable files. Therefore, even if the updater is registered in the white list, the execution file generated by the updater is not registered in the white list. As a result, even if the executable file generated by the updater is installed in the computer and the update is completed, the executable file cannot be started, and the updated program may not operate normally.

  Conventionally, a system administrator or the like has performed an operation of extracting an executable file generated by the updater and registering the executable file in a white list. According to this method, it is necessary not only to determine whether the updater is reliable, but also to perform an operation with a large burden of extracting the executable file and updating the white list.

JP 2009-259160

  An object of the present invention is to reduce the work for updating a list when a list-type control method is used.

  The present invention has the following configuration as one means for achieving the above object.

An information processing apparatus according to the present invention is a list of detection means for detecting program startup and program generation or change, or program search, identification means for identifying a program, and a program that is permitted to be executed. A registration unit that registers a program in one of a white list and a black list that is a list of programs that are prohibited from being executed, and the identification unit includes the program whose activation is detected by the detection unit or the Based on the program information of the program detected by the search of the detection means, it is determined whether or not the program satisfies a predetermined criterion regarding the program information, and the registration means determines the program determined to satisfy the predetermined criterion registered in the list of the one, the registration means, the predetermined reference In order to give a promotion authority to a program determined to satisfy, the correspondence between the program and the promotion authority is registered in the one list, and the generation of a child program by the program to which the promotion authority is given by the detection means or When a change is detected, the registration means registers the child program in the one list .

  According to the present invention, it is possible to reduce work for updating a list when a list-type control method is used.

The block which shows the structural example of a white list control system. The block diagram which shows the structural example of the white list control system in which a server does not exist. The figure which shows an example of a white list. The figure which shows an example of the white list master which exists in a server. The flowchart explaining an example of a white list control process. The flowchart explaining an example of a white list control process when an installer is started. The flowchart explaining the update process of the white list | wrist triggered by program starting. The flowchart explaining the update process of the white list | wrist which makes a program search a trigger.

  Hereinafter, information processing of an information processing system according to an embodiment of the present invention will be described in detail with reference to the drawings.

[System configuration]
An example of the configuration of the whitelist control system is shown by the blocks in FIG. The white list control system includes an information processing device and a server device that manages the information processing device.

  In FIG. 1, a client computer (hereinafter referred to as a client) 10 is an information processing apparatus in a white list control system. The client 10 is, for example, a personal computer (PC) installed in a company, school, government agency, home, or the like, or a computer device such as a tablet terminal or a smartphone used or owned by an individual.

  A server computer (hereinafter referred to as a server) 20 is a server device that manages an information processing device in the whitelist control system. The server 20 acquires the information of the white list 120 from a plurality of clients 10 and creates a database, or periodically transmits white list data to the client 10 to update the white list 120.

  The network 300 is a computer network such as the Internet or an intranet. The client 10 is connected to the server 20, a web server, an FTP server, etc. (not shown) via the network 300.

  For simplification, FIG. 1 shows one client 10 and one server 20, but in reality, a plurality of clients and a plurality of servers can exist in the whitelist control system.

Client In the client 10, the computing device 10C is a microprocessor (CPU). The arithmetic device 10C starts the operating system (OS) stored in the storage device 10B according to a boot program such as BIOS stored in the ROM of the memory 10E, and further executes various resident programs (such as the control program 113) according to the OS. to start. At that time, the arithmetic device 10C uses the RAM of the memory 10E as a work area. The OS is, for example, Windows (registered trademark), Mac OS (registered trademark), Linux (registered trademark), iOS (trademark), Android (trademark), or the like.

  The storage device 10B is a hard disk drive (HDD), a solid state drive (SSD), or the like, and stores various programs 100 and data 101 running on the client 10 in addition to the OS. As will be described in detail later, various programs 100 stored in the storage device 10B include an identification program 110, a registration program 111, a detection program 112, a control program 113, a file search tool 114, and the like.

  Note that the program 100 may include a plurality of programs for various functions such as the identification program 110, or may be a single program having various functions. Although details will be described later, the various data 101 stored in the storage device 10B includes a white list 120, a promotion standard rule 130, a black list 140, and the like.

  The I / O device 10A is an input / output interface (I / F) for connecting to a pointing device (such as a mouse) or a keyboard, or a display incorporating a touch panel. The keyboard may be a software keyboard. In addition, the I / O device 10A may be a voice input unit including a microphone or the like that recognizes the input operator's voice using a voice recognition function and transmits the recognized voice to the arithmetic device 10C. The I / O device 10A also functions as a user interface (UI) for displaying information.

  The network I / F 10D is an interface with the network 300, and is a communication circuit for communicating with other computers. The arithmetic device 10C receives information such as partial data of the white list 120 from the server 20 via the network I / F 10D, and transmits various types of information to the server 20.

Server In the server 20, the computing device 20C is a microprocessor (CPU). The computing device 20C activates the OS stored in the storage device 20B in accordance with a boot program such as BIOS stored in the ROM of the memory 20E. Further, the arithmetic device 20C loads the management console 210 from the storage device 20B into the RAM of the memory 20E. Then, information (for example, information on the white list 120) is acquired from a plurality of clients 10 and stored in a database, or conversely, information is transmitted to the clients 10 to update the white list 120 or the like.

  The storage device 20B is an HDD, an SSD, or the like, and stores various programs 200 and data 201 including a management console 210 operating on the server 20 in addition to the OS. Although details will be described later, the various data 201 stored in the storage device 10B includes a white list master 220, a promotion reference rule 230, a black list master 240, a white list candidate 250, and the like.

  The I / O device 20A is an interface (I / F) for connecting to a pointing device (such as a mouse), a keyboard, and a monitor, and the monitor functions as a UI for displaying information. The network I / F 20D is an interface with the network 300, and is a communication circuit for communicating with other computers such as the client 10.

  The arithmetic device 20C receives information on the white list 120 and the black list 140 from the plurality of clients 10 via the network I / F 20D, and manages the white list master 220 and the black list master 250 based on the received information. .

  In the white list control system, the server 20 is not an essential component. The block diagram of FIG. 2 shows a configuration example of a white list control system in which the server 20 does not exist. In the configuration of FIG. 2, since communication between the client 10 and the server 20 is not necessary, the network 300 and the network I / F 10D are also optional.

  The white list control system may be configured using a thin client (for example, a terminal service). A thin client is a system that allows a client to remotely connect to a server and execute an application program on the server using a virtual desktop environment generated on the server.

[Programs and data]
The identification program 110 is executed by the arithmetic device 10C and acquires information (hereinafter referred to as program information) such as a file name (program name), hash value, version information, file size, file path, and digital signature from a separately started program. To do. And it has the identification function which identifies the said program based on the acquired program information. Further, the identification program 110 refers to the acquired program information and a promotion standard rule 130 described later, and determines whether or not the program satisfies the promotion standard.

  The white list 120 is a list of information on programs that may be executed. As information constituting the white list 120, program information acquired by the identification program 110 is used.

  An example of the white list 120 is shown in FIG. The white list 120 holds four types of information for each program: a program name, a hash value, version information, a file size, and a promotion authority flag described later. Note that FIG. 3 is an example, and the type and number of information held as the white list 120 is not limited to FIG.

  The white list master 220 is a list of a plurality of white lists 120. An example of the white list master 220 existing in the server 20 is shown in FIG. The white list master 220 holds information related to the white list 120 of a plurality of clients in association with the names and codes of the clients. The example of FIG. 4 shows an example in which the process name, hash value, registration date / time, and last activation date / time of a plurality of programs are held as the white list 003 corresponding to the client PC 003. Note that FIG. 4 is an example, and the type and number of information held as the white list master 220 is not limited to FIG.

  The detection program 112 is executed by the arithmetic device 10C, and has a monitoring function for monitoring program activation, generation of another program by the activated program, and a detection function for detecting them.

  The registration program 111 has a registration function for registering the program in the white list 120 based on the program information acquired by the identification program 110 of the program executed by the arithmetic device 10C and detected by the detection program 112 to be activated or generated. .

  The control program 113 is executed by the arithmetic device 10C, and has a control function of whether or not to enable or disable (block) the start of the program to be started on the client 10.

  The promotion standard rule 130 is a rule for determining whether a program or file is issued by a reliable issuer. The promotion standard rule 130 is a rule defined by an administrator or a user based on program information. Rules include, for example, digital signatures attached to programs and files, verification of whether a digital certificate is valid, determination of whether or not a file signer name is a pre-stored name, For example, whether or not it is satisfied.

  Further, the type and number of rules applied as the promotion standard rule 130 are not limited to the above specific examples. For example, a plurality of combinations of rules such as “a digital signature or a digital certificate is valid and a file name includes characters“ Setup ”or“ Update ”” can be applied. In this case, when “malware that generates malware by exploiting the vulnerability of the image viewer (Viewer.exe)” operates, even if the digital signature of the image viewer is valid, the character string is not included in the file name. As a result, an effect of preventing an attack that exploits the vulnerability of the image viewer can be obtained.

  The black list 140 is a list of programs that are prohibited from starting and executing. The data structure of the black list 140 is substantially the same as the white list 120 shown in FIG. Further, the black list 140 is not essential and may not exist on the client 10, and when the black list 140 is not used, the black list master 240 of the server 20 is not essential.

[White list control processing]
Processing Overview The detection program 112 detects the activation of the program in the client 10 using a global hook (API hook, filter driver) or the like, and calls the identification program 110 when the activation of the program is detected. The identification program 110 acquires the program information of the program to be started and verifies whether or not the program satisfies the promotion standard rule 130.

  As a result of the verification, when it is determined that the program satisfies the promotion standard rule 130, the control program 113 permits the program to be activated and calls the registration program 111. The registration program 111 receives the program information of the program from the identification program 110 and registers the program in the white list 120.

  Even if the activated program satisfies the promotion standard rule 130, if the program is registered in the black list 140, the control program 113 does not cause the registration program 111 to register the program. That is, the prohibition of starting and executing the program is maintained.

  Next, the registration program 111 gives “elevation authority” to the program registered in the white list 120. The presence / absence of the promotion authority is set in the promotion authority flag of the white list 120, for example. Alternatively, a table corresponding to the white list 120 may be stored in the storage device 10B, and the presence or absence of the promotion authority may be registered in each record of the table. The promotion authority is an authority defined as follows.

  When a program having a promotion authority (parent program) generates some program (child program), the child program is unconditionally registered in the white list 120. When the parent program activates the child program, the child program is also given promotion authority. When the configuration shown in FIG. 1 performs the registration process related to the promotion authority, the following process is performed.

  The detection program 112 monitors the behavior of the parent program using a global hook or the like. When detecting the generation of the child program by the parent program, the detection program 112 causes the identification program 110 to acquire the program information of the child program. The identification program 110 passes the acquired program information to the registration program 111. The registration program 111 creates record data to be added to the white list 120 based on the received program information, and adds the created data to the white list 120.

  At this time, it is possible to adopt the following method. In other words, when detecting the generation of the child program, the detection program 112 analyzes the generated file and determines whether or not information related to the generated file needs to be registered in the white list. When it is determined that registration is not necessary, the subsequent processing is terminated without acquiring the program information by the identification program 110. The case where it is determined that the registration is unnecessary is, for example, the case where the binary header of the generated file is analyzed and the configuration is not PE (Portable Executable) format and it can be determined that the file is not an executable file.

  Next, the detection program 112 monitors the start of the child program by the parent program. When the detection program 112 detects the start of the child program by the parent program, the detection program 112 calls the registration program 111. The called registration program 111 sets “Yes” in the promotion authority flag of the child program. In addition, the control program 113 allows the child program to be activated.

  If the promotion authority is used, a program generated by a program having a behavior of generating a child program such as a software security patch can be automatically added to the white list 120. In other words, it is possible to reduce the work involved in updating the white list for registering the generated child program in the white list 120.

  Note that the processing related to the promotion authority is not limited to the case where the child program is generated from the parent program, but can be performed even when the parent program is changed (for example, renamed) or the child program is changed.

  Further, “determining whether a valid digital signature is added to the program” is applied to the promotion standard rule 130. By doing so, it is possible to determine that the program is issued by a reliable publisher and is not a malicious program such as malware without the operator's awareness. Note that whether or not a valid digital signature is added includes, for example, a method using a Windows (registered trademark) application programming interface (API) or the like.

  When it is determined that the program does not satisfy the promotion standard rule 130, the control program 113 performs general white list control. That is, when the identification program 110 determines that the program does not satisfy the promotion standard rule 130, the identification program 110 determines whether or not the program is registered in the white list 120. When it is determined that the program is registered in the white list 120, the control program 113 determines whether or not the program has the promotion authority and permits the program to be activated. If it is determined that the program is not registered in the white list 120, the activation of the program is blocked using a global hook or the like.

  Further, the identification program 110 determines whether or not a program to be activated is registered in the black list 140. If the program is registered in the black list 140, the program can be prevented from starting, and if the program is not registered in the black list 140, the program can be started.

  In the following description, a state where a program or the like is registered in the white list 120 or the black list 140 may be expressed as “present in the list”, and a state where the program is not registered may be expressed as “not present in the list”.

Details of Processing An example of white list control processing will be described with reference to the flowchart of FIG.

  The detection program 112 monitors the activation of the program (S201), and when the activation of the program is detected, the process proceeds to step S202.

  When activation of the program is detected, the identification program 110 acquires program information of the program (S202), and determines whether the program exists in the black list 140 (S203). If it is determined that the program exists in the black list 140, the control program 113 prevents the program from starting (S204), and returns the process to step S201.

  If the program does not exist in the black list 140, the identification program 110 determines whether the program satisfies the promotion standard rule 130 (S205). If the program does not satisfy the promotion criteria rule 130, the identification program 110 determines whether the program exists in the white list 120 (S206).

  When it is determined that the program exists in the white list 120, the identification program 110 determines whether or not the program has a promotion authority (S206B). If it is determined that the user has the promotion authority, the control program 113 permits the program to be activated (S210).

  If it is determined that there is no promotion authority, the control program 113 permits the program to be activated (S207), and the process returns to step S201. If it is determined that the program does not exist in the white list 120, the control program 113 prevents the program from starting (S204), and returns the process to step S201.

  On the other hand, when it is determined that the program satisfies the promotion standard rule 130, the control program 113 passes the program information of the program to the registration program 111. As a result, the registration program 111 registers the program (parent program) in the white list 120 (S208), and sets “Yes” in the promotion authority flag (S209). Subsequently, the control program 113 permits the start of the parent program (S210).

  Next, the detection program 112 monitors the generation of the child program by the parent program to which the promotion authority is granted (S211). If the parent program generates a child program, the detection program 112 proceeds to step S212. If the parent program does not generate a child program, the detection program 112 returns the process to step S201.

  In step S211, the detection program 112 may monitor not only the generation of the child program but also a change (for example, rename) to the child program or the parent program. When a change in the parent program is detected, the same processing as the child program is performed on the program (parent program).

  When the generation of the child program is detected, the identification program 110 acquires the program information of the child program (S212), and passes the acquired program information to the registration program 111. As a result, the registration program 111 registers the child program in the white list 120 (S213).

  Subsequently, the detection program 112 monitors whether or not the parent program to which the promotion authority is granted starts the child program (S214). If the parent program starts the child program, the detection program 112 proceeds to step S215. If the parent program does not start the child program, the detection program 112 returns the process to step S201.

  When activation of the child program by the parent program is detected, the identification program 110 determines whether or not the child program exists in the black list 140 (S215). When it is determined that the child program exists in the black list 140, the control program 113 prevents the child program from starting (S216). Then, the registration program 111 deletes the registration of the child program from the white list 120 (S217), and returns the process to step S201.

  On the other hand, if it is determined that the child program does not exist in the blacklist 140, the process returns to step S209. Therefore, “Yes” is set in the promotion authority flag of the child program (S209), the activation of the child program is permitted (S210), and the generation of the grandchild program by the child program granted the promotion authority is monitored (S211). . When the child program generates the grandchild program, the grandchild program is registered in the white list 120, and when the child program to which the promotion right is granted starts the grandchild program, the process of giving the grandchild program the promotion right (S209 to S215) is recursively Repeated.

  If the black list 140 does not exist, the identification program 110 passes through the determination in step S215. In this case, “Yes” is set in the promotion authority flag of the child program started by the parent program and the grandchild program started by the child program (S209), and the child program is permitted to start (S210).

  When registering a parent program / descendant program in the white list 120, it is determined whether or not the program is registered in the white list 120. If it is determined that the program is not registered, the program is registered in the white list 120. May be. In the case of registration in the white list 120, the process proceeds to the next process without performing registration. By determining whether or not it is registered in the white list 120, it is possible to prevent duplicate registration of programs.

  Hereinafter, programs after the second generation, such as child programs and grandchild programs generated based on the first generation parent program, will be referred to as “descendant programs”.

Correspondence to Installer In step S201, the detection program 112 determines whether the program to be started is an installer program (for example, msiexec.exe in Windows (registered trademark)) stored in advance in the storage device 10B by comparison with the list. Determine whether. When it is determined that the installer program (hereinafter referred to as an installer) is activated, the operation of the installer is different from the operation of other programs, and therefore, the processing after step S202 is switched.

  When an operator instructs execution of an installer package file (such as an msi file, msp file, or msu file), the installer is activated, and the installer expands a file stored in the installer package file (hereinafter referred to as a package). Therefore, the determination based on the promotion standard rule 130 needs to be performed on the package, not the installer, and the process shown in FIG. 5 cannot be directly applied.

  An example of the white list control process when the installer is activated will be described with reference to the flowchart of FIG.

  The identification program 110 acquires the file information of the package (S221), and determines whether the package exists in the black list 140 (S222). If it is determined that the package exists in the blacklist 140, the control program 113 prevents the installer from being activated (S223), and returns the process to step S201. If the black list 140 does not exist, the identification program 110 passes through the determination in step S222.

  If the package does not exist in the blacklist 140, the identification program 110 determines whether the package satisfies the promotion standard rule 130 (S224). If the package does not satisfy the promotion criteria rule 130, the identification program 110 determines whether the package exists in the white list 120 (S225). If it is determined that the package exists in the white list 120, the control program 113 sets the installer's promotion authority flag to “present” (S209), and permits the installer to start (S210). If it is determined that the package does not exist in the white list 120, the activation of the installer is blocked (S223), and the process returns to step S201.

  On the other hand, the processing when the package satisfies the promotion standard rule 130 is the same as steps S209 to S217 shown in FIG. 5, and “Yes” is set in the promotion privilege flag of the installer (S209), and the activation of the installer is permitted. (S210). The program extracted from the package by the installer is handled in the same way as the child program generated by the parent program (in this case, the installer). In other words, the program extracted from the package is registered in the white list 120 as a descendant program, and when the descendant program starts the next generation program, the process of giving promotion authority to the started program (S209 to S215) is recursively performed. Repeated.

  In step S211, if an installer package is generated not by the parent program but by the program (parent program), the process of FIG. 6 can be applied to the package file. is there.

[When inheriting / granting promotion rights to other than the child program generated by the parent program]
When the child program generated from the parent program having the promotion authority is started by the parent program, the promotion authority is inherited. However, the promotion authority may be inherited or granted in the following cases.

● Pattern 1
In FIG. 5, consider a case where a plurality of descendant programs are generated from the same parent program. At this time, some descendant programs inherit the promotion authority from the parent program, and if the descendant program that inherits the promotion authority starts another descendant program, the promotion authority may be inherited.

  For example, the update operation of Windows (registered trademark) includes the above operation. By implementing the pattern 1 technique, it is possible to update Windows (registered trademark) without blocking it.

  When pattern 1 is performed, a determination is made in step S214 shown in FIG. 5 as to whether the descendant program is started by the parent program or a program generated from the same parent program and inheriting the promotion authority from the parent program. Is done.

● Pattern 2
In FIG. 6, a case where the installer is started from another program is considered. At this time, if the program having the promotion authority starts the installer, the installer may inherit the promotion authority.

  Some commercially available software launches an installer during installation. By implementing the method of Pattern 2, such software installation can be performed without blocking.

● Pattern 3
In FIG. 5, a case is considered in which a program that does not have promotion authority is started as a child program generated from a program having promotion authority. At this time, two types of program groups, “generated program group” and “start program group”, are defined in advance. Further, it is possible to perform a process of giving a promotion authority to a program generated from a program belonging to the generation program group and started from a program belonging to the startup program group.

  Some commercially available software performs the above operation during installation. By implementing the pattern 3 approach, it is possible to install such software without blocking it.

[Create whitelist]
To operate the white list control system, it is necessary to create a white list 120 suitable for the operating environment.

● Processing triggered by program activation In FIGS. 5 and 6, when the program or package does not satisfy the promotion standard rule 130 and does not exist in the white list 120 (NO in S206 or S225), the control program 113 is a program. It was explained that the activation of the system is blocked (S204 and S223). However, when such a program or package (hereinafter, unregistered program) is detected, it is possible to attempt to update the white list 120.

  The update process of the white list 120 triggered by program activation will be described with reference to the flowchart of FIG.

  When the unregistered program is detected (S301), the registered program 111 transmits the program information (hereinafter, unregistered information) of the unregistered program passed from the identification program 110 to the server 20 (S302). Then, the process returns to step S301.

  Note that unregistered information may be transmitted to the server 20 in a predetermined cycle without transmitting unregistered information immediately after detection of an unregistered program. For example, the registration program 111 temporarily stores unregistered information in a predetermined area of the storage device 10B or the memory 10E, for example. Then, it is determined whether or not there is unregistered information stored in a predetermined cycle (for example, every five minutes or every hour), and when the unregistered information is stored, the information is transmitted to the server 20. .

  When receiving the unregistered information from the client 10 (S311), the management console 210 of the server 20 determines whether information matching the received unregistered information exists in the whitelist candidate 250 (S312). If information matching the received unregistered information exists in the white list candidate 250, the process returns to step S311.

  On the other hand, when the information matching the received unregistered information does not exist in the white list candidate 250, the management console 210 adds the received unregistered information to the white list candidate 250 (S313). Then, the unregistered information added to the white list candidate 250 is presented to the operator of the server 20 by e-mail or an alert window, for example (S314).

  The operator refers to the presented information, determines whether or not to register the unregistered program in the white list, and inputs an instruction according to the determination result to the management console 210. The management console 210 determines whether or not the operator's instruction indicates registration of the program (S315). If the operator instruction indicates registration, the program is registered in the whitelist master 220 (S316), and “registered” is recorded in the record of the program of the whitelist candidate 250 (S317). If the operator's instruction indicates non-registration, “non-registration” is recorded in the record of the program of the white list candidate 250 without registering the program in the white list master 220 (S318). Then, the process returns to step S311.

  The management console 210 transmits the data of the white list master 220 to the client 10 periodically (for example, every hour or every other day). As a result, the white list 120 of the client 10 is updated.

Processing with Program Search as Trigger In the above, processing for adding a program to whitelist candidate 250 using program activation as a trigger has been described. However, for example, a program can be searched using an OS standard file search tool or the like, and the detected program can be registered as the white list candidate 250. In this way, all the programs stored in the storage device 10B of the client 10 can be added to the white list candidate 250.

  The white list update process triggered by program search will be described with reference to the flowchart of FIG.

  In response to an instruction from the operator of the client 10 (or the server 20), the file search tool 114 is activated, and a file search is executed based on the specified search condition (S401). When adding a program to the white list candidate 250, all the programs stored in the storage device 10B are searched, and the identification program 110 receives the search result (S402).

  Receiving the search result, the identification program 110 acquires program information of the detected program (S403). Then, an unregistered program that does not satisfy the promotion standard rule 130 and does not exist in the white list 120 is extracted from the detected programs (S404). When the unregistered program is extracted (S405), the registered program 111 transmits program information of the unregistered program to the server 20 (S406).

  The processing of the management console 210 is similar to the processing (S311 to S318 in FIG. 7) when the program activation is used as a trigger, and detailed description thereof is omitted.

  In the above description, an example in which a program that is not registered in the white list 120 is registered in the white list 120 has been described, but the same processing is performed when a package that is not registered in the white list 120 is registered in the white list 120.

  Further, in the case where the server 20 shown in FIG. 2 does not exist, it goes without saying that the processing (S311 to S318) of the management console 210 shown in FIG.

[Modification]
In the above, as an example of the client 10, a PC, a tablet terminal, and a smartphone are given as examples. However, the above processing can be applied using a terminal (eg, a network scanner) that does not have a pointing device or a terminal (eg, an embedded terminal) that does not have a display as a client.

  As described above, when the white list type control method is used, it is possible to reduce the work for updating the white list. Therefore, the burden of extracting an execution file and updating the white list, such as a system administrator, is reduced. Further, the determination using the promotion criterion rule 130 also reduces the operation of determining whether the updater is reliable.

  In the above description, the white list control system using the white list has been described. However, the present invention is not limited to the white list, and the above processing can be applied to a black list control system using the black list.

[Other Examples]
The present invention can also be realized by executing the following processing. That is, software (program) that realizes the functions of the above-described embodiments is supplied to a system or apparatus via a network or various recording media, and a computer (or CPU, MPU, etc.) of the system or apparatus reads the program. It is a process to be executed.

Claims (16)

Detection means for detecting program activation and program generation or change, or program search;
An identification means for identifying the program;
Listing a is whitelist execution is allowed programs, and execution and a registration means for registering a program in one list of the list in a black list of prohibited programs,
The identification unit determines whether the program satisfies a predetermined criterion related to the program information based on the program information of the program detected by the detection unit or the program detected by the search of the detection unit,
The registration means registers a program determined to satisfy the predetermined criterion in the one list ,
The registration means registers the correspondence between the program and the promotion authority in the one list in order to give the promotion authority to the program determined to satisfy the predetermined criterion,
When the detection unit detects the generation or change of a child program by the program to which the promotion authority is granted, the registration unit registers the child program in the one list . The identification means determines whether the detected or detected program is registered in the other list of the white list and the black list;
The information processing apparatus according to claim 1 , wherein the registration unit grants the promotion authority to the detected or detected program that is determined not to be registered in the other list . The registration unit recursively registers the next generation program in the one list when the detection unit detects the generation or change of the next generation program by the program granted the promotion authority. The information processing apparatus according to claim 1 , wherein the information processing apparatus repeats automatically. The registration means grants the promotion authority to the next generation program when activation of the next generation program by the program to which the promotion authority is granted is detected by the detection means. The information processing apparatus according to claim 3 . When activation of another next generation program by the next generation program to which the promotion authority is granted by the detection means is detected, the registration means sends the promotion authority to the other next generation program. The information processing apparatus according to claim 3 , wherein: If starting the installer by the sensing means and the elevation privileges granted programmed by is detected, said registration means, information processing according to claim 1, characterized by applying the elevated privileges to the installer apparatus. The registration means gives the promotion authority to a program that is generated from a program that belongs to a pre-stored generation program group and that is started from a program that belongs to a pre-stored startup program group. The information processing apparatus according to Item 1 . When the generation unit detects the generation or change of the next generation program by the program to which the promotion authority is given by the detection unit, the identification unit detects the next generation program based on the program information of the next generation program. Determine whether the program is registered in the other list ;
The information processing apparatus according to claim 2 , wherein the registration unit grants the promotion authority to a next generation program that is determined not to be registered in the other list . It said registration means, is an information processing apparatus according to claim 8, characterized in that deletes the registration of the other lists the following is determined to be registered in the generation of a program from the list of the one. If the startup of the next generation of the program by the program the elevated privilege was granted by the detection means is detected, said identification means, based on the program information of programs that the activation is detected, the program, the other determination of whether or not it is registered in the list, or, it is determined whether the registered one list,
It said registering means, the other is registered in the list is not determined to be a program, or programs that has been determined with the not registered in one list, performs processing for registering a list of the one The information processing device according to claim 2 , wherein the information processing device is an information processing device. Further, by an information processing apparatus according to any one of claims 1 to 10, characterized in that it comprises a control means for permitting or preventing the activation of the program based on the list of the one. And an information processing apparatus according to any one of claims 1 to 11, characterized in that it contains a digital signature in the program information. Detection means for program activation and program generation or change detection, or program search, identification means for identifying a program, white list that is a list of programs that are allowed to be executed, and programs that are prohibited from being executed An information processing method for an information processing apparatus having registration means for registering a program in one list of black lists as a list ,
The identification unit determines whether the program satisfies a predetermined criterion related to the program information based on the program information of the program detected by the detection unit or the program detected by the search of the detection unit,
The registration means registers the program determined to satisfy the predetermined criterion in the one list ,
The registration means registers the correspondence between the program and the promotion authority in the one list in order to give the promotion authority to the program determined to satisfy the predetermined criterion,
An information processing method , wherein when the detection unit detects generation or change of a child program by a program to which the promotion authority is granted, the registration unit registers the child program in the one list . And an information processing apparatus according to any one of claims 1 to 12,
An information processing system comprising: a server device that transmits data of the one list to the information processing device via a network. The information processing system according to claim 14 , wherein the server device receives information related to a program to be registered in the one list from the information processing device via the network. Program for causing to function as each means of the information processing apparatus according to computer claims 1 to any one of claims 12.

Images