KR101749903B1 - Malicious detecting system and method for non-excutable file - Google Patents

Info

Publication number
KR101749903B1
Authority
KR
South Korea
Prior art keywords
file
malicious
status information
information
state
Prior art date
Application number
KR1020160150506A
Other languages
Korean (ko)
Inventor
전진표
남 권
박대현
Original Assignee
주식회사 안랩
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 주식회사 안랩
Priority to KR1020160150506A
Application granted
Publication of KR101749903B1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

The present invention realizes a maliciousness checking technique (method) for a non-executable file which can ensure high inspection reliability while minimizing the increase in inspection complexity, the deterioration of convenience, and the damage to the host PC, so that the system can be reliably protected from malicious code.

Description

{MALICIOUS DETECTING SYSTEM AND METHOD FOR NON-EXCUTABLE FILE}

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to the maliciousness checking of files, and more specifically to a maliciousness checking technique for a non-executable file which, unlike an executable file, is difficult to check systematically.

More specifically, the present invention realizes a maliciousness checking technique for a non-executable file that can guarantee high inspection reliability while minimizing the increase in inspection complexity, the deterioration of convenience, and the damage to the host PC, so as to protect the system from malicious code.

Malicious code attacks in various ways: for example, an attack that arbitrarily modifies information (files) to make them unusable, an attack that leaks information (files) to the outside, and an attack that deletes information (files).

These various types of malicious code attack a user system (e.g., a host PC) by performing malicious actions on the user system in which the file containing them has been distributed/installed.

A file containing malicious code can be broadly divided into an executable type, which can be executed on its own, and a non-executable type, which is executed passively after being accessed/loaded by another process.

On the other hand, unlike an executable file, a non-executable file containing malicious code is difficult to check systematically for maliciousness.

The reasons are as follows. In the case of a non-executable file, it is difficult to tell whether the file is newly introduced into the user system (e.g., a host PC), because such files can also be created/edited locally; duplicate scans are likely to occur in the user system, because the user can keep copying the file; and the file is executed passively by another process, which causes convenience to deteriorate. These points increase inspection complexity and reduce convenience.

In addition, when a malicious file newly flows into a user system (e.g., a host PC), the file must be executed for the first time in order to be checked, and executing it on the user system carries a risk of harm. This is another reason.

Therefore, there is a need for a maliciousness checking technique (method) for non-executable files which can ensure high inspection reliability while minimizing the increase in inspection complexity, the reduction in convenience, and the damage to the host PC.

Therefore, the present invention proposes a maliciousness checking technique for a non-executable file that can guarantee high inspection reliability while minimizing the increase in inspection complexity, the reduction in convenience, and the damage to a host PC.

SUMMARY OF THE INVENTION

The present invention has been made in view of the above circumstances, and it is an object of the present invention to provide a non-executable file maliciousness checking system and a non-executable file maliciousness checking method that realize a maliciousness checking technique (scheme) for a non-executable file capable of ensuring high inspection reliability while minimizing the increase in inspection complexity, the deterioration of convenience, and the damage to the host PC, so that the system can be reliably protected from malicious code included in a non-executable file.

In order to achieve the above object, according to a first aspect of the present invention, there is provided a maliciousness checking method for a non-executable file, comprising: a judgment step of judging, when an arbitrary process accesses a file, whether the present access is to be monitored; a status information checking step of checking status information related to the maliciousness check of the file if it is determined that the present access is to be monitored; an inspection progress step of, if the status information confirms that the file is in a state requiring the maliciousness check to proceed, blocking the access, suspending execution of the file by the arbitrary process, and proceeding with the maliciousness check of the file; and an inspection result reflecting step of releasing the execution suspension of the file according to the result of the maliciousness check, allowing the arbitrary process to execute the file, and changing the status information of the file.

In order to achieve the above object, according to a second aspect of the present invention, there is provided a maliciousness checking system for a non-executable file, comprising: a judgment unit for judging, when an arbitrary process accesses a file, whether the present access is to be monitored; a status information checking unit for checking status information related to the maliciousness check of the file when it is determined that the present access is to be monitored; an inspection progress unit for, if the status information confirms that the file is in a state requiring the maliciousness check to proceed, blocking the access, suspending execution of the file by the arbitrary process, and proceeding with the maliciousness check of the file; and an inspection result reflecting unit for releasing the execution suspension of the file according to the result of the maliciousness check, allowing the arbitrary process to execute the file, and changing the status information of the file.

According to the embodiments of the present invention, by implementing a maliciousness checking technique (scheme) that ensures high inspection reliability while minimizing the increase in inspection complexity, the deterioration of convenience, and the occurrence of damage in the host PC, the system can be reliably protected from the malicious code included in a non-executable file.

FIG. 1 is a block diagram showing the configuration of a non-executable file maliciousness checking system according to a preferred embodiment of the present invention.

FIG. 2 is a flowchart illustrating a non-executable file maliciousness checking method according to a preferred embodiment of the present invention.

While the invention is susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will herein be described in detail. It should be understood, however, that the invention is not intended to be limited to the particular embodiments, but includes all modifications, equivalents, and alternatives falling within the spirit and scope of the invention. Like reference numerals are used for like elements in describing each drawing.

It is to be understood that when an element is referred to as being "connected" or "coupled" to another element, it may be directly connected or coupled to the other element, or intervening elements may be present. On the other hand, when an element is referred to as being "directly connected" or "directly coupled" to another element, it should be understood that there are no intervening elements.

The terminology used in this application is used only to describe specific embodiments and is not intended to limit the invention. The singular expressions include plural expressions unless the context clearly dictates otherwise. In the present application, the terms "comprises" or "having" and the like are used to specify the presence of a feature, a number, a step, an operation, an element, a component, or a combination thereof described in the specification, but do not preclude the presence or addition of one or more other features, numbers, steps, operations, elements, components, or combinations thereof.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Terms such as those defined in commonly used dictionaries are to be interpreted as having a meaning consistent with their meaning in the context of the related art, and are not to be interpreted in an idealized or overly formal sense unless expressly so defined in the present application.

Hereinafter, preferred embodiments of the present invention will be described with reference to the accompanying drawings.

First, the present invention will be described with reference to FIG. 1. Here, FIG. 1 shows the configuration of a non-executable file maliciousness checking system according to a preferred embodiment of the present invention.

As shown in FIG. 1, the non-executable file maliciousness checking system 100 according to the present invention is preferably installed in an independent user system 500 such as a computer. The non-executable file maliciousness checking system 100 of the present invention may take the form of an application installed in the user system 500.

FIG. 1 also shows, for convenience of explanation, a storage unit 400 storing information (files) in the user system 500, a process 300 accessing the information (files) stored in the storage unit 400, and a file system 200 controlling I/O of information (files) between the storage unit 400 and the process 300.

As shown in FIG. 1, the non-executable file maliciousness checking system 100 according to the present invention includes a determination unit 110 for judging, when an arbitrary process accesses a file, whether the present access is to be monitored; a status information checking unit 120 for checking status information related to the maliciousness check of the file when it is determined that the present access is to be monitored; an inspection progress unit 130 for, when the status information confirms that the file is in a state requiring the maliciousness check to proceed, blocking the access, suspending execution of the file by the arbitrary process, and proceeding with the maliciousness check of the file; and an inspection result reflecting unit 140 for releasing the execution suspension of the file according to the result of the maliciousness check, allowing the arbitrary process to execute the file, and changing the status information of the file.

It is preferable that the determination unit 110 basically monitors, in conjunction with the file system 200, whether an event in which an arbitrary process accesses information (a file) stored in the storage unit 400 occurs.

Herein, the term arbitrary process refers to a process that attempts to access information (a file) stored in the storage unit 400, among the various kinds of processes that can run in the user system 500. Hereinafter, this process is referred to as the process 300.

Hereinafter, for convenience of explanation, it is assumed that the process 300 has accessed the information (file A) stored in the storage unit 400 as an arbitrary process.

In such a situation, the determination unit 110 may detect that an event that an arbitrary process 300 accesses the file A stored in the storage unit 400 has occurred.

When the arbitrary process 300 accesses the file A, the determination unit 110 determines, based on a predefined selection condition, whether the present access is to be monitored with respect to file execution.

At this time, the selection condition preferably includes file identification information that identifies a file designated as a file execution hold object, storage subject identification information that identifies a storage subject process that stores a file designated as a file execution hold object, and access subject identification information that identifies an access subject process that accesses the file.

Specifically, when the determination unit 110 determines, based on the selection condition described above, that the present access is an attempt by an access subject process to access a file execution hold object stored by a storage subject process, it may judge the present access to be a monitoring target.

That is, when the arbitrary process 300 accesses the file A, the determination unit 110 judges the present access to be a monitoring target if all three elements, namely the file A being accessed, the storage subject process that stored the file A in the user system 500, and the access subject process accessing the file A, satisfy the selection condition described above.

More specifically, for example, when the arbitrary process 300 accesses the file A, the determination unit 110 checks whether the extension of the file A being accessed is included in the file identification information of the selection condition (e.g., pdf, doc, etc.); if it is, checks whether the name of the storage subject process that stored the file A in the user system 500 is included in the storage subject identification information of the selection condition (e.g., iexplore.exe, chrome.exe, etc.); and if it is, checks whether the name of the access subject process accessing the file A, that is, the process 300, is included in the access subject identification information of the selection condition (e.g., acrord32.exe, winword.exe, etc.). If it is, the determination unit 110 judges the present access to be a monitoring target.

Of course, the order in which the determination unit 110 checks the extension of the file A, the name of the storage subject process, and the name of the access subject process may be changed freely.

If the determination unit 110 determines that the present access is to be monitored, the status information checking unit 120 checks the status information related to the maliciousness check of the file A.

Here, the status information includes first status information indicating a state in which the maliciousness check is required to proceed, second status information indicating a state in which the maliciousness check has been performed and the result is normal, and third status information indicating a state in which the maliciousness check has been performed and the result is malicious.

Hereinafter, for convenience of explanation, each kind of status information is given a name that conveys its meaning, as follows.

First status information - SCAN

Second status information - CLEAN

Third status information - MALWARE

To this end, in the present invention, when a file is stored in the user system 500, its status information is initially set to the first status information (SCAN).

More specifically, in the present invention, when a file whose extension is defined in the selection condition (e.g., pdf, doc, etc.) is stored in the user system 500 by a storage subject process defined in the selection condition (i.e., iexplore.exe, chrome.exe, etc.), the status information of the file is initially set to the first status information (SCAN).

Therefore, if the file A has been stored in the user system 500 and its maliciousness has not yet been checked, the status information of the file A will be the first status information (SCAN).

In this case, since the determination unit 110 has determined that the present access is to be monitored, the status information checking unit 120 checks the status information of the file A and will confirm the first status information (SCAN).

If, as a result of the status information checking unit 120 checking the status information, the file A is confirmed to be in the state requiring the maliciousness check to proceed, that is, the first status information (SCAN), the inspection progress unit 130 blocks the present access, suspends execution of the file A by the process 300, and proceeds with the maliciousness check of the file A.

At this time, it is preferable that the inspection progress unit 130 performs the maliciousness check of the file at a remote site.

That is, the inspection progress unit 130 first blocks the access and suspends execution of the file A by the process 300, then provides the file A to a remote diagnosis server (not shown) and receives from the diagnosis server the maliciousness diagnosis result obtained by diagnosing the file A according to the server's maliciousness diagnosis policy, so that a remote maliciousness check of the file A can be performed.

In this case, for a non-executable file newly introduced (stored) into the user system 500, the initial execution required for the maliciousness check takes place in the diagnosis server (not shown) rather than in the user system 500, so the risk of damage to the host PC can be minimized.

In addition, while the maliciousness check of the file A is in progress, the inspection progress unit 130 may output the fact that the check is in progress and related information (e.g., the reason for the check, the degree of progress, etc.) to the user in a recognizable form such as a screen or a sound.

In this case, according to the present invention, since the non-executable file A is executed passively by the other process 300, the user is notified of the reason why the response of the process 300 is lost or delayed during the maliciousness check of the file A, and the deterioration of convenience experienced by the user can thus be minimized.

The inspection result reflecting unit 140 releases the execution suspension of the file A according to the result of the maliciousness check conducted by the inspection progress unit 130, allows the process 300 to execute the file A, and changes the status information of the file A.

More specifically, when the result of the maliciousness check by the inspection progress unit 130 is normal, the inspection result reflecting unit 140 automatically executes the file A and links it to the process 300 so that the process 300 can use it, thereby releasing the execution suspension of the file A and allowing the process 300 to execute the file A.

In addition, when the result of the maliciousness check by the inspection progress unit 130 is normal, the inspection result reflecting unit 140 updates the status information of the file A from the first status information (SCAN) to the second status information (CLEAN).

If the result of the maliciousness check by the inspection progress unit 130 is malicious, the inspection result reflecting unit 140 updates the status information of the file A from the first status information (SCAN) to the third status information (MALWARE).

In addition, the inspection result reflecting unit 140 may output the fact that the present access, that is, the access of the process 300 to the file A, is blocked, and related information (e.g., the reason for blocking, a malicious code warning, etc.) to the user in a recognizable form such as a screen or a sound.

As described above, according to the present invention, the status information of the file A, which is initially set to the first status information (SCAN) after the file is stored in the user system 500, is changed to the second status information (CLEAN) if the result of the present maliciousness check is normal, and to the third status information (MALWARE) if it is malicious.

Therefore, if an arbitrary process 300 accesses the file A at a later time and the determination unit 110 determines that the access is to be monitored, the status information checking unit 120 will confirm the second status information (CLEAN) or the third status information (MALWARE) for the file A.

Accordingly, when the second status information (CLEAN) is confirmed for the file A, the non-executable file maliciousness checking system 100 of the present invention permits the present access, so that the process 300 executes the file A.

On the other hand, when the third status information (MALWARE) is confirmed for the file A, the non-executable file maliciousness checking system 100 of the present invention blocks the present access, thereby protecting the user system 500 from the malicious code included in the non-executable file A, and outputs the fact of the blocking and related information (e.g., the reason for blocking, a malicious code warning, etc.) to the user in a recognizable form such as a screen or a sound.
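The selection condition and the SCAN/CLEAN/MALWARE flow described above (the same flow appears as steps S100 to S190 of FIG. 2) are modelled below as an added Python example. It is not code from the patent or from the assignee. The process names and extensions are the ones the description gives as examples; the file names, the `FileRecord`/`Verdict` types and the `remote_check` callback standing in for the diagnosis server are assumptions of this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class State(Enum):
    SCAN = "SCAN"        # first status information: maliciousness check still required
    CLEAN = "CLEAN"      # second status information: checked, result normal
    MALWARE = "MALWARE"  # third status information: checked, result malicious


@dataclass(frozen=True)
class SelectionCondition:
    """The three-part selection condition of the patent.

    The values are the examples the description names; a real deployment
    would load them from policy (assumption of this example).
    """
    extensions: frozenset = frozenset({"pdf", "doc"})
    storage_processes: frozenset = frozenset({"iexplore.exe", "chrome.exe"})
    access_processes: frozenset = frozenset({"acrord32.exe", "winword.exe"})


@dataclass
class FileRecord:
    name: str
    stored_by: str                 # storage subject process that wrote the file
    state: Optional[State] = None  # None: not a file execution hold object


@dataclass
class Verdict:
    action: str                    # "allow" or "block"
    state: Optional[State]         # status information after this access
    notice: Optional[str] = None   # what units 130/140 would show the user


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def on_file_stored(cond: SelectionCondition, rec: FileRecord) -> Optional[State]:
    """Initial status information: a file with a designated extension written by
    a storage subject process starts in SCAN; any other file is not tracked."""
    if (rec.stored_by.lower() in cond.storage_processes
            and extension_of(rec.name) in cond.extensions):
        rec.state = State.SCAN
    return rec.state


def is_monitored(cond: SelectionCondition, rec: FileRecord, access_process: str) -> bool:
    """Determination unit 110: all three elements must match the selection condition."""
    return (extension_of(rec.name) in cond.extensions
            and rec.stored_by.lower() in cond.storage_processes
            and access_process.lower() in cond.access_processes)


def on_file_access(cond: SelectionCondition, rec: FileRecord, access_process: str,
                   remote_check: Callable[[FileRecord], str]) -> Verdict:
    """One access event, following S100..S190 of the flowchart.

    remote_check stands in for the diagnosis server and returns "normal" or
    "malicious" (assumed interface). It is consulted only in the SCAN state,
    so CLEAN and MALWARE files never cause a duplicate scan.
    """
    if not is_monitored(cond, rec, access_process):
        return Verdict("allow", rec.state)                        # S110 No -> S130
    if rec.state is State.CLEAN:
        return Verdict("allow", rec.state)                        # S120 CLEAN -> S130
    if rec.state is State.MALWARE:
        return Verdict("block", rec.state,
                       "malicious code warning: access blocked")  # S120 MALWARE -> S190
    # SCAN (or untracked but monitored): block the access, hold execution,
    # and check at the remote site (S140, S150)
    if remote_check(rec) == "normal":
        rec.state = State.CLEAN                                   # S160
        return Verdict("allow", rec.state,
                       "check finished: normal; execution released")  # S170
    rec.state = State.MALWARE                                     # S180
    return Verdict("block", rec.state,
                   "check finished: malicious; access blocked")   # S190
```

Because a CLEAN file is released without contacting the server, a policy change on the diagnosis server has no effect on already-checked files until their status information is reset; that is the gap the status information management unit 150 closes.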

Furthermore, the non-executable file maliciousness checking system 100 of the present invention may further include a status information management unit 150.

The maliciousness diagnosis policy executed at the remote diagnosis server (not shown) can be changed flexibly based on information obtained by analyzing the various malicious codes that appear and change. That is, even when the same file is diagnosed, the result of the maliciousness diagnosis (inspection) can differ according to the maliciousness diagnosis policy.

The non-executable file maliciousness checking system 100 of the present invention further includes the status information management unit 150 in order to reflect the maliciousness diagnosis policy of the diagnosis server (not shown), which can change as described above.

That is, the status information management unit 150 changes the status information of all files designated as file execution hold objects to the first status information (SCAN) upon termination of the user system 500, or, for a file whose status information has been changed to the second status information (CLEAN) or the third status information (MALWARE), automatically changes the status information back to the first status information (SCAN) upon expiration of a predetermined time after the change.

Specifically, when the user system 500 is terminated, the status information management unit 150 changes the status information of all files that were stored by a storage subject process defined in the selection condition and are file execution hold objects defined in the selection condition to the first status information (SCAN).

In this case, the non-executable file maliciousness checking system 100 of the present invention is initialized when the user system 500 is terminated, so that the maliciousness check of non-executable files can thereafter be performed with the maliciousness diagnosis policy of the diagnosis server (not shown) reflected again.

Alternatively, for a file (e.g., the file A) whose status information has been changed to the second status information (CLEAN) or the third status information (MALWARE), the status information management unit 150 may automatically change the status information back to the first status information (SCAN) upon expiration of a predetermined time after the change.

In this case, the non-executable file maliciousness checking system 100 of the present invention is initialized in units of the predetermined time, for each file that was stored by a storage subject process defined in the selection condition, is a file execution hold object defined in the selection condition, and whose status information has been changed, so that the maliciousness diagnosis policy of the diagnosis server (not shown) is reflected again.
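The two re-initialization behaviours of the status information management unit 150 (reset of every hold object to SCAN on system termination, and reset of an individual file to SCAN a predetermined time after its last change) are shown below as an added Python example that is not part of the patent. The TTL value, the file paths and the choice to apply the expiry lazily, at the moment the status information is read, are assumptions of this example; the patent does not say whether the change happens on a timer or on read.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class State(Enum):
    SCAN = "SCAN"        # check required (initial and re-initialized state)
    CLEAN = "CLEAN"      # last check normal
    MALWARE = "MALWARE"  # last check malicious


@dataclass
class StateEntry:
    state: State
    changed_at: float    # time in seconds at which the state was last changed


class StateInfoManager:
    """Status information for files that are file execution hold objects.

    ttl_seconds is the 'predetermined time' after which a CLEAN or MALWARE
    state reverts to SCAN so that the next access is re-checked under the
    diagnosis server's current policy (the value is an assumption; the patent
    gives none).
    """

    def __init__(self, ttl_seconds: float):
        self.ttl = ttl_seconds
        self.entries: Dict[str, StateEntry] = {}

    def on_file_stored(self, path: str, now: float) -> State:
        # A newly stored hold object starts in SCAN.
        self.entries[path] = StateEntry(State.SCAN, now)
        return State.SCAN

    def set_result(self, path: str, result: State, now: float) -> State:
        # Called by the inspection result reflecting unit after a check.
        self.entries[path] = StateEntry(result, now)
        return result

    def get_state(self, path: str, now: float) -> Optional[State]:
        """State as seen by the status information checking unit.

        Expiry is applied lazily here (assumption): a CLEAN/MALWARE entry
        whose age has reached ttl reverts to SCAN before it is reported.
        """
        entry = self.entries.get(path)
        if entry is None:
            return None  # not a file execution hold object
        if entry.state is not State.SCAN and now - entry.changed_at >= self.ttl:
            entry.state = State.SCAN
            entry.changed_at = now
        return entry.state

    def on_system_termination(self, now: float) -> int:
        """Reset every hold object to SCAN; returns how many entries changed."""
        reset = 0
        for entry in self.entries.values():
            if entry.state is not State.SCAN:
                reset += 1
            entry.state = State.SCAN
            entry.changed_at = now
        return reset
```

A MALWARE entry is reset in exactly the same way as a CLEAN one, which matches the text: the point of the reset is to re-run the file under the server's current policy, not to whitelist it, and a file that is still malicious simply returns to MALWARE on its next access.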

As described above, the non-executable file maliciousness checking system 100 of the present invention adopts a method of checking maliciousness at a remote site after suspending execution of the non-executable file, and, by defining the selection condition and the status information that can distinguish the non-executable files for which a maliciousness check needs to proceed, regardless of whether a file is newly introduced (stored) or copied, can minimize the increase in inspection complexity.

In addition, the non-executable file maliciousness checking system 100 of the present invention can visually report the progress and the result of the maliciousness check to the user, thereby minimizing the deterioration in the user's convenience.

In addition, the non-executable file maliciousness checking system 100 of the present invention reflects, through its automatic status information changing function, the maliciousness diagnosis policy of the diagnosis server (not shown), which can be changed flexibly, and can thus ensure high inspection reliability.

In summary, the non-executable file maliciousness checking system 100 of the present invention, by implementing a maliciousness checking technique (scheme) for non-executable files that can guarantee high inspection reliability while minimizing the increase in inspection complexity, the deterioration of convenience, and the damage to the host PC, derives the effect of reliably protecting the system from the malicious code included in a non-executable file.

Hereinafter, a non-executable file maliciousness checking method according to a preferred embodiment of the present invention will be described in more detail with reference to FIG. 2. Here, for convenience of description, the components shown in FIG. 1 will be referred to by their reference numerals.

For convenience of explanation, the non-executable file maliciousness checking method according to the present invention will be described as an operation method performed by the non-executable file maliciousness checking system 100 shown in FIG. 1 (hereinafter, the operation method of the system 100).

The operation method of the system 100 according to the present invention monitors whether an event in which an arbitrary process accesses information (a file) stored in the user system 500 occurs.

Hereinafter, for convenience of explanation, it is assumed that the process 300 has accessed the information (file A) as an arbitrary process.

In this case, the operation method of the system 100 according to the present invention may detect that an event in which the arbitrary process 300 accesses the file A has occurred (S100).

When the arbitrary process 300 accesses the file A, the operation method of the system 100 according to the present invention determines, based on the predefined selection condition, whether the present access is to be monitored (S110).

Specifically, when the present access is identified, based on the selection condition described above, as an attempt by an access subject process to access a file execution hold object stored by a storage subject process, the operation method of the system 100 according to the present invention may judge the present access to be a monitoring target.

That is, when the arbitrary process 300 accesses the file A, the operation method of the system 100 according to the present invention judges the present access to be a monitoring target if all three elements, namely the file A being accessed, the storage subject process that stored the file A in the user system 500, and the access subject process accessing the file A, satisfy the selection condition described above.

More specifically, for example, when the arbitrary process 300 accesses the file A, the operation method of the system 100 according to the present invention checks whether the extension of the file A being accessed is included in the file identification information of the selection condition (e.g., pdf, doc, etc.); if it is, checks whether the name of the storage subject process that stored the file A in the user system 500 is included in the storage subject identification information of the selection condition (e.g., iexplore.exe, chrome.exe, etc.); and if it is, checks whether the name of the access subject process accessing the file A, that is, the process 300, is included in the access subject identification information of the selection condition (e.g., acrord32.exe, winword.exe, etc.). If it is, the present access is judged to be a monitoring target.

If it is determined in step S110 that the present access is to be monitored (Yes in S110), the operation method of the system 100 according to the present invention checks the status information related to the maliciousness check of the file A (S120).

Of course, if it is determined in step S110 that the present access is not a monitoring target (No in S110), the operation method of the system 100 according to the present invention permits the present access so that the process 300 executes the file A (S130).

When the first status information (SCAN) of the file A is confirmed in step S120, the operation method of the system 100 according to the present invention blocks the present access, holds execution of the file A by the process 300, and proceeds with the maliciousness check of the file A (S140).

At this time, the operation method of the system 100 according to the present invention, after blocking the access and holding execution of the file A by the process 300, provides the file A to the diagnosis server (not shown) and receives from the diagnosis server the maliciousness diagnosis result obtained for the file A according to the server's maliciousness diagnosis policy, so that a remote maliciousness check of the file A can be performed.

In addition, the operation method of the system 100 according to the present invention preferably outputs the fact that the check of the file A is in progress and related information (e.g., the reason for the check, the degree of progress, etc.) to the user in a recognizable form such as a screen or a sound.

The operation method of the system 100 according to the present invention then determines whether the result of the maliciousness check is normal or malicious (S150).

If the result of the maliciousness check is normal (Yes in S150), the operation method of the system 100 according to the present invention updates the status information of the file A from the first status information (SCAN) to the second status information (CLEAN) (S160), and automatically executes the file A and links it to the process 300 so that the process 300 can use it, thereby releasing the execution hold of the file A and allowing the process 300 to execute the file A (S170).

Meanwhile, when the result of the maliciousness check is malicious, the operation method of the system 100 according to the present invention changes the status information of the file A from the first status information (SCAN) to the third status information (MALWARE) (S180).

In addition, the operation method of the system 100 according to the present invention may output the fact that the present access of the process 300 to the file A is blocked and related information (e.g., the reason for blocking, a malicious code warning, etc.) to the user in a recognizable form such as a screen or a sound (S190).

As described above, according to the present invention, the status information of file A, which is initially set to the first status information (SCAN) after the file is stored in the user system 500, is changed to the second status information (CLEAN) when the result of the maliciousness check is normal, and to the third status information (MALWARE) when it is malicious.

If the second status information (CLEAN) of file A is confirmed in step S120, the operation method of the malicious file checking system 100 according to the present invention treats the current access as not an inspection target, permits the current access, and allows file A to be executed by process 300 (S130).

Meanwhile, when the third status information (MALWARE) of file A is confirmed in step S120, the operation method of the malicious file checking system 100 according to the present invention blocks the current access so that the user system 500 is protected from the malicious code, and outputs the blocking information and related information (for example, the blocking reason, a malicious code warning, etc.) in a form recognizable by the user (S190).

Furthermore, the operation method of the malicious file checking system 100 according to the present invention may change the status information of all files designated as file execution pending targets to the first status information (SCAN) upon termination of the user system 500 (S200), or may automatically change a file whose status information was changed to the second status information (CLEAN) or the third status information (MALWARE) back to the first status information (SCAN) upon expiration of a predetermined time after the change.

Specifically, in the operation method of the malicious file checking system 100 according to the present invention, when the user system 500 is terminated, the status information of all files that were stored by the storage subject process defined in the selection condition and that are file execution pending targets defined in the selection condition may be automatically changed to the first status information (SCAN).

In this case, the malicious file checking system 100 for non-executable files of the present invention initializes the status information at the termination of the user system 500, so that the maliciousness check reflecting the current maliciousness diagnosis policy of the diagnosis server (not shown) can be performed again on the non-executable file.

Alternatively, the operation method of the malicious file checking system 100 according to the present invention may automatically change a file (for example, file A) whose status information was changed to the second status information (CLEAN) or the third status information (MALWARE) back to the first status information (SCAN) upon expiration of a predetermined time after the change.

In this case, the malicious file checking system 100 for non-executable files of the present invention initializes the status information in units of the predetermined time for each file that was stored by the storage subject process defined in the selection condition and that is a file execution pending target defined in the selection condition, so that the maliciousness check reflecting the current maliciousness diagnosis policy of the diagnosis server (not shown) is performed again.
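The procedure of steps S110 to S200 described above, as an added example that is not part of the patent or of any AhnLab product: a Python simulation of the selection condition (file identification, storage subject, access subject), the SCAN / CLEAN / MALWARE status information, the blocking of a held file while a remote verdict is obtained, and the two reset policies (system shutdown and expiry of a predetermined time). All class and process names, the extensions in the selection condition, the constructed MARKER that stands in for the diagnosis server's verdict, and the SHA-256 content binding that sends a rewritten file back to SCAN are assumptions of this example; the patent text ties the status information to the file, not to its content.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Set

class Status(Enum):
    SCAN = "SCAN"        # first status information: a check must still be run
    CLEAN = "CLEAN"      # second status information: last check was normal
    MALWARE = "MALWARE"  # third status information: last check was malicious

class Decision(Enum):
    NOT_MONITORED = "not_monitored"  # access is outside the selection condition
    ALLOW = "allow"                  # file may be opened by the accessing process
    BLOCK = "block"                  # access blocked, file is not executed

@dataclass(frozen=True)
class SelectionCondition:        # the three identifiers of claim 2 (values assumed)
    extensions: Set[str]         # file identification information
    storage_processes: Set[str]  # storage subject processes
    access_processes: Set[str]   # access subject processes

@dataclass
class FileRecord:
    status: Status = Status.SCAN
    changed_at: float = 0.0         # when the status last left SCAN
    digest: Optional[bytes] = None  # content hash the verdict applies to (assumption)

class PendingExecutionMonitor:
    def __init__(self, cond: SelectionCondition, diagnose: Callable[[bytes], bool],
                 ttl_seconds: float, clock: Callable[[], float]) -> None:
        self.cond, self.diagnose, self.ttl, self.clock = cond, diagnose, ttl_seconds, clock
        self.files: Dict[str, FileRecord] = {}
        self.messages: List[str] = []  # what the patent shows on screen or plays as sound
        self.remote_checks = 0         # how often the diagnosis server was consulted

    def on_store(self, path: str, process: str) -> bool:
        # Newly imported or copied file: registered in SCAN only if file id and storage subject match
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if ext in self.cond.extensions and process in self.cond.storage_processes:
            self.files[path] = FileRecord(Status.SCAN, self.clock())
            return True
        return False

    def on_access(self, path: str, process: str, content: bytes) -> Decision:
        # Determination step, status check, inspection and result reflection.
        rec = self.files.get(path)
        if rec is None or process not in self.cond.access_processes:
            return Decision.NOT_MONITORED
        digest = hashlib.sha256(content).digest()
        if rec.status is not Status.SCAN and (
                self.clock() - rec.changed_at >= self.ttl or digest != rec.digest):
            rec.status = Status.SCAN  # TTL expired, or the file changed since the verdict
        if rec.status is Status.CLEAN:
            return Decision.ALLOW
        if rec.status is Status.MALWARE:
            self.messages.append(f"blocked {path}: previously diagnosed as malware")
            return Decision.BLOCK
        # SCAN: hold execution, consult the diagnosis server, then reflect the verdict
        self.remote_checks += 1
        malicious = self.diagnose(content)
        rec.status = Status.MALWARE if malicious else Status.CLEAN
        rec.changed_at, rec.digest = self.clock(), digest
        if malicious:
            self.messages.append(f"blocked {path}: diagnosed as malware")
            return Decision.BLOCK
        return Decision.ALLOW  # execution pending released

    def on_system_shutdown(self) -> int:
        for rec in self.files.values():  # shutdown reset: everything back to SCAN
            rec.status = Status.SCAN
        return len(self.files)

MARKER = b"<<CONSTRUCTED-MALICIOUS-MARKER>>"  # constructed stand-in for a real verdict

def toy_diagnose(content: bytes) -> bool:
    return MARKER in content

def run_demo() -> Dict[str, object]:
    cond = SelectionCondition({"docx", "pdf", "hwp"}, {"browser.exe", "mail.exe"},
                              {"word.exe", "pdfviewer.exe"})
    now = [0.0]  # controllable clock so the time-based reset can be exercised
    mon = PendingExecutionMonitor(cond, toy_diagnose, 3600, clock=lambda: now[0])
    out: Dict[str, object] = {}
    mon.on_store("C:/dl/report.docx", "browser.exe")
    mon.on_store("C:/dl/invoice.pdf", "mail.exe")
    out["local_copy_ignored"] = mon.on_store("C:/dl/local.docx", "explorer.exe")
    out["first_open"] = mon.on_access("C:/dl/report.docx", "word.exe", b"clean doc")
    out["second_open"] = mon.on_access("C:/dl/report.docx", "word.exe", b"clean doc")
    out["checks_after_two_opens"] = mon.remote_checks
    out["mal_open"] = mon.on_access("C:/dl/invoice.pdf", "pdfviewer.exe", b"%PDF" + MARKER)
    out["mal_reopen"] = mon.on_access("C:/dl/invoice.pdf", "pdfviewer.exe", b"%PDF" + MARKER)
    out["unmonitored"] = mon.on_access("C:/dl/report.docx", "notepad.exe", b"clean doc")
    out["rewritten"] = mon.on_access("C:/dl/report.docx", "word.exe", b"clean doc" + MARKER)
    now[0] += 3600  # predetermined time expires: CLEAN/MALWARE fall back to SCAN
    out["after_ttl"] = mon.on_access("C:/dl/invoice.pdf", "pdfviewer.exe", b"%PDF" + MARKER)
    out["checks_total"] = mon.remote_checks
    out["reset_count"] = mon.on_system_shutdown()
    return out
```

run_demo() walks through the cases the description spells out: a CLEAN file is opened a second time without another round trip to the diagnosis server, a MALWARE file is blocked from the cached verdict, a process outside the access subject list is not monitored at all, and both the time-based and the shutdown reset force a fresh verdict under whatever policy the server holds at that moment. The content-hash binding is the one practitioner's addition: without it, a file rewritten after being marked CLEAN would be executed unchecked, since the cached status alone says nothing about what is on disk at execution time.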

As described above, the operation method of the malicious file checking system 100 according to the present invention, that is, the non-executable file maliciousness checking method according to the present invention, performs the maliciousness check at a remote location (the diagnosis server) before the non-executable file is executed on the user system (host PC), distinguishes the non-executable files to be checked according to whether the file is a newly imported file or a copied file, and, by defining the selection condition and the status information, effectively avoids redundant checks and minimizes the increase in inspection complexity.

In addition, the non-executable file maliciousness checking method according to the present invention can minimize the degradation of user convenience by notifying the user of the progress of the maliciousness check and of the blocking of a file diagnosed as malicious.

In addition, the non-executable file maliciousness checking method of the present invention can guarantee high inspection reliability, because the automatic status information changing function causes the maliciousness diagnosis policy of the diagnosis server (not shown), which can be changed flexibly, to be reflected again in later checks.

In summary, the non-executable file maliciousness checking method of the present invention is a maliciousness checking technique for non-executable files that guarantees high inspection reliability while minimizing the increase in inspection complexity and the degradation of user convenience, thereby obtaining the effect of highly protecting the system from malicious code included in a non-executable file.

The non-executable file maliciousness checking method according to an embodiment of the present invention may be implemented in the form of program instructions that can be executed through various computer means and recorded in a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, and the like, alone or in combination. The program instructions recorded on the medium may be those specially designed and configured for the present invention or may be those known and available to those skilled in the art of computer software. Examples of computer-readable media include magnetic media such as hard disks, floppy disks and magnetic tape; optical media such as CD-ROMs and DVDs; magneto-optical media such as floptical disks; and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like. Examples of program instructions include machine language code such as that produced by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.

As described above, the present invention has been described with reference to particular embodiments, such as specific constituent elements, limited embodiments and drawings. However, it should be understood that the present invention is not limited to the above-described embodiments, and various modifications and changes may be made thereto by those skilled in the art to which the present invention pertains.

Accordingly, the spirit of the present invention should not be construed as being limited to the embodiments described; the following claims and all equivalents of the claims belong to the scope of the present invention.

100: Malicious file checking system for non-executable files
110: determination unit 120: status information verification unit
130: inspection progress unit 140: inspection result reflection unit
150: Status information manager
200: File system
300: Process
400:
500: User system

Claims (15)

  1. A method for checking whether a non-executable file is malicious, comprising:
    a determination step in which a malicious file checking system determines, when an arbitrary process accesses a file, whether the current access is a monitoring target for file execution pending based on a predefined selection condition;
    a status information checking step in which the malicious file checking system checks status information related to the maliciousness check on the file if the current access is determined to be a monitoring target;
    an inspection progress step in which, if first status information indicating a state in which the maliciousness check is requested to proceed is confirmed as a result of checking the status information, the malicious file checking system blocks the current access so that execution of the file by the arbitrary process is held, and proceeds with the maliciousness check on the file; and
    an inspection result reflecting step in which the malicious file checking system releases the execution pending of the file according to the result of the maliciousness check so that the arbitrary process can execute the file, and changes the status information on the file to indicate a state in which the maliciousness check is not required to proceed.
  2. The method according to claim 1,
    wherein the selection condition comprises:
    file identification information for identifying a file designated as a file execution pending target,
    storage subject identification information for identifying a storage subject process that stores a file designated as a file execution pending target, and
    access subject identification information for identifying an access subject process that accesses a file designated as a file execution pending target.
  3. The method of claim 2,
    wherein, in the determination step,
    the current access is determined to be a monitoring target when it is confirmed, on the basis of the selection condition, that the current access is an attempt by the access subject process to access a file designated as a file execution pending target that was stored by the storage subject process.
  4. The method according to claim 1,
    wherein the status information comprises:
    the first status information indicating a state in which the maliciousness check is requested to proceed, second status information indicating a state in which the result of the maliciousness check is normal, and third status information indicating a state in which the result of the maliciousness check is malicious.
  5. The method according to claim 1,
    wherein, in the inspection progress step,
    the file is provided to a diagnosis server at a remote location, and the diagnosis server performs the maliciousness check on the file on the basis of a maliciousness diagnosis policy.
  6. The method of claim 4,
    wherein the inspection result reflecting step comprises:
    changing the status information of the file to the second status information if the result of the maliciousness check is normal, and
    changing the status information of the file to the third status information if the result of the maliciousness check is malicious.
  7. The method of claim 4, further comprising:
    permitting, by the malicious file checking system, the current access so that the file is executed by the arbitrary process if the second status information is confirmed in the status information checking step; and
    blocking, by the malicious file checking system, the current access if the third status information is confirmed in the status information checking step, and outputting blocking information and related information on the current access in a form recognizable by the user.
  8. The method of claim 4, further comprising:
    changing, by the malicious file checking system, the status information of all files designated as file execution pending targets to the first status information at the time of system shutdown, or automatically changing the status information of a file whose status information has been changed to the second status information or the third status information back to the first status information upon expiration of a predetermined time after the change.
  9. The method according to claim 1,
    wherein, in the inspection progress step,
    the progress of the maliciousness check on the file and related information are output in a form recognizable by the user.
  10. A malicious file checking system for non-executable files, comprising:
    a determination unit that determines, when an arbitrary process accesses a file, whether the current access is a monitoring target for file execution pending based on a predefined selection condition;
    a status information checking unit that checks status information related to the maliciousness check on the file when the current access is determined to be a monitoring target;
    an inspection progress unit that, if a state in which the maliciousness check is requested to proceed is confirmed as a result of checking the status information, blocks the current access so that execution of the file by the arbitrary process is held, and proceeds with the maliciousness check on the file; and
    an inspection result reflecting unit that releases the execution pending of the file according to the result of the maliciousness check so that the arbitrary process can execute the file, and changes the status information on the file to indicate a state in which the maliciousness check is not required to proceed.
  11. The system of claim 10,
    wherein the selection condition comprises:
    file identification information for identifying a file designated as a file execution pending target,
    storage subject identification information for identifying a storage subject process that stores a file designated as a file execution pending target, and
    access subject identification information for identifying an access subject process that accesses a file designated as a file execution pending target.
  12. The system of claim 11,
    wherein the determination unit
    determines the current access to be a monitoring target when it is confirmed, on the basis of the selection condition, that the current access is an attempt by the access subject process to access a file designated as a file execution pending target that was stored by the storage subject process.
  13. The system of claim 10,
    wherein the status information comprises:
    the first status information indicating a state in which the maliciousness check is requested to proceed, second status information indicating a state in which the result of the maliciousness check is normal, and third status information indicating a state in which the result of the maliciousness check is malicious, and
    wherein the inspection result reflecting unit:
    changes the status information of the file from the first status information to the second status information if the result of the maliciousness check is normal, and
    changes the status information of the file from the first status information to the third status information if the result of the maliciousness check is malicious.
  14. The system of claim 13,
    wherein the status information of all files designated as file execution pending targets is changed to the first status information at the time of system shutdown, or the status information of a file whose status information has been changed to the second status information or the third status information is automatically changed back to the first status information upon expiration of a predetermined time after the change.
  15. A computer-readable recording medium recording a program for performing the method of any one of claims 1 to 9.
KR1020160150506A 2016-11-11 2016-11-11 Malicious detecting system and method for non-excutable file KR101749903B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020160150506A KR101749903B1 (en) 2016-11-11 2016-11-11 Malicious detecting system and method for non-excutable file

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020160150506A KR101749903B1 (en) 2016-11-11 2016-11-11 Malicious detecting system and method for non-excutable file
PCT/KR2017/012733 WO2018088844A1 (en) 2016-11-11 2017-11-10 System for inspecting whether non-executable file is malicious and method for inspecting whether non-executable file is malicious

Publications (1)

Publication Number Publication Date
KR101749903B1 true KR101749903B1 (en) 2017-06-26

Family

ID=59282577

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020160150506A KR101749903B1 (en) 2016-11-11 2016-11-11 Malicious detecting system and method for non-excutable file

Country Status (2)

Country Link
KR (1) KR101749903B1 (en)
WO (1) WO2018088844A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2011233126A (en) 2010-04-28 2011-11-17 Electronics And Telecommunications Research Institute Device, system and method for detecting malignant code which is disguised as normal and inserted to normal process
KR101288833B1 (en) * 2012-02-01 2013-08-23 주식회사 인프라웨어테크놀러지 Method for preventing malicious code using office documents, and computer-readable recording medium for the same

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101063010B1 (en) * 2009-06-03 2011-09-07 주식회사 미라지웍스 Process management method and device that can detect malware
KR101265173B1 (en) * 2012-05-11 2013-05-15 주식회사 안랩 Apparatus and method for inspecting non-portable executable files
US9239922B1 (en) * 2013-03-11 2016-01-19 Trend Micro Inc. Document exploit detection using baseline comparison

Also Published As

Publication number Publication date
WO2018088844A1 (en) 2018-05-17

Similar Documents

Publication Publication Date Title
JP4178036B2 (en) Operating system abstraction / protection layer
US7627898B2 (en) Method and system for detecting infection of an operating system
CN101777062B (en) Context-aware real-time computer-protection systems and methods
US7870387B1 (en) Program-based authorization
US8065728B2 (en) Malware prevention system monitoring kernel events
JP4321705B2 (en) Apparatus and storage system for controlling acquisition of snapshot
US6941473B2 (en) Memory device, stack protection system, computer system, compiler, stack protection method, storage medium and program transmission apparatus
KR101626424B1 (en) System and method for virtual machine monitor based anti-malware security
US20070067843A1 (en) Method and apparatus for removing harmful software
US20070067844A1 (en) Method and apparatus for removing harmful software
EP0636977B1 (en) Method and apparatus for detection of computer viruses
JP4162099B2 (en) Device having function to cope with virus infection and storage device thereof
US20020178375A1 (en) Method and system for protecting against malicious mobile code
JP5049341B2 (en) Combination of virus check and replication filter
US7603704B2 (en) Secure execution of a computer program using a code cache
US7886148B2 (en) Secure execution of a computer program
JP4234086B2 (en) Method, system, and program for processing file requests
RU2522019C1 (en) System and method of detecting threat in code executed by virtual machine
JP4625839B2 (en) Method and apparatus for detecting and recovering from buffer overflow attack
JP2012198926A (en) Hardware-based anti-virus scan service
DE60214147T2 (en) System and method for restoring a computer system damaged by a negative computer program
CN102799817B (en) Systems and methods for using virtualization technology for malware protection
US7243348B2 (en) Computing apparatus with automatic integrity reference generation and maintenance
JP2008522298A (en) How to build a reliable execution environment on your computer
US20110047618A1 (en) Method, System, and Computer Program Product for Malware Detection, Analysis, and Response

Legal Events

Date Code Title Description
E701 Decision to grant or registration of patent right
GRNT Written decision to grant