KR20040083409A - method for computer protection with real-time monitoring and thereby computer and thereby system - Google Patents

Abstract

PURPOSE: A method for protecting a computer through real-time monitoring, and the computer and a system protected by the same are provided to safely protect the computer by monitoring an interrupt or an event related to file handling and enable a user to perform setting conveniently. CONSTITUTION: A setting list(50) stores permission for changing an executable file. A detecting module(10) detects/intercepts occurrence of the interrupt or the event related to the file handling. An analysis module(20) checks the permission by comparing the interrupt or the event detected from the detecting module with the setting list after checking that the interrupt or the event is a request for changing the executable file by analyzing the interrupt or the event. A processing module(30) disuses or returns the interrupt or the event depending on an analysis result of the analysis module.

Description

Method for computer protection with real-time monitoring and thereby computer and thereby system

The present invention relates to a method of protecting a computer through real-time monitoring, and to a computer and a system protected therein. More particularly, the present invention relates to a request for a change to an executable file that is not allowed by intercepting and analyzing an interrupt or event related to file handling. The present invention relates to a method of protecting a computer through real-time monitoring, which can be configured to be discarded to protect a computer from viruses, and a computer and a system protected accordingly.

As the use of computers increases, exponential use of the Internet increases the number of viruses, worms, and other malware that destroy computer data and programs. The virus is hidden in a diskette, operating system, storage device, etc., and is executed when certain conditions (eg, booting of a computer, a specific date, execution of a specific program, etc.) are satisfied to delete or change data and programs in the computer. It will destroy the system.

The virus infects other programs, deletes or changes a part of the corresponding program, and stores its code therein. Through this process, the virus continuously infects a large number of files, infecting the system, degrading system performance, occupying storage space, or even causing damage to hardware.

Unlike a virus, the worm does not infect other files but takes up space on the computer through replication, and simultaneously executes, causing a load on the system, thereby degrading performance. In recent years, worms occurring in recent years are being developed in combination with hacking tools to hack not only personal PCs but also attacks on networks.

In addition to the viruses and worms described above, there are also malicious codes such as Trojan programs that are installed in advance on the computer so that external hackers can randomly access the computer. In the case of the Trojan program described above, infections are often caused by mail through the Internet, and many cases are hacked by external hackers to the user's PC due to the infection. In particular, as financial transactions using the Internet, such as electronic commerce, have become more active, social security numbers, public certificates, credit card numbers, etc. are often left on user PCs. In this case, leaking the social security number, official certificate, credit card number, etc. from the hacked PC by a hacker can be a simple hacking program, which is simple enough to be sufficient even at the level of elementary school students. The number of accidents used is increasing. In addition, the technique of hacking in the above manner can be said to be a technology that can be easily acquired only by the basic concept of the network, only a simple knowledge of the program.

Conventional viruses or worms are introduced into computers when the user uses infected diskettes, and the spreading speed of the virus or worm has not increased fast. However, as the use of networks increases, the spreading speed increases exponentially. In particular, in the past, it was infected by the execution of an infected program or diskette, but recently, it is also infected through e-mails and web pages. As a result, the world is often infected with the same virus within a few days.

As described above, there are various methods for recovering a system infected with a virus or the like.

First, there is a method of removing all programs / data and all viruses including an operating system stored therein by formatting a storage space in the computer and then reinstalling the programs. Formatting as above removes all the viruses stored in the storage space, but also deletes the programs and data installed by the user. Therefore, the user needs considerable time to restore the computer to the previous state. There is this.

Next, the vaccine program is used. The vaccine program includes a pattern of known viruses to check whether there is a code matching the pattern in a storage space of a computer, to diagnose the virus and to treat or delete the infected file according to the diagnosed virus. Using the antivirus program as described above is relatively simple compared to the method of formatting, but depending on the virus may not be able to recover the installed program can not be completely recovered. In addition, the vaccine program is diagnosed according to the pattern of the virus, it is possible to diagnose and treat only known viruses. If an unknown virus is found, it takes a certain time to add the function of diagnosing and treating the virus. However, there is a problem that the recent virus spreads around the world within a few days and causes considerable damage before the vaccine program is installed. In addition, even in a computer treated with a vaccine, it is often necessary to format the system when the degree of infection is excessive or when a system file is infected. Therefore, it is often necessary to reinstall the system by a method such as the above-mentioned format. The damage from unknown viruses is much greater than if they were infected with a virus known for their advancement in viral technology. In addition, the unknown virus is not detected by any vaccine, so a certain amount of time must pass before the user can be aware of it. There is another problem.

Next, there is a method of separately storing an image of a storage space before being infected with a virus, such as a CD form, and then recovering the storage space with the image when infected. The method is similar to the method of re-installation after formatting, but it is not necessary to install the programs separately, and it is convenient because the setup does not have to be performed when the program is installed. However, this method has a problem in that it is difficult to manage as the size of the storage space increases and the number of CDs storing images is increased. In addition, there is another problem of separately managing a data file generated by a user.

Another method is to use a commercial system repair means. The system recovery means is for managing a computer used by a plurality of users so as to maintain a hard disk, which is a storage space of the computer, in a state at a predetermined time point. To this end, the system recovery means may write to a specific space of the computer, but at the next boot, the system recovery means returns it to the state before the write operation. This is to disable it. That is, the hard disk is divided into two areas, one to the recovery area and one to the non-recovery area, and the programs stored in the recovery area are continuously restored to the point designated by the administrator, and any program is installed in the non-recovered area. It is a system that can store data. In this case, since a separate writable space is provided for storing data, the space is configured to be deleted by the administrator at any time, thereby preventing a virus from infecting a program already installed in the protected space.

As described above, the method of using an image or using a system recovery means can recover a certain state even if a user installs a harmful program or an unauthorized program on a computer when a few administrators manage a plurality of computers. It is easy to manage and is used a lot. However, there is a problem that protection is impossible if the virus is already infected when the image is generated. In addition, when the system recovery means is used, the recovery area can prevent the infection of the virus, but the non-recovery area has a problem that the virus can be infected. In addition, when the system is divided into a recovery / non-recovery area and managed as in the system recovery group, the user may not store any data file in the recovery area. Accordingly, a beginner may be forced to blow his data. In many cases, as noted above, since various data and programs are stored in the non-recovered region, there is another problem that a significant virus is often infected in the non-recovered region.

In addition, there are functions related to file attributes provided by Microsoft's operating system. The above function can control the properties of the file, and in the conventional DOS mode, the function of giving the hidden property of the aaa.exe file is provided through a command such as attrib -h aaa.exe. . However, in the case of the above-described method, there is an inconvenience even when the user wants to directly use the executable file. In particular, since the executable file is invisible even in the browser or DOS mode, there are a lot of restrictions in the user's use of the file directly. There is another problem. In addition, there is another problem that some files may not be executed when a hidden attribute is given.

As a way to solve the above problems, Korean Patent Application No. 10-2001-13994 discloses a method for preventing infection by a computer virus by identifying the writing operation of malicious code and prohibiting it or notifying the user. have. However, the above method is configured to detect only when a code of a virus program is inserted before or after an executable file, thereby preventing only a virus performing a limited form of action.

In addition, Korean Patent Application No. 10-2002-0083749 searches the downloaded executable code as a database for malicious executable code and checks if there is a known malicious executable code, and then executes it if there is no known malicious executable code. It is designed to stop the process in case of prohibition such as access, file creation or rewriting. Accordingly, access to the virus can be prevented by setting system files, system directories, etc. frequently infected by malicious executable codes such as general viruses.

However, the above method is configured to detect only the executable code downloaded through the web server and executed in the web browser in three steps. Therefore, the method installed in the computer or downloaded by the user beforehand is installed. In this case, it is difficult to detect or prevent viruses or worms.

In addition, it blocks the process of requesting access to a specific file or directory, so if a user disallows access to a system directory (for example, a specific directory of a Windows system such as windows or system) that the process frequently accesses, a warning sometimes appears. There is a problem.

In addition, there is a problem that the configuration is complicated and malfunctioning is high because it is configured to give a score to each action of the process. In addition, since the setting is added in the database, there is a problem that detection or prevention is impossible when the database is deleted or an error occurs.

SUMMARY OF THE INVENTION The present invention has been made to solve the above problems, and can detect an interrupt or event related to file handling to secure a computer, and provides a computer protection method and a system and a system protected according to the real-time monitoring that are easy to set up. It aims to provide.

In addition, a computer protection method through real-time monitoring that protects the operation of computer operating systems and applications by preventing infection of viruses, hacking tools, etc. by preventing the copy of executable files transmitted by web mail to the hard disk, and thereby Another object is to provide a computer and its system which are protected accordingly.

1 is a block diagram of a computer protection system through real-time monitoring according to an embodiment of the present invention

2 is a simplified flowchart of a computer protection method through real-time monitoring according to an embodiment of the present invention.

The present invention comprises a setting step of setting whether to allow the change of the executable file to achieve the above object; Detecting and intercepting an interrupt or an event related to file handling occurring inside a computer; Analyzing the interrupt or event intercepted in the detecting step to determine whether the request is related to an executable file change and to determine whether the request for the executable file change is permitted in the setting step; A processing step of determining whether to discard or return an interrupt or an event according to whether or not to allow the change of the executable file in the analysis step; Technical protection method of the computer through a real-time monitoring, characterized in that to prevent the change of.

Preferably, the setting step is to set whether to perform or stop at least one function of the sensing step, analysis step, processing step.

Preferably, the change of the executable file includes at least one of creating, copying, moving, changing a permission, changing a file name or extension, modifying file contents, merging a file, and splitting an executable file. It is done.

Preferably, the setting step is to set whether to allow separately for each program or process requesting the change of the executable file.

Preferably the detecting step is characterized in that the operating in the kernel or the file system driver included or linked.

Preferably, the analyzing step is to check the extension of the target file or the permission of the file to determine whether the request for the executable file.

Preferably, the interrupt or event is discarded and an error message is delivered to indicate to the user that the request is denied.

Preferably, after discarding the interrupt or event, an error message is not generated, so that no notification is given to the user.

A setting list for allowing permission to change an executable file; A detection module for detecting the occurrence of an interrupt or an event and intercepting it; An analysis module which analyzes the interrupt or event detected by the detection module to determine whether a change request is made to an executable file, and compares the setting list with the setting list to determine whether to allow the change; A processing module for discarding or returning the interrupt or an event according to an analysis result of the analysis module; protection for executable files stored therein according to a computer protection method through real-time monitoring is provided. Computer protection system through another technical point.

Preferably, the setting list is stored in a storage space of a computer or a flash memory installed in the computer.

Preferably, the flash memory is installed in the network interface card.

Preferably, the configuration list is characterized in that whether to allow the change of the executable file for each program or process.

Preferably, the configuration module further includes a configuration module configured to receive a list of programs allowing the execution of a method of protecting an executable file and a change of the executable file, and to store the list in a configuration list.

A client installed with a computer protection system through real-time monitoring and connected to a network; And a server connected to the client through a network and connected to the client to change the configuration list of the client.

Preferably, the client is provided with information on the server to allow access, characterized in that to allow access by comparing after receiving the authentication information from the server when the connection request from the server side.

Hereinafter, a computer protection method through real-time monitoring according to an embodiment of the present invention will be described in detail.

The present invention primarily aims at preventing infection and spread from viruses and the like. To this end, the present invention detects an interrupt or an event related to file handling occurring inside a computer, intercepts and analyzes the interrupt or event, and discards it when requesting an unacceptable action to prevent infection and spread. Accordingly, it is possible to prevent viruses and the like from being stored in the internal storage device, and to prevent other viruses from being executed by previously executing viruses and the like, thereby reducing damage caused by viruses.

In general, viruses introduced from the outside first copy themselves to change a certain location of a computer's storage space or contents of a specific file, and then include its own code or generate and save a random file, and modify a computer to modify the computer. The virus and the like are configured to be executed at the time of execution. As described above, the virus is stored and then executed to infect other files, and in the case of a worm, it copies itself. At this time, in order for the virus or worm to be executed, the virus infected file or the worm must be an executable file. Therefore, the virus or the like is infected with an executable file having a form of an executable file (for example, EXE, COM executable file, SYS system file, DLL, ocx, etc.). Therefore, the present invention is configured to prevent the creation, modification, deletion, etc. of the executable files to prevent the virus or the like is stored in the storage space and the already stored virus is executed to infect or replicate other files. Done.

Hereinafter, a computer protection method through real-time monitoring according to an embodiment of the present invention will be described in detail. The computer protection method through real-time monitoring of the present invention can be largely divided into a setting step, a detection step, an analysis step, and a processing step.

First, the setting step will be described. The setting step is to set whether to allow the change of the executable file. That is, it is possible to set whether to stop or perform a virus or the like function through the setting step. If the stop of the function is set in the setting step, the interruption or the interception of the event is stopped in the detection step described later. Accordingly, the interrupt or event is delivered to the corresponding original part and normally performed. In this case, instead of stopping the execution of the sensing step, it may be configured to return all interrupts or events, but in this case, since it takes time, it is most preferable to stop the sensing step to improve the speed of the computer.

In addition, the setting step may be configured to enable finer control by setting interrupts or events to be blocked in detail. That is, it is possible to set whether to block changes to all executable files, to allow only changes by specific programs or processes, to allow all changes, and the like. This is to change the executable file when installing or updating a new program while the computer is in use, so that the function can be temporarily suspended or allowed to be installed or updated.

Programmers, in particular, use program language programs to create or modify executables while the program is being written. In addition, some system programs or applications may change certain DLL files during execution, so these programs set DLL files to be changed in advance so that user inconvenience caused by the programs during use can be minimized. It is desirable to.

The information set as described above is stored in a setting list, and the setting list is referred to when determining whether to allow the change of the executable file in the analysis step to be described later.

Next, the sensing step will be described. The detecting step detects whether an interrupt or an event related to file handling occurring in the computer occurs. The interrupt or event is generated when the computer controls the peripheral device or when there is an input from the peripheral device. The computer is pre-programmed to perform a predetermined operation according to the interrupt or event.

Interrupts as defined above are signals from a computer-mounted device or a program in a computer that allow the operating system to stop doing what it is supposed to do next. Today almost every PC or large computer is an interrupt-based system, that is, once a computer statement in a program has started, it can execute the statement until it can no longer work or until an interrupt signal is detected. When an interrupt signal is detected, the computer resumes the program that was running or starts executing another program. Basically, a single computer can only execute one computer instruction at a time. However, because of the interrupt signal, it can have an order in which other programs or statements can be executed. This is called multitasking, which allows the user to do multiple tasks at the same time. The computer simply manages the order in which the programs will be executed so that the user can work effectively. Of course, the computer runs at a high speed so that all of the user's tasks appear to be performed at the same time. The operating system usually has interrupt management. If more than one interrupt needs to be processed, the interrupt manager prioritizes the interrupts and queues them. The operating system has another small program called the scheduler, which gives control to the next program to be run. That is, the sensing step of the present invention serves to detect only the interrupt related to file handling among the interrupts. If a file handling event for a file copy or deletion, such as a file copy or a user arbitrarily occurs while the basic operating system is operating, it plays a role of detecting in the detecting step.

The event defined above refers to any action or event that is detected by the program. Events that occur in the system, such as when a user presses a mouse button or a key on the keyboard, as well as when memory is exhausted, are considered events. In particular, most modern applications that run on Macintosh or Windows environments are called event-based programs because they are designed to respond to events that occur. The sensing step in the present invention serves to detect and limit an event related to file handling among the events.

In addition, the detecting step of the present invention prevents the computer from responding to the interrupt or event as soon as an interrupt or event related to file handling occurs. Intercepting an interrupt or an event in advance as described above is a technique known to the art in the art, so a detailed description thereof will be omitted.

Next, the analysis step will be described. The analyzing step is a process of identifying an action request by receiving and analyzing an interrupt or an event related to file handling intercepted in the detecting step. In addition, the file handling mentioned above can be roughly divided into two types. One is in the form of a regular data file, and the other can be divided into executable files. In the case of a general data file, there should be no inconvenience for users to create, copy, move files, change permissions, change file names or extensions, modify file contents, merge files, and divide files without any restrictions. In general, viruses and the like are stored in a storage space in the form of executable files. In the present invention, executable files can be created, copied, moved, changed permissions, changed file names or extensions, modified file contents, file merges, files, and the like. If you request a split, you can suspect that a virus or the like is running. Also, if the user has fully updated the operating system, there are often no changes to the executable file. However, it is often a change of an executable file performed by a malicious code such as a virus.

Of course, this may be a normal Microsoft update or the like, but in such a case, a message known to the user is generated, which is understandable from the user's point of view, but the file is copied or deleted by a general virus. This is because the copying to the user's computer in accordance with the transmission of the executable file by an external hacker or the like by an external hacker is mostly because the user does not know. The gist of the present invention is to prevent executable file creation, copying, moving, changing permission, changing file name or extension, modifying file contents, file merging, file division, and the like. By analyzing the interrupts or events related to file handling detected in the detection step, the executable file can be created, copied, moved, changed permissions, changed file name or extension, modified file contents, file merge, file division, etc. It will determine if the request is or not. After determining whether the interrupt or event related to the file handling is related to storing or changing the file, it is checked whether the target file is an executable file. In this case, in order to check whether the file is an executable file or not, the extension of the file is checked in a Microsoft DOS or Windows-based operating system, and in Unix, the file is configured to check a file's permission. In the case of an interrupt, when the file name of the target is not included, the name of the file allocated to the address of the storage space designated by the interrupt is checked in the FAT or the like. In addition, the change of the above-mentioned extension analyzes whether the target file is converted into an executable file and confirms whether the extension of the extension is changed from the data file to the executable file.

Next, the processing steps will be described. In the processing step, when the change request corresponds to a file change request executable in the analyzing step, the interrupt or event is determined and discarded according to the permission set in the setting step. In the case of discarding the interrupt or event described above, it can be implemented in two ways. After discarding the interrupt or event, an error message is transmitted to indicate to the user that the request has been rejected. After discarding the interrupt or event, the user does not generate an error message so as not to notify the user. .

As described above, after discarding the interrupt or event related to the file handling, an error message is transmitted to notify the user to confirm that the user has requested an executable file change, and the user is operating the protection function of the computer. When a change request is made in the state, the function is to be changed after stopping the function.

In addition, disabling an error message after discarding an interrupt or an event related to file handling does not cause any notification to a user, which may cause confusion that may occur due to generating the error message when a plurality of users use a computer. This is to ensure that no message is delivered to the user to reduce the problem.

In addition, the interruption or event discard in the processing step does not deliver the interrupt or event that occurred to the operating system or the kernel, and the interrupt or event only when the request is not allowed in the analysis step. It can be implemented by deleting.

In the case of the processing step for returning the interrupt or event related to the file handling mentioned above, the request allowed in the analysis step is delivered to the corresponding part to be originally delivered for the interrupt or event to be executed. Therefore, the interrupt or event can be delivered in the form requested by the user.

Hereinafter, a computer protection system through real time monitoring will be described. The computer 100 includes a setting list 50, a sensing module 10, an analysis module 20, a processing module 30, and a setting module.

The configuration list 50 stores the configuration used for the analysis of interrupts or events. To this end, the setting list 50 stores whether to allow the change of the executable file. In the present invention, the configuration list 50 is stored on the flash memory. The reason for storing in the flash memory as described above is that the settings list 50, etc. may be damaged by a virus that has been previously infected. For sake.

In the present invention, the flash memory is installed in a network interface card. This is to access the flash memory through a network so that the configuration list 50 can be changed to facilitate the management of a plurality of computers by a few administrators.

However, instead of installing the flash memory as described above, it may be stored in a hard disk, and the flash memory may be installed in a device other than a network interface card.

Next, the detection module 10 is installed in conjunction with the kernel 40 of the computer or the file system driver of the computer and detects an interrupt or an event related to file handling occurring in the computer and intercepts it and will be described later. It is delivered to the analysis module 20. The interrupt or event is generated when the computer controls the peripheral device or when there is input from the peripheral device. The computer is pre-programmed to perform a predetermined operation according to the interrupt or event. As described above, a technique for detecting and intercepting an interrupt or an event is well known to those skilled in the art, so a detailed description thereof will be omitted.

Next, the analysis module 20 will be described. The analysis module 20 determines whether the interrupt or event is allowed or disallowed by referring to the setting contents stored in the setting list 50 for the interrupt or event intercepted by the sensing module 10. To this end, the analysis module 20 first analyzes the interrupt or event to determine whether to request a change to the file. When requesting a change to a file, the analysis module 20 checks whether the target file is an executable file. In this case, when the name of the file is not displayed in the interrupt or event, the address of the storage space in which the file is stored is searched for, and the file name is searched by searching the FAT for the file of the address. If the name is identified as described above, it is possible to confirm whether the file is an executable file by the extension of the file. In this case, since the UNIX-based system cannot verify whether the executable file is executable through the extension as described above, the file is configured to verify the executable file by checking the permission of the file.

When the target file is an executable file as described above, the analysis module 20 checks whether the change request is allowed by comparing with the list stored in the setting list 50. If the program calling the interrupt or event is in the list of allowed programs stored in the setting list 50, the change is allowed and if it is not stored, it is determined as an unauthorized request.

Next, the processing module 30 will be described. The processing module 30 processes the interrupt or event related to the file handling according to the result after receiving the result analyzed by the analysis module 20. As described above, discarding interrupts or events related to file handling can be configured in two ways. One is to send an error message after discarding the interrupt or event related to file handling to notify the user to confirm that the user has requested a change in the executable file, which activates the computer's protection function. This is to change the function after stopping the function when a change request is made in the state of being in progress.

In addition, an error message is not generated after the interruption or an event related to file handling is discarded, so that the user is not notified of any error. This causes the error message when a plurality of users use a computer. This is to ensure that no messages are delivered to the user to reduce any confusion that may occur. The allowed interrupt or event is then configured to return to normal execution.

Next, the setting module will be described. The configuration module updates or updates the configuration list 50 by adding or deleting settings (for example, a list of files to be allowed to change executable files) input by a user or an administrator. The setting module may be configured to allow a user or an administrator to remotely change the setting list 50 by allowing access through a network. If the setting module stops the function, the interruption of the interrupt or event is stopped in the detection step described later. Accordingly, the interrupt or event is delivered to the corresponding original part and normally performed. In addition, the setting module may be configured to enable finer control by setting an interrupt or an event to be blocked in detail. That is, it is possible to set whether to block changes to all executable files, to allow only changes by specific programs or processes, to allow all changes, and the like. This is to change the executable file when installing or updating a new program while the computer is in use, so that the function can be temporarily suspended or allowed to be installed or updated. In addition, the programmer may continue to generate an executable file during the writing of the program through a program language program, so that the executable file may be changed by the program language program. The information set as described above is stored in the setting list 50 and the setting list 50 is referred to when determining whether to allow the change of the executable file in the analyzing step.

Hereinafter, a description will be given of a system in which an executable file is protected. The system in which the executable file is protected is composed of a client 100 and a server 60.

The client 100 is provided with the detection module 10, the analysis module 20, the processing module 30, and the setting list 50, which is connected to a network with a computer that can prevent viruses. The client 100 is further provided with a setting module for changing the setting list 50 so that a user or an administrator can change the setting list 50. The setting module is configured to change the setting list 50 directly on the client 100 or to access and change from the outside through a network. In this case, the authentication information regarding the server 60 that can change the setting list 50 by accessing the client 100 in the setting list 50 or any storage space of the client 100 when changing through the network. Is stored. The authentication information includes unique contents of the server 60 such as an IP address, a MAC address, and a password of the server 60. The reason for storing the authentication information of the server 60 as described above is to prevent the hacker from accessing to change the configuration list 50 from the outside.

The server 60 is connected to the client 100 through a network and managed by an administrator. The server 60 is provided with a program that can be connected to the setting module of the client 100. At this time, a program that can access the setting module delivers authentication information. The authentication information is information for identifying the server 60 such as an IP address, a MAC address, a password, and a specific word of the server 60. When the authentication information is transmitted to the client 100 and compared with the authentication information stored in the client 100, the authentication information may be obtained to change the setting list 50 of the client 100. Thereafter, the setting module 50 of the computer may be changed through the setting module to perform or stop a virus or the like, or to allow or disable a specific program. Here, the server 60 may be configured to change the setting list 50 of the plurality of clients 100 connected to the server 60 at the same time instead of configuring the client 100 one by one.

Hereinafter, with reference to the accompanying drawings will be described the operation and effect of the computer protection method and computer and system through real-time monitoring of the present invention.

First, a network interface card equipped with a flash memory storing a computer protection method through real-time monitoring of the present invention is mounted on a computer. When the network device driver of the network interface card is installed, the code included in the device driver is configured to intercept an interrupt or an event generated by the computer before the kernel 40 processes it. do.

After installing the device driver, the server 60 transmits the authentication information while making a connection request to the computer and allows the server 60 to access the setting list 50 after checking the authentication information on the computer. do. Accordingly, the setting list 50 is modified to set a protection function such as a virus.

Afterwards, when a virus such as a virus flows into the computer, the virus is stored on one side of the hard disk, or a file (for example, an MS Word file) containing arbitrary executable files or macros is executed. Attempts to infect files or files with macros. When the virus or the like instructs a process of the computer to infect an existing executable file stored on a hard disk, an instruction is made to change the contents of the executable file to insert its code into the executable file.

The event is delivered to the kernel 40 and a sensing step is performed in the sensing module 10 before the kernel 40 corresponds to the event to intercept the event.

The analysis module 20 then proceeds with the analysis step to analyze the intercepted event. As described above, the event generated by the virus requests a change of the file and the analysis module 20 determines that the request is not allowed because the executable file has an extension of the target file "exe".

When the analysis module 20 transmits the analysis result and the event to the processing module 30, the processing module 30 performs a processing step so that the change of the file cannot be performed by discarding the event. Therefore, it is possible to prevent the virus from infecting existing executable files stored in the hard disk.

If a new file is copied to itself instead of being infected with another file, such as a worm, an event related to the execution of the executable file occurs because the worm must be in the form of an executable file. However, since the event is not allowed, the event can be discarded to protect the file.

When a virus or the like is being executed, the execution file cannot be changed. Therefore, when installing a new program or deleting or updating an existing program, the function must be paused through the setting module.

As described above, a computer and a system having a computer protection method and a virus protection function through real-time monitoring of the present invention can prevent the storage of viruses and the like, thereby preventing the infection of viruses and the like. In addition, previously infected viruses and the like can prevent additional infections, thereby preventing the spread of viruses.

Claims (15)

In a method of protecting the operating system and applications of the computer from malicious code, such as viruses, A setting step of setting whether to allow the change of the executable file; Detecting and intercepting an interrupt or an event related to file handling occurring inside a computer; Analyzing the interrupt or event intercepted in the detecting step to determine whether the request is related to an executable file change and to determine whether the request for the executable file change is permitted in the setting step; A processing step of determining whether to discard or return the interrupt or event according to whether or not to allow the change of the executable file in the analysis step; Computer protection method through the real-time monitoring, characterized in that the. The method of claim 1, wherein the setting step, Method for protecting the computer through the real-time monitoring, characterized in that for setting whether to perform or stop at least one function of the detection step, analysis step, processing step. The change of the executable file of claim 1 or 2, A method for protecting a computer through real-time monitoring, comprising at least one of: creating, copying, moving, changing an executable file, changing a file name or extension, modifying a file content, merging a file, and dividing a file. The method of claim 1, wherein the setting step, Method for protecting the computer through the real-time monitoring, characterized in that separately set whether to allow per program or process requesting the change of the executable file. The method of claim 1, wherein the detecting step, Computer protection method through real-time monitoring, characterized in that included in the kernel and file system driver or linked to operate. The method of claim 1, wherein the analyzing step, A method of protecting a computer through real-time monitoring, wherein the extension of the target file or the permission of the file is checked to determine whether the request is for an executable file. The method of claim 1, wherein the processing step, And discarding the interrupt or event to deliver an error message to indicate to the user that the request was denied. The method of claim 1, wherein the processing step, And not generating any error message after discarding the interrupt or event to prevent any notification to the user. A setting list in which permission to change an executable file is stored; A detection module that detects and intercepts the occurrence of an interrupt or event related to file handling; An analysis module which analyzes the interrupt or event detected by the detection module to determine whether a change request is made to an executable file, and compares the setting list with the setting list to determine whether to allow the change; A processing module for discarding or returning the interrupt or an event according to an analysis result of the analysis module; protection for executable files stored therein according to a computer protection method through real-time monitoring is provided. Computer protection system. The method of claim 9, wherein the setting list, Computer protection system through real-time monitoring, characterized in that the storage is stored in the computer storage space or flash memory attached to the computer. The method of claim 10, wherein the flash memory, Computer protection system through real-time monitoring, characterized in that installed in the network interface card. The method of claim 9, wherein the setting list, Computer protection system through the real-time monitoring, characterized in that for storing the permission of the change of the executable file for each program. The method of claim 9 Computer protection through real-time monitoring, characterized in that it further comprises; a configuration module that receives whether the execution of the method of protecting the executable file and the list of programs that allow the change of the executable file is stored in the setting list; system. A client installed with a computer protection system through real-time monitoring and connected to a network; And a server connected to the client through a network and accessing the client to change the configuration list of the client. 2. The method of claim 14, wherein the client, And a server to allow access, and when the server-side connection request is received, the executable file is protected by comparing the authentication information received from the server and allowing the access.