KR20110100924A - Malignancy code infection blocking apparatus and method using executive file - Google Patents


Publication number
KR20110100924A
Authority
KR
South Korea
Prior art keywords
executable file
blocking
file
agent system
executable
Prior art date
Application number
KR1020100020016A
Other languages
Korean (ko)
Other versions
KR101138746B1 (en
Inventor
이재한
Original Assignee
주식회사 안철수연구소
Priority date
Filing date
Publication date
Application filed by 주식회사 안철수연구소 filed Critical 주식회사 안철수연구소
Priority to KR20100020016A priority Critical patent/KR101138746B1/en
Priority to CN201180012046XA priority patent/CN102918541A/en
Priority to PCT/KR2011/001469 priority patent/WO2011108864A2/en
Publication of KR20110100924A publication Critical patent/KR20110100924A/en
Application granted granted Critical
Publication of KR101138746B1 publication Critical patent/KR101138746B1/en

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/565 Static detection by checking file integrity
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
    • G06F21/60 Protecting data

Abstract

An apparatus for blocking malicious code using an executable file according to an embodiment of the present invention includes: a database storing an original DNA value for each executable file stored in an agent system; a blocking module that sets a blocking mode for blocking movement, change, or creation of executable files and, when any executable file on the agent system is changed in the blocking mode, backs up the original executable file before the change; and a file execution module that, when execution of a specific executable file on the agent system is requested, determines whether to execute it by comparing the DNA value of the specific executable file with its original DNA value stored in the database and, if the specific executable file is the changed executable file, recovers and executes the backed-up original.
By blocking executable files in the agent system from being moved, deleted, changed, or created, the present invention prevents executable files containing malicious code from being created and existing executable files from being changed by malicious code. It can thereby protect the system from malicious code without updates.

Description

Device and method for blocking malicious code using executable file {MALIGNANCY CODE INFECTION BLOCKING APPARATUS AND METHOD USING EXECUTIVE FILE}

The present invention relates to blocking malicious code, and more particularly, to an apparatus and method for blocking malicious code using an executable file, which block executable files in an agent system from being moved, deleted, changed, or created, so that executable files containing malicious code are prevented from being created in the agent system and existing executable files are prevented from being changed by malicious code.

In general, to prevent malware infection on a dedicated agent system, such as a dedicated personal computer device, an antivirus product for clients, equipped with an antivirus engine, is installed. To prevent malware infection, such existing antivirus products require the antivirus engine on the personal computer to be updated regularly, and security updates to be applied as well.

Meanwhile, the malicious code blocking method that administrators use on computer systems with a dedicated function blocks execution of unspecified files in parallel with a malware diagnosis program. To block execution of unspecified files, on a system where an existing Secure OS is installed, rules are set by combining a file's path name, file name, and hash, and execution or reading of any file that does not satisfy the set rules is blocked.

However, when the malware diagnosis program is used to clean malicious code from the computer system, misdiagnosis often causes files that the computer system needs to be deleted, so that the computer system can no longer perform its required functions. There is also the problem that files in the computer system are changed by malicious code.

To solve the above problems, an object of the present invention is to provide an apparatus and method for blocking malicious code using an executable file which, in a blocking mode that blocks movement, deletion, change, or creation of the executable files installed in the agent system, scan a specific executable file for malicious code when its execution is requested, and then execute or block it by comparing the DNA value of the scanned executable file with the original DNA value stored in the database, so that, without any complicated rules, executable files containing malicious code are prevented from being created and existing executable files are prevented from being changed.

The objects of the present invention are not limited to the above-mentioned objects, and other objects not mentioned can be clearly understood by those skilled in the art from the following description.

To achieve the object of the present invention, an apparatus for blocking malicious code using an executable file according to an embodiment of the present invention includes: a database storing original DNA values for each executable file stored in an agent system; a blocking module that sets a blocking mode for blocking movement, change, or creation of the executable files and, when an executable file in the agent system is changed in the blocking mode, backs up the original executable file before the change; and a file execution module that, when there is an execution request for a specific executable file in the agent system, determines whether to execute the specific executable file by comparing the DNA value of the specific executable file with the original DNA value of the specific executable file stored in the database and, if the specific executable file is the changed executable file, restores and executes the backed-up original.

The malicious code blocking apparatus using the executable file according to an embodiment of the present invention may include an unblocking module which, when there is a request for updating the executable files in the agent system, determines whether to release the blocking mode by comparing the DNA value of each executable file in the agent system with the database to check whether the executable files have been changed.

In the apparatus for blocking malicious code using an executable file according to an embodiment of the present disclosure, the blocking module may set the blocking mode according to a request of a management server connected through a communication network.

The malicious code blocking apparatus using an executable file according to an embodiment of the present invention may further include a malicious code inspection module which, when there is a request to execute the specific executable file in the blocking mode, performs a malicious code scan on the specific executable file and then provides the scanned executable file to the file execution module.

In the malicious code blocking device using the executable file according to an embodiment of the present invention, the malicious code inspection module may generate a notification message based on a malicious code scan result for the specific executable file.

In the malicious code blocking device using an executable file according to an embodiment of the present invention, the notification message may be generated in the form of a log, a notification window, or an e-mail.

In the malicious code blocking apparatus using the executable file according to an embodiment of the present invention, the file execution module blocks execution of the specific executable file when the DNA value of the specific executable file does not match the original DNA value stored in the database. In addition, it may request an inspection by transmitting the DNA value of the specific executable file to a management server connected through a communication network.

The malicious code blocking apparatus using an executable file according to an embodiment of the present invention may further include an administrator module for setting the agent system, while it is in the blocking mode, to an administrator mode in which any executable file can be moved, deleted, created, or changed, in response to a request from the administrator of the agent system.

An apparatus for blocking malicious code using an executable file according to an embodiment of the present invention may further include an update module which, as executable files in the agent system are updated after the blocking mode is released by the unblocking module, updates the database using the DNA values of the updated executable files.

In the malicious code blocking apparatus using an executable file according to an embodiment of the present invention, the blocking module may reset the agent system to the blocking mode when the database is updated.

In another aspect, a method for blocking malicious code using an executable file according to an embodiment of the present invention comprises: calculating an original DNA value for each of the executable files stored in the agent system and storing it in a database; when the agent system is started, setting a blocking mode for blocking movement, deletion, creation, or change of the executable files; when there is a request for execution of a specific executable file in the agent system, checking whether the specific executable file is infected with malicious code; and, when the check is completed, calculating a DNA value of the specific executable file, comparing the calculated DNA value with the original DNA value of the specific executable file stored in the database, and blocking the specific executable file if they do not match.

The malicious code blocking method using an executable file according to an embodiment of the present invention may further include: determining whether there is a change request for any executable file in the blocking mode; if the change request is received, backing up the original executable file before the change and then changing the executable file; and, if there is a request for execution of the changed executable file, recovering and executing the backed-up original executable file.

In the malicious code blocking method using the executable file according to an embodiment of the present invention, restoring and executing the executable file may include, when there is an execution request for the changed executable file, checking the changed executable file for malicious code infection, determining whether to delete the changed executable file by comparing the DNA value of the changed executable file with the DNA value stored in the database, and restoring and executing the backed-up original executable file.

In the malicious code blocking method using an executable file according to an embodiment of the present invention, checking for malicious code infection includes checking whether the changed executable file is infected with malicious code, and the method may further include, when the check shows that the changed executable file is infected with malicious code, generating only a notification message and providing it to an administrator of the agent system.

By blocking executable files in the agent system from being moved, deleted, changed, or created, the present invention prevents executable files containing malicious code from being created and existing executable files from being modified by malicious code, and thereby has the effect of protecting the system from malicious code.

In addition, the present invention blocks moving, deleting, changing, or creating the executable files installed in an agent system, and executes or blocks an executable file at execution time by comparing the original DNA value stored in the database with the DNA value of the executable file. This improves the security of the agent system with fewer resources, without updating the antivirus engine or the system.

FIG. 1 is a block diagram showing a malicious code blocking device and its surrounding configuration for blocking malicious code according to an embodiment of the present invention.
FIG. 2 is a flowchart illustrating a process of blocking malicious code by an apparatus for blocking malicious code according to an embodiment of the present invention.

The objects and effects of the present invention and the technical configurations for achieving them will be apparent with reference to the embodiments described below in detail with the accompanying drawings. In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear. The following terms are defined in consideration of the functions of the present invention, and may be changed according to the intentions or customs of the user, the operator, and the like.

The present invention can be embodied as computer-readable code on a computer-readable recording medium. The computer-readable recording medium includes all kinds of recording devices in which data that can be read by a computer system is stored. Examples of computer-readable recording media include ROM, RAM, CD-ROM, magnetic tape, floppy disks, optical data storage devices, and the like, and also include media implemented in the form of carrier waves (for example, transmission over the Internet). The computer-readable recording medium can also be distributed over network-coupled computer systems so that the computer-readable code is stored and executed in a distributed fashion.

The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. The present embodiments are merely provided to complete the disclosure of the present invention and to fully inform those skilled in the art of the scope of the invention, and the present invention is defined only by the scope of the claims. Therefore, the definition should be based on the contents throughout this specification.

An embodiment of the present invention describes an apparatus and method for blocking malicious code using an executable file which block the movement, deletion, change, or creation of executable files installed in an agent system and, when a specific executable file is executed in the blocking mode, scan the specific executable file for malware infection and then execute or block it by comparing the DNA value of the scanned executable file with the original DNA value stored in a database.

Hereinafter, an embodiment of the present invention will be described with reference to the accompanying drawings.

FIG. 1 is a block diagram illustrating a malicious code blocking device and its surrounding configuration for blocking malicious code according to an embodiment of the present invention. The configuration largely consists of the malware blocking device 100 installed in the agent system and a management server 150 connected to the agent system through a wired or wireless communication network.

The agent system is a low-specification terminal, and examples thereof include a terminal for managing a factory system, a POS system, a production management system, and the like. The anti-malware device 100 is installed in such an agent system. The anti-malware device 100 may include a blocking module 102, a file execution module 104, an unblocking module 106, an administrator module 108, an update module 110, a malware inspection module 112, and a database 114.

In the database 114 according to an embodiment of the present invention, original DNA values of parts of each executable file stored in the agent system are stored. Here, the executable file may include a general EXE file, a script file having executable code, a document file having a script function, and the like, and the DNA value may be a value obtained by applying a CRC-based hash function.

The blocking module 102 is a means for setting a blocking mode for blocking movement, deletion, creation, or change of executable files in the agent system. When the agent system is initially started, the blocking module 102 sets the agent system to the blocking mode and thereby blocks the executable files from being moved, deleted, created, or changed.

Meanwhile, when any executable file is changed in the blocking mode, the blocking module 102 backs up the original executable file before the change. When there is an execution request for the changed executable file, the blocking module 102 blocks execution of the changed executable file by deleting it, and then provides the backed-up original executable file to the file execution module 104 so that the backed-up original is executed.

The blocking module 102 may block any executable file that has not been changed by comparing the DNA value of the changed executable file with the DNA value stored in the database 114.

The file execution module 104 executes the backed-up original executable file provided from the blocking module 102, and decides whether to execute it by comparing the DNA value of the backed-up original executable file with the DNA value stored in the database 114.

That is, the file execution module 104 is a means that operates when there is a request for execution of a specific executable file in the agent system. The file execution module 104 calculates the DNA value of the specific executable file, compares the calculated DNA value with the original DNA value of the specific executable file stored in the database 114 to check whether the specific executable file has been changed, and executes or blocks the specific executable file based on the result of that check.

In addition, if the DNA value of the specific executable file does not match the original DNA value of the specific executable file stored in the database 114, the file execution module 104 can send the DNA value of the specific executable file to the management server 150, connected through a wired or wireless communication network, to request a scan of that executable file.

The unblocking module 106 is a means that operates when there is an update request for an executable file in the agent system or a request from an administrator of the agent system. The unblocking module 106 calculates a DNA value for each executable file in the agent system, checks whether each of the executable files has been changed by comparing the calculated values with the original DNA values stored in the database 114, and then releases the blocking mode.

That is, the unblocking module 106 checks whether the executable files in the agent system have been changed by checking whether the original DNA value stored in the database 114 and the DNA value of each of the executable files in the agent system match, and on that basis determines whether to release the blocking mode set by the administrator. Once the blocking mode is released, the administrator can install a new program or change or delete files in the agent system.

The administrator module 108 provides an interface for setting an administrator mode, at the request of the administrator while the agent system operates in the blocking mode, in which a specific executable file can be moved, deleted, created, or changed in order to treat or delete malicious code files that the agent system does not recognize.

In other words, the administrator module 108 provides an interface for setting the agent system to the administrator mode while it is in the blocking mode.

As the executable files in the agent system are updated after the blocking mode is released by the unblocking module 106, the update module 110 updates the original DNA values stored in the database 114 using the DNA values of the updated executable files. When the update of the database 114 is completed in this manner, the blocking module 102 sets the agent system to the blocking mode.

The malicious code checking module 112 is a means for performing a malicious code check on files in the agent system at a predetermined cycle or when there is a request for execution of a specific file in the agent system.

In an embodiment of the present invention, when an executable file in the agent system is changed or when there is a request for execution of a specific executable file, the malicious code scan module 112 determines whether the file is infected with malicious code by examining the changed executable file or the specific executable file, and may provide a predetermined notification message based on the determination result. In this case, the notification message may be provided by generating a log, displaying a notification window, or sending an email to the administrator's email address.

In general, a file in the agent system may be determined by the malware inspection module 112 to be a normal file rather than malicious code at the time of switching to the blocking mode, but may be identified as malicious code after a subsequent engine update of the malware inspection module 112, or may be identified as a malicious file because of an incorrect update. In this case, the malware inspection module 112 according to an embodiment of the present invention provides the administrator with the scan result for the specific file in the form of a notification message, so that the administrator of the agent system can use the administrator module 108 to set the agent system to the administrator mode and manually move, delete, create, or change the executable files in the agent system while it is in the blocking mode.

In the exemplary embodiment of the present invention, the blocking module 102 has been described as setting the blocking mode by itself. However, the blocking module 102 may also set the blocking mode under control of the management server 150 connected through the wired or wireless communication network. Here, the management server 150 may be operated by an antivirus service provider that can provide a function for updating the malware information of the malware inspection module 112 of the agent system, and may manage a plurality of agent systems. That is, the management server 150 may request a plurality of agent systems to set the blocking mode, and accordingly the malicious code blocking apparatus 100 of each of those agent systems sets the blocking mode and blocks executable files from being moved, deleted, created, or changed.

According to an embodiment of the present invention, by using the blocking module 102 to block executable files in the agent system from being moved, deleted, changed, or created, it is possible to prevent an executable file containing malicious code from being added and existing executable files from being changed by malicious code.

A process of blocking the malicious code by operating the malicious code blocking device 100 having the above configuration will be described with reference to FIG. 2.

FIG. 2 is a flowchart illustrating a process of blocking malicious code by an apparatus for blocking malicious code according to an embodiment of the present invention.

As shown in FIG. 2, the malicious code blocking apparatus 100 of the agent system calculates an original DNA value for each part of each executable file and stores the original DNA value in the database 114 (S200).

Then, the blocking module 102 sets a blocking mode for blocking executable files from being moved, deleted, created, or changed (S202).

Thereafter, the file execution module 104 of the malicious code blocking apparatus 100 determines whether there is a request for executing a specific executable file (S204).

As a result of the determination of S204, when there is an execution request for a specific executable file, the malicious code scanning module 112 checks whether the specific executable file is infected with malicious code using a preset antivirus engine, generates a notification message based on the scan result, and provides the message to the administrator of the agent system (S206). For example, if the specific executable file is infected with malicious code, the malware inspection module 112 does not clean it, that is, does not modify or delete it, but only generates a notification message indicating that the specific executable file is infected with malware and provides it to the administrator. The specific executable file checked by the malicious code inspection module 112 is then provided to the file execution module 104.

Meanwhile, the file execution module 104 calculates the DNA value of the specific executable file that has been scanned for malicious code (S208), and determines whether they match by comparing the calculated DNA value with the original DNA value of the specific executable file stored in the database 114 (S210).

As a result of the determination of S210, when the calculated DNA value and the original DNA value match, the file execution module 104 executes the specific executable file (S212); otherwise, the blocking module 102 determines whether a backup file exists for the specific executable file (S214).

As a result of the determination of S214, when the backup file exists, the blocking module 102 deletes the specific executable file (S216) and then provides the backup file to the file execution module 104 so that it is executed (S218).

On the other hand, if the determination of S214 shows that the backup file does not exist, the blocking module 102 deletes the specific executable file and may transmit the DNA value of the specific executable file to the management server 150 through the wired or wireless communication network to request a check of the specific executable file for malware infection (S220).

Meanwhile, the malicious code blocking device 100 of the agent system determines whether there is an update request from the administrator for the executable files in the agent system (S222).

As a result of the determination of S222, when there is an update request, the unblocking module 106 calculates DNA values for all executable files in the agent system and then compares the calculated DNA values with the original DNA values stored in the database 114. If they match, the blocking mode set by the blocking module 102 is released. Accordingly, the administrator can update the executable files in the agent system by installing a new program or by moving, deleting, or changing an existing executable file on the agent system. When the update of the executable files is completed, the update module 110 calculates original DNA values from the updated executable files in the agent system and updates the database 114 based on those values (S224).

When the update is completed as described above (S226), the blocking module 102 resets the blocking mode to protect the executable files in the agent system (S228), and the malicious code blocking device 100 of the agent system determines whether there is a request from the administrator to release the blocking mode for malicious code inspection and treatment (S230).

As a result of the determination in S230, when there is a request from the administrator to release the blocking mode, the administrator module 108 of the malicious code blocking apparatus 100 releases the blocking mode set by the blocking module 102, so that the administrator can move, delete, or change any executable file (S232).
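The flow of FIG. 2 from S200 to S228, as an added Python sketch that is not part of the patent: it omits the malware scan of S206, models the management server as a list of reported DNA values, and uses SHA-256 where the description suggests a CRC-based hash. The `Agent` class, its method names, and the sample file contents are assumptions made for this example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def dna(path: Path) -> str:
    # The page suggests a CRC-based hash for the DNA value. SHA-256 is swapped
    # in here (this example's choice): a CRC is not collision-resistant.
    return hashlib.sha256(path.read_bytes()).hexdigest()


class Agent:
    """Hypothetical stand-in for device 100; all names are this example's own."""

    def __init__(self, root: Path, backup_dir: Path):
        self.root = root
        self.backup_dir = backup_dir
        self.db = {}          # database 114: path -> original DNA value
        self.blocking = False
        self.reports = []     # DNA values sent to management server 150 (S220)

    def baseline(self) -> None:
        """S200 + S202: record original DNA values, then enter blocking mode."""
        self.db = {p: dna(p) for p in sorted(self.root.iterdir()) if p.is_file()}
        self.blocking = True

    def change(self, path: Path, data: bytes) -> None:
        """A change observed in blocking mode: back up the original first."""
        if self.blocking and path.exists() and self.db.get(path) == dna(path):
            shutil.copy2(path, self.backup_dir / path.name)
        path.write_bytes(data)

    def execute(self, path: Path) -> str:
        """S204-S220: decide whether the requested file may run."""
        if path.exists() and self.db.get(path) == dna(path):      # S208, S210
            return "run"                                          # S212
        observed = dna(path) if path.exists() else None
        path.unlink(missing_ok=True)                              # S216 / S220
        backup = self.backup_dir / path.name
        # S214: a backup counts only if it still matches the database entry.
        if backup.exists() and dna(backup) == self.db.get(path):
            shutil.copy2(backup, path)
            return "restored-and-run"                             # S218
        self.reports.append(observed)                             # S220
        return "blocked"

    def update(self, new_files: dict) -> bool:
        """S222-S228: unblock only if every file matches, then re-baseline."""
        if any(not p.exists() or dna(p) != h for p, h in self.db.items()):
            return False                  # a file was changed: stay blocked
        self.blocking = False
        for path, data in new_files.items():
            path.write_bytes(data)        # the administrator's update
        self.baseline()                   # S224, S228
        return True


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        root, bak = Path(tmp, "bin"), Path(tmp, "backup")
        root.mkdir()
        bak.mkdir()
        tool = root / "pos.exe"
        tool.write_bytes(b"original build")       # constructed sample content
        agent = Agent(root, bak)
        agent.baseline()
        out = [agent.execute(tool)]               # unchanged file runs
        agent.change(tool, b"patched by malware")
        out.append(agent.execute(tool))           # original restored from backup
        out.append(tool.read_bytes() == b"original build")
        dropped = root / "dropper.exe"
        dropped.write_bytes(b"unknown payload")   # not in database, no backup
        out.append(agent.execute(dropped))
        out.append(dropped.exists())
        tool.write_bytes(b"tampered out of band")
        out.append(agent.update({tool: b"v2"}))   # refused: a file has changed
        out.append(agent.execute(tool))           # restore repairs it
        out.append(agent.update({tool: b"v2"}))   # now every file matches
        out.append(agent.execute(tool))           # v2 is the new baseline
        return out, agent.reports


if __name__ == "__main__":
    print(demo())
```
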

According to an embodiment of the present invention, moving, deleting, changing, or creating the executable files installed in the agent system is blocked, and an executable file is executed or blocked at execution time by comparing the original DNA value stored in the database 114 with the DNA value of the executable file. This improves the security of the agent system with fewer resources, without updating the antivirus engine or the system.

The present invention has been described above with reference to specific embodiments of the present invention, but this is only illustrative and does not limit the scope of the present invention. Those skilled in the art can change or modify the described embodiments without departing from the scope of the present invention. Each of the functional blocks or means described in the present specification may be implemented in program form, and may be implemented separately, or two or more may be integrated into one. Components such as modules described as separate in the specification and claims may be merely functionally distinct and may be physically implemented by one means, and components such as means described as a single element may be implemented as a combination of several components. In addition, the method steps described herein may be changed in order without departing from the scope of the present invention, and other steps may be added. In addition, the various embodiments described herein may be implemented independently or in combination with each other as appropriate. Therefore, the scope of the invention should be defined by the appended claims and their equivalents, rather than by the described embodiments.

100: malware blocking device
102: blocking module
104: file execution module
106: unblocking module
108: manager module
110: update module
112: database
150: management server

Claims (14)

A database storing original DNA values for each executable file stored in the agent system;
A blocking module for setting a blocking mode for blocking movement, change, or creation of the executable files, and backing up the original executable file before the change when any executable file in the agent system is changed in the blocking mode;
A file execution module which, when there is a request to execute a specific executable file in the agent system, determines whether to execute the specific executable file by comparing the DNA value of the specific executable file with the original DNA value of the specific executable file stored in the database, and which, if the specific executable file is the arbitrary executable file, recovers and executes the backed-up original executable file;
Anti-malware device using executable file.
The device of claim 1,
Further comprising an unblocking module which, when there is a request to update the executable files in the agent system, determines whether to release the blocking mode by comparing the DNA value of each executable file in the agent system with the database and checking whether any of the executable files has changed
Anti-malware device using executable file.
The device of claim 1,
The blocking module may set the blocking mode according to a request of a management server connected through a communication network.
Anti-malware device using executable file.
The device of claim 1,
The malicious code blocking device,
Further comprising a malicious code inspection module which, when there is a request to execute the specific executable file in the blocking mode, performs only a malicious code scan on the specific executable file and provides the specific executable file to the file execution module once the scan is complete
Anti-malware device using executable file.
The device of claim 4, wherein
The malware inspection module,
Generating a notification message based on a result of a malicious code scan for the specific executable file
Anti-malware device using executable file.
The device of claim 5, wherein
The notification message is generated in the form of a log, a notification window or an e-mail.
Anti-malware device using executable file.
The device of claim 1,
The file execution module,
If the DNA value of the specific executable file does not match the original DNA value stored in the database, blocks execution of the specific executable file and transmits the DNA value of the specific executable file to the management server connected through the communication network to request inspection
Anti-malware device using executable file.
The device of claim 1,
The malicious code blocking device,
Further comprising a manager module for setting the agent system, in response to a request from the manager of the agent system in the blocking mode, to an administrator mode in which any executable file can be moved, deleted, created or changed.
Anti-malware device using executable file.
The device of claim 1,
The malicious code blocking device,
Updating the database with the DNA values of the updated executable files when the executable files in the agent system are updated after the blocking mode is released by the unblocking module.
Anti-malware device using executable file.
The device of claim 9,
The blocking module resets the agent system to the blocking mode when the database is updated.
Anti-malware device using executable file.
Calculating an original DNA value for each executable file stored in the agent system and storing it in a database;
When the agent system is running, setting a blocking mode for blocking movement, deletion, creation, or change of the executable files;
Checking whether the agent system is infected with malicious code when the execution request for a specific executable file is received from the agent system;
Calculating a DNA value of the specific executable file upon completion of the test;
Comparing the calculated DNA value with an original DNA value of the specific executable file stored in the database and blocking the specific executable file if it does not match.
How to block malware using executable files.
The method of claim 11,
The malicious code blocking method,
Determining whether there is a change request for any executable file in the blocking mode;
Changing the arbitrary executable file after backing up the original arbitrary executable file before the arbitrary executable file is changed when the change request is made;
Recovering and executing the backed up original arbitrary executable file when there is a request for executing the changed arbitrary executable file;
How to block malware using executable files.
The method of claim 12,
Restoring and executing the arbitrary executable file,
If there is a request to execute the changed executable file, checking whether the changed executable file is infected with malicious code;
Determining deletion for the modified arbitrary executable file by comparing the DNA value for the modified arbitrary executable file with the DNA value stored in the database;
Recovering and executing the original backup executable file;
How to block malware using executable files.
The method of claim 13,
The step of checking whether the malicious code is infected,
Checking whether the modified executable file is infected with malicious code and, when the scan finds that the modified executable file is infected, generating only a notification message to be provided to the administrator of the agent system
How to block malware using executable files.
KR20100020016A 2010-03-05 2010-03-05 Apparatus and method for preventing malicious codes using executive files KR101138746B1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
KR20100020016A KR101138746B1 (en) 2010-03-05 2010-03-05 Apparatus and method for preventing malicious codes using executive files
CN201180012046XA CN102918541A (en) 2010-03-05 2011-03-03 Device and method for blocking malicious code using executable files
PCT/KR2011/001469 WO2011108864A2 (en) 2010-03-05 2011-03-03 Device and method for blocking malicious code using executable files

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR20100020016A KR101138746B1 (en) 2010-03-05 2010-03-05 Apparatus and method for preventing malicious codes using executive files

Related Child Applications (1)

Application Number Title Priority Date Filing Date
KR1020120009240A Division KR20120039569A (en) 2012-01-30 2012-01-30 Apparatus for preventing malicious codes using executive files

Publications (2)

Publication Number Publication Date
KR20110100924A true KR20110100924A (en) 2011-09-15
KR101138746B1 KR101138746B1 (en) 2012-04-24

Family

ID=44542724

Family Applications (1)

Application Number Title Priority Date Filing Date
KR20100020016A KR101138746B1 (en) 2010-03-05 2010-03-05 Apparatus and method for preventing malicious codes using executive files

Country Status (3)

Country Link
KR (1) KR101138746B1 (en)
CN (1) CN102918541A (en)
WO (1) WO2011108864A2 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105653974B (en) * 2015-12-23 2019-07-23 北京奇虎科技有限公司 A kind of document means of defence and device

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100684986B1 (en) * 1999-12-31 2007-02-22 주식회사 잉카인터넷 Online dangerous information screening system and method
US20030115458A1 (en) * 2001-12-19 2003-06-19 Dongho Song Invisable file technology for recovering or protecting a computer file system
US8060867B2 (en) * 2004-05-20 2011-11-15 Computer Associates Think, Inc. Systems and methods for excluding user specified applications
KR100690187B1 (en) * 2005-06-21 2007-03-09 주식회사 안철수연구소 Method and apparatus and system for cutting malicious codes
KR100870140B1 (en) * 2006-11-13 2008-11-24 한국전자통신연구원 Detection Apparatus and Method of Embedded Malicious Code in File
US20080115219A1 (en) * 2006-11-13 2008-05-15 Electronics And Telecommunications Research Apparatus and method of detecting file having embedded malicious code
KR100918626B1 (en) * 2007-08-02 2009-09-25 주식회사 플랜티넷 Method for verifying application programs and controlling the execution thereof
KR100942798B1 (en) * 2007-11-29 2010-02-18 한국전자통신연구원 Apparatus and method for detecting a virus code
KR100968267B1 (en) * 2008-06-13 2010-07-06 주식회사 안철수연구소 Apparatus and method for checking virus program by distinguishing compiler
CN101359353B (en) * 2008-09-05 2011-05-18 成都市华为赛门铁克科技有限公司 File protection method and device

Also Published As

Publication number Publication date
WO2011108864A3 (en) 2012-01-12
CN102918541A (en) 2013-02-06
WO2011108864A2 (en) 2011-09-09
KR101138746B1 (en) 2012-04-24

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
AMND Amendment
E601 Decision to refuse application
A107 Divisional application of patent
AMND Amendment
X701 Decision to grant (after re-examination)
GRNT Written decision to grant
FPAY Annual fee payment (Payment date: 20150416; Year of fee payment: 4)
FPAY Annual fee payment (Payment date: 20160418; Year of fee payment: 5)
FPAY Annual fee payment (Payment date: 20170417; Year of fee payment: 6)
FPAY Annual fee payment (Payment date: 20180416; Year of fee payment: 7)
FPAY Annual fee payment (Payment date: 20190416; Year of fee payment: 8)