KR20110100924A - Malignancy code infection blocking apparatus and method using executive file - Google Patents
- Publication number: KR20110100924A
- Application number: KR1020100020016A
- Authority: KR (South Korea)
- Prior art keywords: executable file, blocking, file, agent system, executable
- Priority date: 2010-03-05
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/565—Static detection by checking file integrity
- G06F21/568—Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
- G06F21/60—Protecting data
Abstract
An apparatus for blocking malicious code using an executable file, according to an embodiment of the present invention, includes a database storing the original DNA value of each executable file held on an agent system; a blocking module that sets a blocking mode in which moving, changing, or creating executable files is blocked and that, when an executable file on the agent system is nevertheless changed in the blocking mode, backs up the original executable file before the change; and a file execution module that, when execution of a specific executable file on the agent system is requested, decides whether to execute it by comparing its DNA value with the original DNA value of that file stored in the database and, if the specific executable file is one that was changed, restores the backed-up original and executes that instead.
Thus, by preventing executable files on the agent system from being moved, deleted, changed, or created, the invention prevents malicious code from creating executable files that contain malicious code or from altering existing ones, and can protect the system from malicious code without engine updates.
Description
The present invention relates to blocking malicious code, and more particularly to an apparatus and method for blocking malicious code using an executable file, which block the executable files on an agent system from being moved, deleted, changed, or created, so that malicious code can neither create executable files containing malicious code on the agent system nor change the executable files already there.
In general, to prevent malware infection on a dedicated agent system such as a dedicated personal computer, a client antivirus product with an antivirus engine is installed. To keep preventing infection, existing antivirus engines must be updated regularly on each personal computer, and the system's own security updates must be applied as well.
Alternatively, the malicious code blocking method an administrator uses on a computer system with a dedicated function blocks execution of unspecified files, in parallel with the malware diagnosis program. To block execution of unspecified files on a system with a Secure OS installed, rules are set that combine a file's path name, file name, and hash, and execution or reading of any file that does not satisfy a rule is blocked.
However, when malicious code on such a computer system is repaired, misdiagnosis frequently deletes files the computer system needs, so the system can no longer perform its required functions. And files on the computer system are still changed by malicious code.
To solve these problems, an object of the present invention is to provide an apparatus and method for blocking malicious code using an executable file in which, in a blocking mode that blocks moving, deleting, changing, or creating the executable files installed on an agent system, a specific executable file is scanned for malicious code when its execution is requested and is then executed or blocked by comparing its DNA value with the original DNA value stored in a database, so that executable files containing malicious code cannot be created and existing executable files cannot be changed, without any complicated rules.
The objects of the present invention are not limited to those mentioned above; other objects not mentioned will be clearly understood by those skilled in the art from the following description.
To achieve this object, an apparatus for preventing malicious code using an executable file according to an embodiment of the present invention includes: a database storing the original DNA value of each executable file stored on an agent system; a blocking module that sets a blocking mode for blocking the movement, change, or creation of the executable files and that, when an executable file on the agent system is changed in the blocking mode, backs up the original executable file before the change; and a file execution module that, when execution of a specific executable file on the agent system is requested, determines whether to execute it by comparing the DNA value of the specific executable file with the original DNA value of that file stored in the database and, when the specific executable file is one that was changed, restores the backed-up original and executes it.
The malicious code blocking apparatus using an executable file according to an embodiment of the present invention may further include an unblocking module that, when there is a request to update executable files on the agent system, compares the DNA value of each executable file on the agent system with the database to check whether any executable file has been changed, and on that basis determines whether to release the blocking mode.
In the apparatus for blocking malicious code using an executable file according to an embodiment of the present invention, the blocking module may set the blocking mode at the request of a management server connected through a communication network.
The malicious code blocking apparatus using an executable file according to an embodiment of the present invention may further include a malicious code inspection module that, when execution of the specific executable file is requested in the blocking mode, scans the specific executable file for malicious code and then provides the scanned file to the file execution module.
In the malicious code blocking device using an executable file according to an embodiment of the present invention, the malicious code inspection module may generate a notification message based on the result of the malicious code scan of the specific executable file.
In the malicious code blocking device using an executable file according to an embodiment of the present invention, the notification message may be generated in the form of a log, a notification window, or an e-mail.
In the malicious code blocking apparatus using an executable file according to an embodiment of the present invention, the file execution module blocks execution of the specific executable file when its DNA value does not match the original DNA value stored in the database, and may additionally request inspection by transmitting the DNA value of the specific executable file to a management server connected through a communication network.
The malicious code blocking apparatus using an executable file according to an embodiment of the present invention may further include an administrator module that, at the request of the administrator of the agent system while in the blocking mode, places the agent system in an administrator mode in which any executable file may be moved, deleted, created, or changed.
The apparatus for blocking malicious code using an executable file according to an embodiment of the present invention may further include an update module that, as executable files on the agent system are updated after the blocking mode has been released by the unblocking module, updates the database with the DNA values of the updated executable files.
In the malicious code blocking apparatus using an executable file according to an embodiment of the present invention, the blocking module may return the agent system to the blocking mode once the database has been updated.
In another aspect, a malicious code blocking method using an executable file according to an embodiment of the present invention includes: calculating the original DNA value of each executable file stored on the agent system and storing it in the database; setting, when the agent system starts, a blocking mode that blocks moving, deleting, creating, or changing the executable files; checking, when execution of a specific executable file is requested on the agent system, whether the specific executable file is infected with malicious code; and, when that check is complete, calculating the DNA value of the specific executable file, comparing it with the original DNA value of the specific executable file stored in the database, and blocking the specific executable file if they do not match.
The malicious code blocking method using an executable file according to an embodiment of the present invention may further include: determining whether there is a change request for any executable file while in the blocking mode; if so, backing up the original of that executable file before the change and then applying the change; and, if execution of the changed executable file is requested, restoring the backed-up original and executing it.
In the malicious code blocking method using an executable file according to an embodiment of the present invention, restoring and executing the changed executable file may include: when execution of the changed executable file is requested, scanning it for malicious code; deciding whether to delete the changed executable file by comparing its DNA value with the DNA value stored in the database; and restoring the backed-up original executable file and executing it.
In the malicious code blocking method using an executable file according to an embodiment of the present invention, the check for malicious code infection may include scanning the changed executable file for malicious code and, if the scan finds it infected, only generating a notification message and providing it to the administrator of the agent system.
The present invention blocks moving, deleting, changing, or creating executable files on the agent system, thereby preventing malicious code from creating executable files containing malicious code or modifying existing ones, and so protects the system from malicious code.
In addition, because the invention blocks moving, deleting, changing, or creating the executable files installed on an agent system and decides whether to execute or block an executable file by comparing the original DNA value stored in the database with the DNA value of the file at execution time, the security of the agent system can be improved with fewer resources and without updating the antivirus engine or the system.
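The blocking mode, the backup-before-change and restore-on-execute behaviour, and the update path that releases and then re-arms blocking (summarized in the apparatus paragraphs above and in the method steps just described) can be modelled end to end in a few dozen lines. The following Python is an added example written for this page; it is not code from the patent or its applicant. It assumes that the "DNA value" is a SHA-256 digest (the patent does not name an algorithm), models the malware scan as a match against a constructed byte signature, and uses hypothetical names (Agent, dna, scan, run_demo) and constructed sample binaries; the management server is represented by an outbox list.

```python
"""Hash-gated execution with backup/restore, modelled on the patent's blocking mode."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed signature for the malware-scan step. This is an assumption of the
# example, not something the patent specifies; a real engine would plug in here.
MALWARE_SIGNATURES = (b"EVIL_PAYLOAD",)


def dna(path):
    """The patent's 'DNA value' is assumed here to be the file's SHA-256 digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(path):
    """Malware check: True if the file contains a known signature."""
    data = path.read_bytes()
    return any(sig in data for sig in MALWARE_SIGNATURES)


class Agent:
    """Hypothetical agent: DNA database, blocking mode, backup and restore."""

    def __init__(self, exe_dir, backup_dir):
        self.exe_dir, self.backup_dir = exe_dir, backup_dir
        self.db = {}          # file name -> original DNA value
        self.blocking = False
        self.notices = []     # notification messages for the administrator
        self.outbox = []      # (name, dna) sent to the management server for inspection

    def baseline(self):
        """Record every executable's original DNA value, then arm blocking mode."""
        self.db = {p.name: dna(p) for p in sorted(self.exe_dir.iterdir()) if p.is_file()}
        self.blocking = True

    def change(self, name, new_bytes):
        """Change request: in blocking mode the original is backed up before the change.
        An existing backup is kept, so repeated tampering cannot overwrite the pristine copy."""
        path, backup = self.exe_dir / name, self.backup_dir / name
        if self.blocking and path.exists() and not backup.exists():
            shutil.copy2(path, backup)
        path.write_bytes(new_bytes)

    def execute(self, name):
        """Execution request: scan (notify only), then let the DNA comparison decide."""
        path = self.exe_dir / name
        if not self.blocking:
            return "EXECUTE"
        if scan(path):
            self.notices.append(f"{name}: malware signature found")
        if dna(path) == self.db.get(name):
            return "EXECUTE"
        backup = self.backup_dir / name
        if backup.exists() and dna(backup) == self.db.get(name):
            path.unlink()                  # delete the modified file ...
            shutil.copy2(backup, path)     # ... and restore the backed-up original
            return "RESTORED_AND_EXECUTED"
        self.outbox.append((name, dna(path)))  # unknown or unrecoverable: block, ask server
        return "BLOCKED"

    def drifted(self):
        """Names of executables changed, removed or created since the baseline."""
        present = {p.name for p in self.exe_dir.iterdir() if p.is_file()}
        changed = [n for n in self.db if n not in present or dna(self.exe_dir / n) != self.db[n]]
        return changed + sorted(present - set(self.db))

    def request_update(self, updates):
        """Release blocking only if nothing drifted; apply updates; rebaseline and re-arm."""
        if self.drifted():
            return False
        self.blocking = False
        for name, data in updates.items():
            (self.exe_dir / name).write_bytes(data)
        self.baseline()
        return True


def run_demo():
    """Walk the agent through tampering, restore, an unknown binary and a sanctioned update."""
    root = Path(tempfile.mkdtemp())
    exe, bak = root / "bin", root / "backup"
    exe.mkdir()
    bak.mkdir()
    (exe / "pos.exe").write_bytes(b"MZ constructed POS terminal program v1")   # constructed
    (exe / "report.exe").write_bytes(b"MZ constructed report tool v1")         # constructed
    agent = Agent(exe, bak)
    agent.baseline()
    r = {"clean": agent.execute("pos.exe")}                                    # EXECUTE
    agent.change("pos.exe", b"MZ EVIL_PAYLOAD patched POS program")            # malware rewrites it
    r["update_refused"] = agent.request_update({"report.exe": b"v2"})          # False: drift seen
    r["tampered"] = agent.execute("pos.exe")                                   # RESTORED_AND_EXECUTED
    r["after_restore"] = agent.execute("pos.exe")                              # EXECUTE
    (exe / "dropper.exe").write_bytes(b"MZ EVIL_PAYLOAD dropped file")         # created behind the agent
    r["unknown"] = agent.execute("dropper.exe")                                # BLOCKED
    (exe / "dropper.exe").unlink()                                             # administrator removes it
    r["update_ok"] = agent.request_update({"report.exe": b"MZ constructed report tool v2"})
    r["updated_exec"] = agent.execute("report.exe")                            # EXECUTE against new DNA
    r["rearmed"] = agent.blocking
    r["notices"], r["outbox"] = len(agent.notices), len(agent.outbox)
    shutil.rmtree(root)
    return r


if __name__ == "__main__":
    print(run_demo())
```

Two points in the walk-through mirror the patent's division of labour: the scan only produces a notification, and it is the hash comparison against the baseline that blocks or restores; and a newly created binary with no baseline entry is blocked outright and reported to the server, whereas a modified binary whose pristine copy was backed up is replaced and run. The update path refuses to release the blocking mode until every drift has been repaired, so a tampered file must be restored or removed before legitimate updates are applied and the database is re-baselined.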
FIG. 1 is a block diagram showing a malicious code blocking device and its surrounding configuration for blocking malicious code according to an embodiment of the present invention.
FIG. 2 is a flowchart illustrating a process of blocking malicious code by an apparatus for blocking malicious code according to an embodiment of the present invention.
The objects and effects of the present invention, and the technical configurations for achieving them, will become apparent from the embodiments described in detail below together with the accompanying drawings. In describing the present invention, detailed description of known functions and configurations is omitted where it would make the subject matter unnecessarily unclear. The terms used below are defined with the functions of the present invention in mind and may vary with the intentions or practice of users, operators, and the like.
The present invention can be embodied as computer-readable code on a computer-readable recording medium. A computer-readable recording medium is any recording device that stores data readable by a computer system; examples include ROM, RAM, CD-ROM, magnetic tape, floppy disks, and optical data storage devices, and it may also be realized in the form of carrier waves (for example, transmission over the Internet). The computer-readable recording medium may also be distributed over network-coupled computer systems so that the computer-readable code is stored and executed in a distributed fashion.
The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. The present embodiments are provided so that this disclosure will be complete and will fully convey the scope of the invention to those skilled in the art; the present invention is defined by the scope of the claims. Terms should therefore be interpreted based on the contents of this specification as a whole.
In an embodiment of the present invention, the movement, deletion, change, or creation of executable files installed on an agent system is blocked, and when a specific executable file is executed in the blocking mode it is first scanned for malicious code. The following describes a malicious code blocking device and method using an executable file that then executes or blocks the specific executable file by comparing its DNA value with the original DNA value stored in a database.
Hereinafter, an embodiment of the present invention will be described with reference to the accompanying drawings.
FIG. 1 is a block diagram illustrating a malicious code blocking device and its surrounding configuration for blocking malicious code according to an embodiment of the present invention, the
The agent system is a low-specification terminal, for example a terminal for managing a factory system, a POS system, a production management system, and the like. The
In the
The
Meanwhile, the
The
The
That is, the
In addition, the
The
That is, the unblocking
The
In other words, the
The
The malicious
In an embodiment of the present invention, when the executable file in the agent system is changed or when there is a request for execution of a specific executable file, the malicious
In general, the agent system is determined to be a normal file instead of a malicious code in the
In the exemplary embodiment of the present invention, the
According to an embodiment of the present invention, by blocking the execution files in the agent system to be moved, deleted, changed or created by using the
A process of blocking the malicious code by operating the malicious
FIG. 2 is a flowchart illustrating a process of blocking malicious code by an apparatus for blocking malicious code according to an embodiment of the present invention.
As shown in FIG. 2, the malicious
Then, the
Thereafter, the
As a result of the determination of S204, when there is an execution request for a specific executable file, the malicious
On the other hand, the
As a result of the determination of S210, when the calculated DNA value and the original DNA value match, the
As a result of the determination of S214, when the backup file exists, the
On the other hand, when the determination result of S214, if the backup file does not exist, the
On the other hand, the malicious
As a result of the determination of S222, when there is an update request, the unblocking
As described above, as the update is completed (S226), the
As a result of the determination in S230, when there is a request for releasing the blocking mode from the administrator, the
According to an embodiment of the present invention, it is possible to block moving, deleting, changing, or generating an executable file installed in the agent system, and comparing the original DNA value stored in the
The present invention has been described above with reference to specific embodiments, but these are illustrative only and do not limit the scope of the invention. Those skilled in the art can change or modify the described embodiments without departing from the scope of the present invention. Each functional block or means described in this specification may be implemented in program form, either separately or with two or more integrated into one. Components such as modules that are described as separate in the specification and claims may be merely functionally distinct and physically implemented by a single means, and a component described as a single element may be divided into several components that work in combination. The order of the method steps described herein may also be changed, and other steps may be added, without departing from the scope of the present invention. The various embodiments described herein may be implemented independently or combined with one another as appropriate. Therefore, the scope of the invention should be defined by the appended claims and their equivalents rather than by the described embodiments.
Reference numerals in the drawings:
- 100: malware blocking device
- 102: blocking module
- 104: file execution module
- 106: unblocking module
- 108: manager module
- 110: update module
- 112: database
- 150: management server
Claims (14)
1. A blocking module that sets a blocking mode for blocking the movement, change, or creation of the executable files and, when any executable file on the agent system is changed in the blocking mode, backs up the original executable file before the change; and
a file execution module that, when execution of a specific executable file on the agent system is requested, determines whether to execute the specific executable file by comparing its DNA value with the original DNA value of the specific executable file stored in the database and, if the specific executable file is the changed executable file, restores and executes the original backed-up executable file;
an anti-malware device using executable files.
2. Further comprising an unblocking module that, when there is a request to update executable files on the agent system, compares the DNA value of each executable file on the agent system with the database, checks whether the executable files have changed, and determines whether to release the blocking mode;
an anti-malware device using executable files.
3. Wherein the blocking module sets the blocking mode at the request of a management server connected through a communication network;
an anti-malware device using executable files.
4. The malicious code blocking device further comprising a malicious code inspection module that, when execution of the specific executable file is requested in the blocking mode, only performs a malicious code scan of the specific executable file and provides the scanned specific executable file to the file execution module;
an anti-malware device using executable files.
5. Wherein the malware inspection module generates a notification message based on the result of the malicious code scan of the specific executable file;
an anti-malware device using executable files.
6. Wherein the notification message is generated in the form of a log, a notification window, or an e-mail;
an anti-malware device using executable files.
7. Wherein the file execution module, if the DNA value of the specific executable file does not match the original DNA value stored in the database, blocks execution of the specific executable file and requests inspection by transmitting the DNA value of the specific executable file to the management server connected through the communication network;
an anti-malware device using executable files.
8. The malicious code blocking device further comprising a manager module that, at the request of the manager of the agent system in the blocking mode, sets the agent system to an administrator mode in which any executable file can be moved, deleted, created, or changed;
an anti-malware device using executable files.
9. The malicious code blocking device further comprising an update module that updates the database with the DNA values of the updated executable files as the executable files on the agent system are updated after the blocking mode has been released by the unblocking module;
an anti-malware device using executable files.
10. Wherein the blocking module resets the agent system to the blocking mode when the database is updated;
an anti-malware device using executable files.
11. Setting, when the agent system is running, a blocking mode for blocking the movement, deletion, creation, or change of the executable files;
checking, when an execution request for a specific executable file is received on the agent system, whether the specific executable file is infected with malicious code;
calculating a DNA value of the specific executable file upon completion of the check; and
comparing the calculated DNA value with the original DNA value of the specific executable file stored in the database and blocking the specific executable file if they do not match;
a method of blocking malware using executable files.
12. The malicious code blocking method further comprising:
determining whether there is a change request for any executable file in the blocking mode;
when the change request is made, backing up the original of that executable file before it is changed and then changing it; and
restoring and executing the backed-up original executable file when there is a request to execute the changed executable file;
a method of blocking malware using executable files.
13. Wherein restoring and executing the changed executable file comprises:
checking, when there is a request to execute the changed executable file, whether the changed executable file is infected with malicious code;
determining whether to delete the changed executable file by comparing its DNA value with the DNA value stored in the database; and
restoring and executing the original backed-up executable file;
a method of blocking malware using executable files.
14. Wherein checking whether the executable file is infected comprises checking whether the changed executable file is infected with malicious code and, when the scan finds the changed executable file infected with malicious code, only generating a notification message and providing it to the administrator of the agent system;
a method of blocking malware using executable files.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR20100020016A KR101138746B1 (en) | 2010-03-05 | 2010-03-05 | Apparatus and method for preventing malicious codes using executive files |
CN201180012046XA CN102918541A (en) | 2010-03-05 | 2011-03-03 | Device and method for blocking malicious code using executable files |
PCT/KR2011/001469 WO2011108864A2 (en) | 2010-03-05 | 2011-03-03 | Device and method for blocking malicious code using executable files |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR20100020016A KR101138746B1 (en) | 2010-03-05 | 2010-03-05 | Apparatus and method for preventing malicious codes using executive files |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020120009240A Division KR20120039569A (en) | 2012-01-30 | 2012-01-30 | Apparatus for preventing malicious codes using executive files |
Publications (2)
Publication Number | Publication Date |
---|---|
KR20110100924A (en) | 2011-09-15 |
KR101138746B1 KR101138746B1 (en) | 2012-04-24 |
Family
ID=44542724
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR20100020016A KR101138746B1 (en) | 2010-03-05 | 2010-03-05 | Apparatus and method for preventing malicious codes using executive files |
Country Status (3)
Country | Link |
---|---|
KR (1) | KR101138746B1 (en) |
CN (1) | CN102918541A (en) |
WO (1) | WO2011108864A2 (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105653974B (en) * | 2015-12-23 | 2019-07-23 | 北京奇虎科技有限公司 (Beijing Qihoo Technology Co., Ltd.) | File protection method and device |
Family Cites Families (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100684986B1 (en) * | 1999-12-31 | 2007-02-22 | 주식회사 잉카인터넷 (INCA Internet Co., Ltd.) | Online dangerous information screening system and method |
US20030115458A1 (en) * | 2001-12-19 | 2003-06-19 | Dongho Song | Invisible file technology for recovering or protecting a computer file system |
US8060867B2 (en) * | 2004-05-20 | 2011-11-15 | Computer Associates Think, Inc. | Systems and methods for excluding user specified applications |
KR100690187B1 (en) * | 2005-06-21 | 2007-03-09 | 주식회사 안철수연구소 (AhnLab, Inc.) | Method, apparatus and system for cutting off malicious codes |
KR100870140B1 (en) * | 2006-11-13 | 2008-11-24 | 한국전자통신연구원 (Electronics and Telecommunications Research Institute) | Apparatus and method for detecting embedded malicious code in a file |
US20080115219A1 (en) * | 2006-11-13 | 2008-05-15 | Electronics and Telecommunications Research Institute | Apparatus and method of detecting file having embedded malicious code |
KR100918626B1 (en) * | 2007-08-02 | 2009-09-25 | 주식회사 플랜티넷 (Plantynet Co., Ltd.) | Method for verifying application programs and controlling the execution thereof |
KR100942798B1 (en) * | 2007-11-29 | 2010-02-18 | 한국전자통신연구원 (Electronics and Telecommunications Research Institute) | Apparatus and method for detecting a virus code |
KR100968267B1 (en) * | 2008-06-13 | 2010-07-06 | 주식회사 안철수연구소 (AhnLab, Inc.) | Apparatus and method for checking virus program by distinguishing compiler |
CN101359353B (en) * | 2008-09-05 | 2011-05-18 | 成都市华为赛门铁克科技有限公司 (Chengdu Huawei Symantec Technologies Co., Ltd.) | File protection method and device |
Timeline
- 2010-03-05: KR, application KR20100020016A, patent KR101138746B1, active, IP right granted
- 2011-03-03: WO, application PCT/KR2011/001469, publication WO2011108864A2, active, application filed
- 2011-03-03: CN, application CN201180012046XA, publication CN102918541A, active, pending
Also Published As
Publication number | Publication date |
---|---|
WO2011108864A3 (en) | 2012-01-12 |
CN102918541A (en) | 2013-02-06 |
WO2011108864A2 (en) | 2011-09-09 |
KR101138746B1 (en) | 2012-04-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8612398B2 (en) | Clean store for operating system and software recovery | |
US7398399B2 (en) | Apparatus, methods and computer programs for controlling performance of operations within a data processing system or network | |
EP3712793B1 (en) | Integrity assurance during runtime | |
US11579985B2 (en) | System and method of preventing malware reoccurrence when restoring a computing device using a backup image | |
US7475427B2 (en) | Apparatus, methods and computer programs for identifying or managing vulnerabilities within a data processing network | |
US11455400B2 (en) | Method, system, and storage medium for security of software components | |
JP6644001B2 (en) | Virus processing method, apparatus, system, device, and computer storage medium | |
US8533818B1 (en) | Profiling backup activity | |
RU2487405C1 (en) | System and method for correcting antivirus records | |
US20130160126A1 (en) | Malware remediation system and method for modern applications | |
US20100262584A1 (en) | Disinfecting a file system | |
US20130067577A1 (en) | Malware scanning | |
US11120147B2 (en) | Operating system garbage-collection with integrated clearing of sensitive data | |
CN109565522B (en) | Detecting bulk operations associated with remotely stored content | |
AU2014207540A1 (en) | Systems and methods for identifying and reporting application and file vulnerabilities | |
JP2010160791A (en) | Context-aware real-time computer protection system and method | |
US10579796B1 (en) | Systems and methods of detecting malicious powershell scripts | |
US11477232B2 (en) | Method and system for antivirus scanning of backup data at a centralized storage | |
US8572730B1 (en) | Systems and methods for revoking digital signatures | |
KR101974989B1 (en) | Method and apparatus for determining behavior information corresponding to a dangerous file | |
JP2016189201A (en) | Inoculator and antibody for computer security | |
KR101138746B1 (en) | Apparatus and method for preventing malicious codes using executive files | |
US10848463B2 (en) | Listen mode for machine whitelisting mechanisms | |
CN104424429A (en) | Document behavior monitoring method and user equipment | |
KR20120039569A (en) | Apparatus for preventing malicious codes using executive files |
Legal Events
Code | Title | Description |
---|---|---|
A201 | Request for examination | |
E902 | Notification of reason for refusal | |
AMND | Amendment | |
E601 | Decision to refuse application | |
A107 | Divisional application of patent | |
AMND | Amendment | |
X701 | Decision to grant (after re-examination) | |
GRNT | Written decision to grant | |
FPAY | Annual fee payment | Payment date: 2015-04-16; year of fee payment: 4 |
FPAY | Annual fee payment | Payment date: 2016-04-18; year of fee payment: 5 |
FPAY | Annual fee payment | Payment date: 2017-04-17; year of fee payment: 6 |
FPAY | Annual fee payment | Payment date: 2018-04-16; year of fee payment: 7 |
FPAY | Annual fee payment | Payment date: 2019-04-16; year of fee payment: 8 |