TWI796683B - Method of client-side application control - Google Patents


Info

Publication number
TWI796683B
Authority
TW
Taiwan
Prior art keywords
client
executed
list
blacklist
control method
Application number
TW110115775A
Other languages
Chinese (zh)
Other versions
TW202244723A (en)
Inventor
賴頌傑
劉雨芊
Original Assignee
精品科技股份有限公司
Application filed by 精品科技股份有限公司
Priority to TW110115775A
Publication of TW202244723A
Application granted
Publication of TWI796683B


Abstract

A method of client-side application control includes the following steps: using a specifying unit to specify a whitelist and a blacklist, wherein each whitelisted item can be executed on the client and each blacklisted item cannot; providing a graylist of items not specified by the specifying unit, wherein graylisted items cannot be executed on the client; and letting the client itself decide whether a graylisted item becomes whitelisted at its next execution.

Description

Application Control Method Executed on the Client Side

The present invention relates to the technical field of application program control, and in particular to an application control method executed on a client.

With the spread of informatization, a large number of application programs (apps) have appeared. A single vendor may provide several applications, and different applications, especially several from the same vendor, may offer similar functions. To keep pace with technical developments or business needs, applications often have to be upgraded or replaced; a new version of an application may be released more than once per week. When a newly released version contains an error or a business process fails, the client-side application must be rolled back urgently to a specified version so that the user's basic needs can still be met.

Existing applications usually restrict the computer devices on which they may legally be used, to prevent the application from being copied to other devices that have not been legally authorized. For this purpose, protection mechanisms that bind the application to hardware information already exist. In such a mechanism, as soon as the application starts it first reads and verifies hardware information of the device on which it is installed, such as the CPU identifier or the hard-disk serial number, and allows that device to run it normally only if the verification passes. Although this mechanism binds the application to the legitimate device that may run it, the hardware information does not change dynamically, so the mechanism is easy to crack.

Moreover, with the Internet now ubiquitous, enterprises usually set up Internet connections in order to obtain all kinds of applications. However, information or applications fetched from the Internet may also carry malicious programs. Once a malicious program enters an information-processing device, it can damage the software or steal the information stored there, causing great harm to the enterprise's information security.

On the other hand, an enterprise that enjoys the convenience of the Internet should, as far as possible, also exclude the threat posed by such malicious programs. Restrictions on application execution have traditionally been enforced with blacklist-based control. Because the number of programs in the world is far too large, blacklist control is no longer fit for purpose.

Recently, attackers have often used programs already present on the local machine as their attack tools rather than programs they wrote themselves. This creates a problem: for example, the programs built into Windows are frequently used by ordinary users, yet they are also the attackers' favourite tools; whether such built-in programs can be placed under application control is therefore a major issue.

Furthermore, although application control offers strong protection, enterprise users frequently find themselves unable to run their programs because of three situations: (1) Windows Update; (2) the user installs a new, known-safe program themselves (for example AutoCAD); (3) programs that update every day (for example Teams and Chrome, which often update in the background). This not only reduces the productivity of enterprise employees but also increases the workload of information technology (IT) staff.

In view of these shortcomings, and in order to lighten the burden on IT staff, the present invention provides a novel application control method that solves them.

The object of the present invention is to provide an application control method executed on the client side.

The client-side application control method of the present invention can greatly reduce the burden on IT staff and improve the productivity of enterprise employees.

The client-side application control method of the present invention comprises: using a specifying unit to specify a whitelist and a blacklist, wherein each whitelisted item may be executed on the client and each blacklisted item may not; providing a graylist of items not specified by the specifying unit, wherein graylisted items may not be executed on the client; and letting the client itself decide whether a graylisted item whose execution was blocked becomes whitelisted at its next execution.

The graylist and each blacklist entry upload a record to a folder or storage path.

In another form, the client-side application control method of the present invention comprises: using a specifying unit to specify a whitelist and a blacklist, wherein each whitelisted item may be executed on a first client and each blacklisted item may not; providing a graylist of items not specified by the specifying unit, wherein graylisted items may not be executed on the first client; and letting a second client decide whether a graylisted item whose execution was blocked becomes whitelisted at its next execution.

In a further form, the client-side application control method of the present invention comprises: using a specifying unit to specify a whitelist and a blacklist, wherein each whitelisted item may be executed on the client and each blacklisted item may not; providing a graylist of items not specified by the specifying unit, wherein graylisted items may not be executed on the client; and, with the permission of the server side, having the client scan its applications so that the blocked graylisted items become whitelisted.

In yet another form, the client-side application control method of the present invention comprises: using a specifying unit to specify a whitelist and a blacklist, wherein each whitelisted item may be executed on the client and each blacklisted item may not; providing a graylist of items not specified by the specifying unit, wherein graylisted items may not be executed on the client; and, with the permission of the server side, having the client turn off the current application control so that the blocked graylisted and blacklisted items can be executed on the client.

The above method further comprises installing a software package on the client, rescanning all applications on the client, and defining a new application control after application control has been turned back on.

102: client
104: specifying unit
106: Word whitelist
108: Excel blacklist
110: AutoCAD graylist
112: client-side employee
114: AutoCAD whitelist
120: second client-side supervisor
140: client-side employee
150: applications
202, 204, 206, 208, 210: steps

[Figure 1] is a schematic diagram of the client-side application control method according to the first embodiment of the present invention.

[Figure 2] is a schematic diagram of the client-side application control method according to the second embodiment of the present invention.

[Figure 3] is a schematic diagram of the client-side application control method according to the third embodiment of the present invention.

[Figure 4] is a schematic diagram of the client-side application control method according to the fourth embodiment of the present invention.

[Figure 5] shows the flow in which a client-side employee defines a new application control according to the present invention.

The present invention is described here in detail with reference to specific embodiments and their aspects. Such descriptions explain the structure or the sequence of steps of the invention; they are given for illustration and not to limit the scope of the claims. Apart from the specific and preferred embodiments in the description, the invention can therefore also be practised widely in other embodiments. The implementation of the invention is explained below through particular embodiments, from which those familiar with the art can readily understand the effects and advantages of the invention. The invention may also be applied and practised through other embodiments, the details set out in this description may be applied to different needs, and various modifications or changes may be made without departing from the spirit of the invention.

The present invention proposes an application control method executed on the client, in which a whitelist is used as the control scheme in place of traditional blacklist control. In practice, the whitelist, blacklist and graylist used for application control can be defined by the following steps. First, the client (a personal computer, tablet or any other computing device) has a series of files, programs or software installed, for example Word, Excel and AutoCAD. Then a specifying unit specifies a certain category, or a particular file, program or piece of software, as whitelisted or blacklisted; for example, Word is specified as whitelisted and Excel as blacklisted, while AutoCAD, which has been neither specified nor defined, is neither whitelisted nor blacklisted and therefore automatically becomes graylisted. Whitelisted Word can be executed on the local machine. Blacklisted Excel cannot be executed on the local machine, but a record can be uploaded to a folder or storage path. Unless the user allows it, graylisted AutoCAD cannot be executed on the local machine either, but a record can likewise be uploaded to a folder or storage path. In the present invention, when a newly downloaded or installed application is not whitelisted and therefore cannot run, the IT side need not be troubled; instead, a client-side employee or supervisor decides whether the application becomes whitelisted and executable.
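The following is an added illustration of the three-list decision described above, not code from the patent or its assignee. It models one client's state: a whitelist and a blacklist set by the specifying unit, anything unspecified treated as gray, a record written for every blocked execution (standing in for the upload to a folder or storage path), and the employee or supervisor decision that turns a blocked gray program into a whitelisted one for its next execution. The class and function names (`AppControl`, `decide`, `grant_whitelist`, `demo_client`) and the Word/Excel/AutoCAD inventory are assumptions made for the example; the page names those programs but gives no code.

```python
"""Added example of the whitelist / blacklist / graylist decision (not the
patent holder's code).  Names and the sample inventory are assumptions."""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK_BLACKLIST = "block-blacklist"
    BLOCK_GRAYLIST = "block-graylist"


@dataclass
class AppControl:
    """State of one client.  'records' stands in for the folder / storage path
    to which blocked executions (and later promotions) are uploaded."""
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    records: list = field(default_factory=list)

    def classify(self, program: str) -> str:
        # A program is gray simply because the specifying unit never named it;
        # no explicit graylist entry is needed.
        if program in self.whitelist:
            return "white"
        if program in self.blacklist:
            return "black"
        return "gray"

    def decide(self, program: str) -> Verdict:
        """Execution decision plus the block record the description requires."""
        colour = self.classify(program)
        if colour == "white":
            return Verdict.ALLOW
        verdict = Verdict.BLOCK_BLACKLIST if colour == "black" else Verdict.BLOCK_GRAYLIST
        self.records.append({"program": program, "verdict": verdict.value})
        return verdict

    def grant_whitelist(self, program: str, granted_by: str) -> bool:
        """Employee / supervisor decision (first and second embodiments): a
        blocked *gray* program becomes whitelisted for its next execution.
        A blacklisted program is not promotable this way; only the server-side
        specifying unit changes the blacklist.  The grant is recorded so the IT
        side can audit who promoted what."""
        if self.classify(program) != "gray":
            return False
        self.whitelist.add(program)
        self.records.append({"program": program, "verdict": "promoted", "by": granted_by})
        return True


def demo_client() -> dict:
    """Walk through the Word / Excel / AutoCAD example from the description.
    The whitelist granted here lives in this client's state only, matching the
    text's remark that the new whitelist is valid for that employee alone."""
    ac = AppControl(whitelist={"Word"}, blacklist={"Excel"})
    first = {p: ac.decide(p).value for p in ("Word", "Excel", "AutoCAD")}
    # Employee 112 decides AutoCAD (gray) may run next time; Excel (black) cannot be granted.
    granted = ac.grant_whitelist("AutoCAD", granted_by="employee-112")
    refused = ac.grant_whitelist("Excel", granted_by="employee-112")
    second = {p: ac.decide(p).value for p in ("Word", "Excel", "AutoCAD")}
    return {"first": first, "granted": granted, "refused": refused,
            "second": second, "records": len(ac.records)}


if __name__ == "__main__":
    print(demo_client())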

The present invention provides three methods for turning a graylist into a whitelist: (A) the user adjudicates a new whitelist; (B) the whitelist is rebuilt by rescanning; (C) application control is turned off and back on. For example, a single graylisted program involves two cases: (1.1) turning this single graylisted program into a whitelisted one permanently, for which method (A) or method (B) can be used; and (1.2) running this single graylisted program temporarily, for which method (C) (turning application control off and back on) can be used. In another example, several graylisted programs are encountered at once (for instance, installing Microsoft Office adds hundreds of new programs that are all graylisted); this also involves two cases: (2.1) turning the several graylisted programs into whitelisted ones permanently, which can be done with method (C) (turn application control off), then method (B), then method (C) (turn application control on); and (2.2) running these several graylisted programs temporarily, for which method (C) (turn application control off) can be used. The client-side application control method of the present invention, which achieves the results of the three methods above, is described in detail below.

Figure 1 is a schematic diagram of the client-side application control method according to the first embodiment of the present invention. Usually only the user knows which programs or software must be installed, permanently or temporarily, for their own work. Information technology (IT) staff cannot be expected to know the programs or software that every employee in the enterprise needs, and because an enterprise usually has many employees, the work of deciding which graylisted programs become whitelisted could take up a great deal of time. In this embodiment, therefore, a scheme in which the client-side employee makes the decision is used to reduce the burden on the IT side. As shown in Figure 1, a client 102 (a personal computer, tablet or any other computing device) is provided first, and a specifying unit 104 on the IT side specifies or defines Word as whitelisted and Excel as blacklisted, marked respectively as Word whitelist 106 and Excel blacklist 108. AutoCAD, which the specifying unit 104 has neither specified nor defined, is neither whitelisted nor blacklisted and therefore automatically becomes graylisted, marked as AutoCAD graylist 110. In one example, after the files have been scanned by the console, the Word present on the client 102 is marked as Word whitelist 106 and Excel as Excel blacklist 108. Word whitelist 106 can be executed locally on the client 102. Excel blacklist 108 cannot be executed locally on the client 102, but a block record can be uploaded to a folder or storage path on the IT side. AutoCAD graylist 110 likewise cannot be executed locally on the client 102, but a block record can be uploaded to a folder or storage path on the IT side; that is, AutoCAD graylist 110 is blocked from executing this time. Then, for AutoCAD graylist 110, under the scheme in which the client-side employee 112 decides for themselves, the client-side employee 112 can decide whether the AutoCAD graylist 110 blocked this time becomes AutoCAD whitelist 114 at the next execution. In this embodiment, therefore, the employees of the enterprise are trusted to decide for themselves whether the AutoCAD graylist becomes the AutoCAD whitelist, which reduces the burden on the IT side. This embodiment can permanently turn a single graylisted program into a whitelisted one.

As can be seen from the above, if the IT side grants the employee the permission, the employee can turn a graylisted program into a whitelisted one on their own; of course, this new whitelist is valid only for that employee. In this way, the IT side does not have to be asked to set up a whitelist every time a new program appears.

Figure 2 is a schematic diagram of the client-side application control method according to the second embodiment of the present invention. In this embodiment, a scheme in which a supervisor makes the decision is used to reduce the burden on the IT side. Where the employee cannot be trusted, or it is not desired that employees decide for themselves, the supervisor-decision scheme can be used. As shown in Figure 2, the difference from Figure 1 is that the party deciding the whitelist is the client-side supervisor 120. That is, the second client-side supervisor 120 rules that AutoCAD graylist 110 is prohibited (blocked) from executing this time. Then, for AutoCAD graylist 110, under the scheme in which the second client-side supervisor 120 decides, the second client-side supervisor 120 can decide whether the AutoCAD graylist 110 blocked this time becomes AutoCAD whitelist 114 at the next execution. In this embodiment, therefore, the first client-side employee 112 is not given the authority to turn the AutoCAD graylist into the AutoCAD whitelist; instead the second client-side supervisor 120 decides whether the AutoCAD graylist becomes the AutoCAD whitelist, which reduces the burden on the IT side. This embodiment can permanently turn a single graylisted program into a whitelisted one.

As an example, in the two schemes above, whether the decision is made by the second client-side supervisor 120 or by the first client-side employee 112, only a single graylisted program can be turned into a whitelisted one at a time. However, because the IT side does not have to handle it, the burden on the IT side is still reduced.

Figure 3 is a schematic diagram of the client-side application control method according to the third embodiment of the present invention. In this embodiment, with the permission of the server side (IT side), the client-side employee 112 is allowed to start a rescan of the applications themselves, which reduces the burden on the server side (IT side). The server side (IT side) opens the application-scanning function to specific clients. For example, the server side (IT side) can authorize certain client-side employees 112 so that the authorized client has the application-scanning function and can start a rescan on its own. That is, after a client-side employee 112 authorized by the IT side rescans the applications, the AutoCAD graylist 110 blocked this time becomes AutoCAD whitelist 114. As a result, all of the applications on the client 102 (Word, Excel, AutoCAD) become whitelisted. This embodiment, too, can permanently turn a single graylisted program into a whitelisted one.

Figure 4 is a schematic diagram of the client-side application control method according to the fourth embodiment of the present invention. In this embodiment, with the permission of the server side (IT side), the client-side employee 140 is allowed to turn off application control, which reduces the burden on the server side (IT side). The server side (IT side) opens the function of turning application control off to specific clients. For example, the server side (IT side) can authorize certain client-side employees 140 so that the authorized client has the function of turning application control off; the client can then turn off the current application control first and define a new application control afterwards. As shown in Figure 4, the authorized client-side employee 140 can turn off the current application control. Once application control is off, the applications 150, including Excel recorded as blacklisted and AutoCAD recorded as graylisted, can all be used and executed on the local machine. Turning application control off and back on allows a single graylisted program to run temporarily; turning application control off allows several graylisted programs to run temporarily.

Figure 5 shows the flow in which the client-side employee 140 defines a new application control. First, in step 202, the client-side employee turns off application control. For example, after being authorized by the server side (IT side), the client-side employee can start a shutdown unit that closes the running application control within the computer's execution process; the shutdown unit is data-linked to the application control unit. Then, in step 204, a software package is installed on the client; packaged software includes, but is not limited to, Microsoft Office (for example Word, Excel and PowerPoint), AutoCAD, Line and other software. Next, in step 206, all applications on the client computer are rescanned. After that, in step 208, application control is turned back on. In step 210, after application control has been turned back on, a new application control is defined. This new application control allows every application on the machine to execute; that is, once defined, all applications on the machine form an executable whitelist. This embodiment can permanently turn several graylisted programs into whitelisted ones.
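The third and fourth embodiments and the step 202 to 210 flow above, as an added example that is not code from the patent or its assignee. It models a client whose permitted functions ("rescan", "toggle") are granted by the server side, the temporary execution obtained by turning control off and back on, and the permanent promotion obtained by the disable / install / rescan / re-enable sequence. As the description states, a rescan whitelists everything found on the client, so the function returns the list of promoted names as the record an IT reviewer can check. The names (`ClientState`, `rescan_whitelist`, `toggle_control`, `define_new_control`, `demo`) and the constructed inventories are assumptions made for the example.

```python
"""Added example of the rescan and disable / enable embodiments (not the patent
holder's code).  Names and sample inventories are assumptions."""
from dataclasses import dataclass, field


class NotAuthorised(PermissionError):
    """Raised when the server side has not granted the client the function."""


@dataclass
class ClientState:
    installed: set                                  # programs present on the client
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    control_enabled: bool = True
    authorised: set = field(default_factory=set)    # functions granted by the IT side
    audit: list = field(default_factory=list)       # stands in for the uploaded records

    def may_run(self, program: str) -> bool:
        """Control off: everything runs, blacklist included (fourth embodiment).
        Control on: only whitelisted programs run."""
        if not self.control_enabled:
            return True
        return program in self.whitelist

    def rescan_whitelist(self, actor: str) -> list:
        """Method (B), third embodiment: with server permission, rescan and
        whitelist everything installed.  Per the description this covers
        previously blacklisted programs too, so the promoted names are returned
        and logged for review rather than applied silently."""
        if "rescan" not in self.authorised:
            raise NotAuthorised("rescan not granted by the server side")
        promoted = sorted(self.installed - self.whitelist)
        self.whitelist.update(promoted)
        self.blacklist.difference_update(promoted)
        self.audit.append(("rescan", actor, tuple(promoted)))
        return promoted

    def toggle_control(self, actor: str, enabled: bool) -> None:
        """Method (C), fourth embodiment: with server permission, turn
        application control off or on.  Each change is logged."""
        if "toggle" not in self.authorised:
            raise NotAuthorised("toggle not granted by the server side")
        self.control_enabled = enabled
        self.audit.append(("control", actor, enabled))


def define_new_control(state: ClientState, actor: str, package: set) -> list:
    """Steps 202-210: turn control off, install the package, rescan, turn
    control back on; the new control is 'everything installed is whitelisted'."""
    state.toggle_control(actor, enabled=False)       # step 202
    state.installed |= package                        # step 204
    promoted = state.rescan_whitelist(actor)          # step 206
    state.toggle_control(actor, enabled=True)         # step 208
    return promoted                                   # step 210: new control in force


def demo() -> dict:
    office = {"Word", "Excel", "PowerPoint"}           # constructed package contents
    # Temporary execution (cases 1.2 / 2.2): control off lets AutoCAD and Excel
    # run, and nothing is promoted, so turning control back on blocks them again.
    tmp = ClientState(installed={"Word", "Excel", "AutoCAD"}, whitelist={"Word"},
                      blacklist={"Excel"}, authorised={"toggle"})
    tmp.toggle_control("employee-140", enabled=False)
    while_off = {p: tmp.may_run(p) for p in sorted(tmp.installed)}
    tmp.toggle_control("employee-140", enabled=True)
    after_on = {p: tmp.may_run(p) for p in sorted(tmp.installed)}
    # Permanent promotion (case 2.1): steps 202-210 around an Office install.
    perm = ClientState(installed={"Word", "AutoCAD"}, whitelist={"Word"},
                       authorised={"toggle", "rescan"})
    promoted = define_new_control(perm, "employee-140", office)
    # Without a server-side grant the same sequence is refused at step 202.
    denied = ClientState(installed={"Word"}, whitelist={"Word"})
    try:
        define_new_control(denied, "employee-140", office)
        refused = False
    except NotAuthorised:
        refused = True
    return {"while_off": while_off, "after_on": after_on, "promoted": promoted,
            "control_enabled": perm.control_enabled, "refused": refused}


if __name__ == "__main__":
    print(demo())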

Compared with the conventional blacklist control method, the present invention proposes an application control method executed on the client. All four schemes above are directed at new programs that are known and safe; they let the client-side employee or client-side supervisor update the application control list themselves, thereby reducing the burden on the IT side and greatly improving the efficiency of information security checks.

Changes may be made to the client-side application control method described above without departing from the scope of this document. It should therefore be noted that everything contained in the above description and shown in the accompanying drawings is to be interpreted in an illustrative rather than a restrictive sense. The following claims are intended to cover all general and specific features described herein, and all statements of the scope of the client-side application control method of the present invention that, as a matter of language, may be said to fall between them.

Claims (10)

一種於用戶端執行之應用程式控管方法,包括:利用伺服器端之一指定單元以指定已安裝於該用戶端中的第一類檔案、程式或軟體為白名單與已安裝於該用戶端中的第二類檔案、程式或軟體為黑名單,其中每一白名單可於該用戶端中執行,每一黑名單不可於該用戶端中執行;提供未經由該伺服器端之該指定單元以指定之灰名單,其中該灰名單為已安裝於該用戶端中的第三類檔案、程式或軟體,該灰名單不可於該用戶端中執行;以及基於該用戶端以自行決定禁止執行的該灰名單是否於下一次執行時變成白名單。 A control method for application programs executed on a client end, comprising: using a designated unit on a server end to designate a first type of file, program or software already installed in the client end as a white list and installed on the client end The second type of file, program or software in the system is a blacklist, wherein each whitelist can be executed in the client, and each blacklist cannot be executed in the client; providing the specified unit without passing the server To specify the gray list, where the gray list is the third type of file, program or software installed in the client, the gray list cannot be executed in the client; and based on the client to decide to prohibit execution Whether the gray list will become white list in the next execution. 如請求項1所述的於用戶端執行之應用程式控管方法,其中該每一黑名單上傳紀錄至某一資料夾或某一儲存路徑之中。 The application program control method executed on the client side as described in claim 1, wherein each blacklist is uploaded to a certain folder or a certain storage path. 如請求項1所述的於用戶端執行之應用程式控管方法,其中該灰名單上傳紀錄至某一資料夾或某一儲存路徑之中。 The application program control method executed on the client end as described in claim 1, wherein the gray list is uploaded to a certain folder or a certain storage path. 
一種於用戶端執行之應用程式控管方法,包括:利用伺服器端之一指定單元以指定已安裝於該用戶端中的第一類檔案、程式或軟體為白名單與已安裝於該用戶端中的第二類檔案、程式或軟體為黑名單,其中每一白名單可於第一用戶端中執行,每一黑名單不可於該第一用戶端中執行; 提供未經由該伺服器端之該指定單元以指定之灰名單,其中該灰名單為已安裝於該用戶端中的第三類檔案、程式或軟體,該灰名單不可於該第一用戶端中執行;以及基於第二用戶端以自行決定禁止執行的該灰名單是否於下一次執行時變成白名單。 A control method for application programs executed on a client end, comprising: using a designated unit on a server end to designate a first type of file, program or software already installed in the client end as a white list and installed on the client end The second type of file, program or software in is a blacklist, wherein each whitelist is executable in the first client, and each blacklist is not executable in the first client; Provide a gray list that has not been specified by the specified unit on the server, where the gray list is a third-type file, program or software that has been installed in the client, and the gray list cannot be used in the first client Execution; and whether the gray list that is forbidden to execute based on the second user terminal's own decision will become the white list in the next execution. 如請求項4所述的於用戶端執行之應用程式控管方法,其中該灰名單上傳紀錄至某一資料夾或某一儲存路徑之中。 The application program control method executed on the client side as described in claim item 4, wherein the greylist is uploaded to a certain folder or a certain storage path. 如請求項4所述的於用戶端執行之應用程式控管方法,其中該每一黑名單上傳紀錄至某一資料夾或某一儲存路徑之中。 The application program control method executed on the client side as described in claim 4, wherein each blacklist is uploaded to a certain folder or a certain storage path. 
一種於用戶端執行之應用程式控管方法,包括:利用伺服器端之一指定單元以指定已安裝於該用戶端中的第一類檔案、程式或軟體為白名單與已安裝於該用戶端中的第二類檔案、程式或軟體為黑名單,其中每一白名單可於該用戶端中執行,每一黑名單不可於該用戶端中執行;提供未經由該伺服器端之該指定單元以指定之灰名單,其中該灰名單為已安裝於該用戶端中的第三類檔案、程式或軟體,該灰名單不可於該用戶端中執行;以及在該伺服器端的允許之下,基於該用戶端掃描應用程式,以讓禁止執行的該灰名單變成白名單。 A control method for application programs executed on a client end, comprising: using a designated unit on a server end to designate a first type of file, program or software already installed in the client end as a white list and installed on the client end The second type of file, program or software in the system is a blacklist, wherein each whitelist can be executed in the client, and each blacklist cannot be executed in the client; providing the specified unit without passing the server With the specified gray list, where the gray list is a third-class file, program or software installed in the client, the gray list cannot be executed in the client; and with the permission of the server, based on The client scans applications to turn the gray list into a white list of forbidden executions. 如請求項7所述的於用戶端執行之應用程式控管方法,其中該灰名單與該每一黑名單上傳紀錄至某一資料夾或某一儲存路徑之中。 The application program control method executed on the client side as described in claim item 7, wherein the gray list and each black list upload record to a certain folder or a certain storage path. 
An application control method executed on a client, comprising: using a designating unit on a server to designate a first type of file, program or software installed on the client as a whitelist and a second type of file, program or software installed on the client as a blacklist, wherein each whitelist item can be executed on the client and each blacklist item cannot be executed on the client; providing a graylist that has not been designated by the designating unit on the server, wherein the graylist is a third type of file, program or software installed on the client, and the graylist cannot be executed on the client; and, with permission from the server, the client turning off the current application control so that the graylist and the blacklist whose execution is prohibited can be executed on the client.

The application control method executed on a client as described in claim 9, further comprising installing a software package on the client, rescanning all applications on the client, and defining a new application control after the application control mode is started.
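The following is an added example, not code from the patent or its assignee, that models the three-list policy described in the claims above in Python. The class, method and file names (ClientAppControl, request_execution, records.jsonl) and the sample program names are assumptions; the patent only names the three lists, the server-side designating unit, the upload record and the client-side promotion, scan and control-off behaviours. The model treats anything the server never classified as graylist and denies it by default, lets a client-side promotion take effect only at the next execution, requires server permission both for the scan-based promotion and for turning control off, and appends a record for every non-allowed decision to a storage path so that blocked attempts remain auditable.

```python
"""Constructed model of whitelist / blacklist / graylist application control.
Added illustrative code, not part of the patent; all names are hypothetical."""
import json
import tempfile
from dataclasses import dataclass, field
from enum import Enum
from pathlib import Path


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK_BLACKLIST = "block:blacklist"
    BLOCK_GRAYLIST = "block:graylist"
    ALLOW_CONTROL_DISABLED = "allow:control-disabled"


@dataclass
class ClientAppControl:
    """Per-client policy state (hypothetical structure)."""
    whitelist: set            # designated by the server-side unit: may run
    blacklist: set            # designated by the server-side unit: may not run
    installed: set            # everything installed on this client
    record_path: Path         # folder / storage path the upload record goes to
    control_enabled: bool = True
    pending_promotion: set = field(default_factory=set)

    @property
    def graylist(self):
        # Installed items the server never classified: denied until promoted.
        return self.installed - self.whitelist - self.blacklist

    def _record(self, program, verdict):
        # Append one JSON line per non-allowed decision to the storage path.
        self.record_path.parent.mkdir(parents=True, exist_ok=True)
        with self.record_path.open("a", encoding="utf-8") as fh:
            fh.write(json.dumps({"program": program, "verdict": verdict.value}) + "\n")

    def request_execution(self, program):
        # A client-side promotion only becomes effective "at the next execution".
        if program in self.pending_promotion:
            self.whitelist.add(program)
            self.pending_promotion.discard(program)
        if not self.control_enabled:
            verdict = Verdict.ALLOW_CONTROL_DISABLED
        elif program in self.blacklist:          # blacklist checked first: defensive
            verdict = Verdict.BLOCK_BLACKLIST
        elif program in self.whitelist:
            verdict = Verdict.ALLOW
        else:
            verdict = Verdict.BLOCK_GRAYLIST     # default deny for unclassified items
        if verdict is not Verdict.ALLOW:
            self._record(program, verdict)
        return verdict

    def client_promote(self, program):
        # Client decides on its own, but only a graylist item may be promoted.
        if program in self.graylist:
            self.pending_promotion.add(program)
            return True
        return False

    def scan_and_promote(self, server_permitted):
        # With server permission, scan installed apps and whitelist the graylist.
        if not server_permitted:
            return set()
        promoted = set(self.graylist)
        self.whitelist |= promoted
        return promoted

    def set_control(self, enabled, server_permitted):
        # Turning control off needs server permission; turning it on never does.
        if not enabled and not server_permitted:
            return False
        self.control_enabled = enabled
        return True


def demo():
    """Constructed scenario; returns the verdicts so they can be checked."""
    tmp = Path(tempfile.mkdtemp())
    ctrl = ClientAppControl(
        whitelist={"editor.exe"},
        blacklist={"keygen.exe"},
        installed={"editor.exe", "keygen.exe", "newtool.exe", "other.exe"},
        record_path=tmp / "appcontrol" / "records.jsonl",
    )
    out = {}
    out["white"] = ctrl.request_execution("editor.exe")
    out["black"] = ctrl.request_execution("keygen.exe")
    out["gray_first"] = ctrl.request_execution("newtool.exe")
    out["promote_black_refused"] = ctrl.client_promote("keygen.exe")
    out["promote_gray"] = ctrl.client_promote("newtool.exe")
    out["gray_next"] = ctrl.request_execution("newtool.exe")
    out["scan_no_perm"] = ctrl.scan_and_promote(server_permitted=False)
    out["scan"] = ctrl.scan_and_promote(server_permitted=True)
    out["other"] = ctrl.request_execution("other.exe")
    out["disable_refused"] = ctrl.set_control(False, server_permitted=False)
    out["disable_ok"] = ctrl.set_control(False, server_permitted=True)
    out["black_when_disabled"] = ctrl.request_execution("keygen.exe")
    ctrl.set_control(True, server_permitted=False)
    out["records"] = ctrl.record_path.read_text(encoding="utf-8").count("\n")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two design points worth noting for a defender: the blacklist is consulted before the whitelist so that a conflicting designation fails closed, and the period during which control is turned off is still recorded, since that window is exactly when an auditor will want to know what ran.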
TW110115775A 2021-04-30 2021-04-30 Method of client-side application control TWI796683B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW110115775A TWI796683B (en) 2021-04-30 2021-04-30 Method of client-side application control

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW110115775A TWI796683B (en) 2021-04-30 2021-04-30 Method of client-side application control

Publications (2)

Publication Number Publication Date
TW202244723A TW202244723A (en) 2022-11-16
TWI796683B true TWI796683B (en) 2023-03-21

Family

ID=85793026

Family Applications (1)

Application Number Title Priority Date Filing Date
TW110115775A TWI796683B (en) 2021-04-30 2021-04-30 Method of client-side application control

Country Status (1)

Country Link
TW (1) TWI796683B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8656465B1 (en) * 2011-05-09 2014-02-18 Google Inc. Userspace permissions service
CN103607381A (en) * 2010-08-18 2014-02-26 北京奇虎科技有限公司 White list generation method, malicious program detection method, client and server
US20140090077A1 (en) * 2012-09-25 2014-03-27 Samsung Electronics Co., Ltd Method and apparatus for application management in user device
US8856322B2 (en) * 2008-12-19 2014-10-07 Openpeak Inc. Supervisory portal systems and methods of operation of same
US20160378994A1 (en) * 2013-02-25 2016-12-29 Beyondtrust Software, Inc. Systems and methods of risk based rules for application control
EP3761194A1 (en) * 2014-10-31 2021-01-06 Proofpoint, Inc. Systems and methods for privately performing application security analysis

Also Published As

Publication number Publication date
TW202244723A (en) 2022-11-16

Similar Documents

Publication Publication Date Title
US9665708B2 (en) Secure system for allowing the execution of authorized computer program code
US7555645B2 (en) Reactive audit protection in the database (RAPID)
US10348734B2 (en) Security bypass environment for circumventing a security application in a computing environment
US11816213B2 (en) System and method for improved protection against malicious code elements
US20240095402A1 (en) Methods and Systems for Recursive Descent Parsing
JP2006107505A (en) Api for access authorization
CN101414329A (en) Method for deleting in-service virus
TWI796683B (en) Method of client-side application control
TWI765690B (en) Method of application control based on observation mode
TWI802040B (en) Method of application control based on file attributes
GB2555569A (en) Enhanced computer objects security
CN115270101A (en) Application program control and management method executed on user side
TWI789944B (en) Method of application control based on different scanning schemes
KR100772455B1 (en) Dac strengthening apparatus and method for controlling classification and execution of process
JP4498886B2 (en) Access control device and program thereof