WO2004097653A1 - Messaging virus countermeasure program and the like - Google Patents
Messaging virus countermeasure program and the like
- Publication number
- WO2004097653A1 (application PCT/JP2003/005330)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- virus
- messaging
- electronic information
- received
- transmitted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L51/00—User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
- H04L51/21—Monitoring or handling of messages
- H04L51/212—Monitoring or handling of messages using filtering or selective blocking
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
Definitions
- The present invention relates to messaging viruses transmitted along with the movement of electronic information, mainly electronic mail.
- In particular, the present invention relates to a messaging virus countermeasure program that is effective against new viruses, sender-spoofing viruses, and viruses that transmit arbitrary files as attachments.
- When the virus is a sender-spoofing virus that spoofs the sender's e-mail address and a virus detection message is sent to the sender upon detection as described above, the message is sent to a sender who has not sent the e-mail, that is, a sender who is not infected with the virus, and the message transmission is wasteful and annoying to the other party.
- the virus is an unspecified file attachment type virus that sends an e-mail with one or more arbitrary files in the computer attached to the virus
- the e-mail containing the virus is usually used.
- the virus is detected with a regular file other than the virus attached by the virus.
- processing is usually performed in which only the detected virus portion is deleted and the subsequent e-mail is transmitted.
- the file will be sent and the information will be leaked. This is a problem, for example, because unintended information is transmitted from outside the company.
- the notification message transmitted from the above-described conventional system indicating that a virus has been detected is generally uniform in content, and it is desired that the content be suitable for the transmission destination.
- Patent Document 1
- Patent Document 2
- The purpose of the present invention is to provide a messaging virus countermeasure program and the like for taking action against messaging viruses, which is effective against new viruses, sender-spoofing viruses, and unspecified file-attached viruses.
- One aspect of the present invention is a messaging virus countermeasure program that causes a computer to execute measures against a messaging virus transmitted when electronic information is distributed on a network.
- The program causes the computer to execute: a step of determining whether or not to perform processing in the alert mode; if it is determined that processing is to be performed in the alert mode, a step of determining, based on predetermined conditions, whether there is a risk of virus infection by the received electronic information, storing the received electronic information without distributing it if it is determined that there is such a risk, and distributing the received electronic information if it is determined that there is no risk of the virus infection; and, if it is determined that processing is not to be performed in the alert mode, a step of processing the received electronic information based on the characteristics of known messaging viruses whose characteristics are predetermined. Therefore, according to the present invention, when a new type of messaging virus appears, it is not necessary to stop all mail distribution, and the effect of stopping mail can be suppressed to a small level.
- the delivery of the electronic information is an email delivery
- the predetermined condition for determining whether there is a risk of virus infection is the received email.
- The information for causing the computer to execute a predetermined operation includes at least one of HTML code, script code, or binary data of a program converted to text.
- another aspect of the present invention is a messaging virus countermeasure program which causes a computer to execute a measure against a messaging virus transmitted with distribution of electronic information on a network.
- When electronic information accompanied by a messaging virus is received, the program causes the computer to execute: a step of determining, based on predetermined characteristics of the messaging virus, whether or not the messaging virus accompanying the received electronic information is a sender-spoofing virus that spoofs the sender of the electronic information it accompanies; a step of transmitting a virus detection notification message, notifying that a virus has been detected, to the source of the received electronic information if it is determined that the received messaging virus is not a sender-spoofing virus; and a step of not transmitting the virus detection notification message if it is determined that the received messaging virus is a sender-spoofing virus. Therefore, according to the present invention, it is possible to prevent a message from being transmitted to a place that is not actually infected with a virus, thereby causing trouble to the other party.
- Another aspect of the present invention is a messaging virus countermeasure program that causes a computer to execute a measure against a messaging virus transmitted with electronic information distributed between a predetermined network and another network.
- When the program receives electronic information accompanied by a messaging virus, it causes the computer to execute: a step of determining, based on predetermined characteristics of the messaging virus, whether or not the messaging virus accompanying the received electronic information is a sender-spoofing virus that spoofs the sender of the electronic information it accompanies; a step of transmitting a virus detection notification message, notifying that a virus has been detected, to the source of the received electronic information if it is determined that the received messaging virus is not a sender-spoofing virus; a step of determining, if the received messaging virus is determined to be a sender-spoofing virus, whether or not the received electronic information was transmitted from the predetermined network; and a step of transmitting the virus detection notification message if it is determined that the received electronic information was transmitted from the predetermined network, and not transmitting the virus detection notification message if it is determined that it was not transmitted from the predetermined network.
- another aspect of the present invention is a messaging virus countermeasure program which causes a computer to execute a measure against a messaging virus transmitted with distribution of electronic information on a network.
- When electronic information accompanied by a messaging virus is received, the program causes the computer to execute: a step of determining, based on predetermined characteristics of the messaging virus, whether or not the messaging virus accompanying the received electronic information is an unspecified file-attached virus that attaches a file in a computer and transmits it; a step of transmitting the received electronic information to a destination if it is determined that the received messaging virus is not an unspecified file-attached virus; and a step of not transmitting the received electronic information if it is determined that the received messaging virus is an unspecified file-attached virus. Therefore, according to the present invention, it is possible to prevent information leakage due to the unspecified file-attached virus.
- another aspect of the present invention is to provide a computer with a measure against a messaging virus transmitted along with electronic information distributed between a predetermined network and another network.
- the messaging virus countermeasure program to be executed receives the electronic information accompanied by the messaging virus, the messaging virus associated with the received electronic information is transmitted to the computer according to predetermined characteristics of the messaging virus.
- still another aspect of the present invention is to cause a computer to execute a treatment for a messaging virus transmitted along with electronic information distributed between a predetermined network and another network.
- When the messaging virus handling program receives electronic information accompanied by a messaging virus, it causes the computer to execute: a step of determining whether or not the received electronic information was transmitted from the predetermined network; and a step of transmitting a message provided in advance for the predetermined network if it is determined that the received electronic information was transmitted from the predetermined network, and transmitting a message provided in advance for the other network if it is determined that the received electronic information was not transmitted from the predetermined network.
- the predetermined network is a network provided in a predetermined company.
- another aspect of the present invention is a messaging virus countermeasure system which performs a measure against a messaging virus transmitted in accordance with the distribution of electronic information on a network, and has a feature in advance.
- Yet another aspect of the present invention is a method for dealing with a messaging virus in a computer system that takes action against a messaging virus transmitted with distribution of electronic information on a network.
- In the method, if it is determined that processing is to be performed in the alert mode, the computer system determines, based on predetermined conditions, whether there is a risk of virus infection by the received electronic information, stores the received electronic information without distributing it if it determines that there is such a risk, and distributes the received electronic information if it determines that there is no risk of the virus infection; and, if the computer system does not perform the process in the alert mode, it performs a process on the received electronic information based on the characteristics of the known messaging viruses whose characteristics are predetermined. Further objects and features of the present invention will become apparent from the best mode for carrying out the invention described below.
BRIEF DESCRIPTION OF THE FIGURES
- FIG. 1 is a configuration diagram according to an embodiment of a messaging virus countermeasure system to which the present invention is applied.
- FIG. 2 is a flowchart illustrating a process performed by the virus countermeasure unit 10 of the messaging virus countermeasure system 1 according to the embodiment.
- FIG. 3 is a flowchart showing one mode of processing based on the specifications of the e-mail.
- FIG. 4 is a diagram showing an example of a description of the setting file 22 for the action (step S11 in FIG. 2) based on the specifications of the electronic mail 6 in this embodiment.
- FIG. 5 is a flowchart showing a second mode of the treatment (step S11 in FIG. 2) based on the data of the electronic mail 6.
- FIG. 6 is a diagram showing an example of a description in the setting file 22 regarding the action (step S11) based on the specifications of the e-mail 6 in the second embodiment.
- FIG. 7 is a flowchart showing a third mode of the treatment (step S11 in FIG. 2) based on the data of the electronic mail 6.
- FIG. 8 is a diagram showing an example of a description in the setting file 22 regarding the action (step S11) based on the specifications of the e-mail 6 in the third embodiment.
- FIG. 9 is a flowchart showing a fourth mode of the action (step S11 in FIG. 2) based on the data of the electronic mail 6.
- FIG. 10 is a diagram showing a description example of the setting file 22 for the action (step S11) based on the data of the e-mail 6 in the fourth embodiment.
- FIG. 1 is a configuration diagram according to an embodiment of a messaging virus countermeasure system to which the present invention is applied.
- The messaging virus countermeasure system 1 shown in Fig. 1 is a system using the messaging virus countermeasure program according to the present invention. As shown in Fig. 1, it is a system that takes action against various viruses transmitted together with the e-mail 6 and the like distributed between the corporate network 2 and an external network (Internet 3).
- This messaging virus countermeasure system 1 has an alert mode for new viruses and special measures against sender-spoofing viruses and unspecified file-attached viruses, and aims to handle viruses more effectively and safely than conventional systems.
- The in-company network 2 in Fig. 1 is a network such as a LAN (Local Area Network) installed in the company, to which the client terminals (4a, 4b, ...) are connected.
- The client terminals (4a, 4b, ...) are configured by a personal computer or the like, have a function of sending and receiving e-mails 6, and send and receive the e-mails 6 to be processed by the messaging virus countermeasure system 1.
- The in-house network 2 and client terminals (4a, 4b, ...) are the main protection targets of the messaging virus countermeasure system 1. In the present embodiment the network in the company and its client terminals are used, but a network in an organization other than a company and the client terminals connected to it may be used.
- the messaging exchange method used may be a method other than mail, such as file transfer or data download from the Web.
- The Internet 3 in FIG. 1 is connected to the enterprise network 2 and also to a plurality of client terminals (5a, 5b, ...).
- the client terminals (5a, 5b,...) are also composed of personal computers, etc., and have the function of sending and receiving e-mails 6, and have the client of the corporate network 2.
- In this embodiment the Internet 3 is used, but any other network may be used as long as it is a network outside the company that transmits and receives the e-mail 6 to and from the company network 2.
- The messaging virus countermeasure system 1 is a computer system provided between the in-house network 2 and the Internet 3, and e-mail 6 between the client terminals (4a, 4b, ...) and the client terminals (5a, 5b, ...) is sent and received via the system.
- the messaging virus countermeasure system 1 includes a virus countermeasure unit 10 and a storage unit 20.
- The virus countermeasure means 10 is a part that receives an e-mail 6 transmitted between the company network 2 and the Internet 3 and executes predetermined processing for various viruses accompanying the e-mail 6. Although specific processing contents will be described later, the virus countermeasure means 10 is a main part in the present invention. Further, the virus countermeasure means 10 includes a computer program for instructing processing contents, a memory for reading the computer program, a control device for executing processing in accordance with the computer program, and the like.
- the storage means 20 is a part for storing the pattern definition file 21 and the setting file 22 and is constituted by a hard disk or the like provided in a computer system constituting the messaging virus countermeasure system 1.
- The pattern definition file 21 is a file that defines the characteristics (patterns) of each of the known viruses, and is used for processing when the above-described virus countermeasure means 10 detects a virus.
- The setting file 22 is a file in which the action to take for each virus is set, and is read into the memory of the virus handling means 10 when the virus handling means 10 receives the e-mail 6.
- The virus handling means 10 executes processing based on the contents described in the setting file 22. By changing the description in the setting file 22, the processing for each virus in the virus countermeasure unit 10 can be changed without changing the program of the virus countermeasure unit 10. Therefore, this messaging virus countermeasure system 1 is a so-called customizable system.
- FIG. 2 is a flowchart illustrating a process performed by the virus countermeasure unit 10 of the messaging virus countermeasure system 1 according to the present embodiment.
- The virus countermeasure means 10 receives an e-mail 6 sent from the corporate network 2 to the Internet 3 or from the Internet 3 to the corporate network 2 before the e-mail 6 reaches the destination (step S1 in FIG. 2).
- the source and destination of this e-mail 6 are client terminals inside the company (4a, 4b, ...), client terminals outside the company (5a, 5b, ...), or network inside the company.
- The virus handling means 10 reads the setting file 22 described above from the storage means 20 into the memory (step S2 in FIG. 2). Thereafter, the virus countermeasure means 10 acquires the information regarding the received e-mail 6 and temporarily stores the information in the memory (step S3 in FIG. 2).
- the information acquired and held is information included in the header of the e-mail 6, information on the mail text, and information on the attached file.
- This includes the sender of the e-mail 6, the presence or absence of attachments, the presence or absence in the main text of HTML (HyperText Markup Language) and script code (JavaScript, etc.; Java is a registered trademark of Sun Microsystems, USA), and the presence or absence of binary data, such as the executable file of a program, encoded in text.
- the virus countermeasure 10 determines whether or not the new virus alert mode is set (step S4 in FIG. 2).
- The new virus alert mode is a mode for guarding against a new virus that is not defined in the pattern definition file 21 described above when such a virus appears. Whether to use the mode is determined by the administrator of the messaging virus countermeasure system 1, and the result is input to the messaging virus countermeasure system 1. Based on this input information, the virus countermeasure means 10 determines whether or not the new virus alert mode is set.
- If the information that the new virus alert mode is set has been entered and the virus countermeasure means 10 determines that the new virus alert mode is set (Yes in step S4 in FIG. 2), it determines whether there is a possibility that the received e-mail 6 will cause a virus infection at the destination (step S5 in FIG. 2). Specifically, the determination is made based on the following conditions in accordance with the description of the read setting file 22.
- the received e-mail 6 has an attached file.
- the text (in the text data) of the received e-mail 6 contains the binary data of the program converted to text.
- If any one of the above conditions (1) to (4) is satisfied, it is determined that there is a risk of the virus infection. This is the highest level of alertness and is used when little information is available on a new species of virus. Normally, the virus is delivered using the attached file or HTML code in the body of the mail, so the above conditions are set.
- Alternatively, only condition (1) may be used: if there is an attached file, it is determined that there is a risk of the virus infection, and if there is no attached file, it is determined that there is no risk of the virus infection. This is used when it is known that a new type of virus will be delivered in an attached file. As described above, when information on a new virus is obtained to some extent, it is preferable to set conditions in accordance with the information.
- The condition setting for this determination can be performed by the setting file 22.
- Conditions (2) to (4) are examples of determining whether the mail body (the text data) contains something equivalent to a program, in other words, information that causes a computer to execute a predetermined operation. These are merely examples, and other conditions may be set.
- For this determination, the information acquired and held in step S3 in FIG. 2 described above is used. It should be noted that whether or not the text (text data) of the received e-mail 6 contains the HTML code, the script code, and the binary data of the program in the form of text is determined, for example, from the perspective that there is no such thing, that there is no such thing as a programming language, and that there are no unstructured characters in the text.
- If it is determined that there is no risk of the virus infection, the virus countermeasure means 10 sends the e-mail 6 to the destination (step S6 in FIG. 2).
- If it is determined that there is a risk of the virus infection, the e-mail 6 is not sent and is temporarily stored in the messaging virus countermeasure system 1 (step S7 in FIG. 2). For example, it is stored in the storage means 20. Then, after the characteristics of the new virus being warned against are grasped and defined (set) in the pattern definition file 21, the stored e-mail 6 is taken out and the processing from step S8 in FIG. 2 described later, that is, processing such as virus removal, is performed.
- the messaging virus countermeasure system 1 has an alert mode when a new type of virus whose characteristics are not yet known appears, and passes only the e-mail 6 that is clearly free from virus infection. This point is one of the major features of this messaging virus handling system 1.
- When a new virus emerges, it is therefore possible to ensure safety and minimize the impact of the inability to deliver mail.
- the number of e-mails 6 that can be passed can be further increased, and the effect described above is enhanced.
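The alert-mode triage described above (steps S4 to S7), sketched as an added example that is not code from the patent. The detection heuristics, the condition names and all function names are assumptions; the sample messages are constructed.

```python
import base64
import re
from email import message_from_string

# Heuristics for "program-like" body content. These are assumptions made
# for this example; the page does not specify how the body is inspected.
HTML_TAG = re.compile(r"<\s*/?\s*(html|body|a|img|iframe|table|div|object|embed)\b", re.I)
SCRIPT = re.compile(r"<\s*script\b|\b(java|vb)script\s*:", re.I)
UUENCODE = re.compile(r"^begin [0-7]{3,4} \S+", re.M)
BASE64_RUN = re.compile(r"(?:^[A-Za-z0-9+/]{60,76}={0,2}\r?\n){4,}", re.M)

# The conditions the setting file can enable (names are hypothetical).
ALL_CONDITIONS = frozenset({"attachment", "html", "script", "binary_text"})


def part_text(part):
    """Decode a text part, tolerating an unknown charset label."""
    raw = part.get_payload(decode=True) or b""
    try:
        return raw.decode(part.get_content_charset() or "utf-8", "replace")
    except LookupError:
        return raw.decode("latin-1")


def risk_reasons(msg, conditions=ALL_CONDITIONS):
    """Return the sorted list of enabled conditions that the message meets."""
    found = set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Fail closed: anything that is not inline text counts as an attachment.
        if (part.get_content_disposition() == "attachment"
                or part.get_filename()
                or part.get_content_maintype() != "text"):
            found.add("attachment")
            continue
        text = part_text(part)
        if part.get_content_type() == "text/html" or HTML_TAG.search(text):
            found.add("html")
        if SCRIPT.search(text):
            found.add("script")
        if UUENCODE.search(text) or BASE64_RUN.search(text):
            found.add("binary_text")
    return sorted(found & set(conditions))


def triage(raw_message, alert_mode, conditions=ALL_CONDITIONS):
    """Return ('hold' | 'deliver' | 'scan', reasons).

    'scan' means alert mode is off and the normal pattern scan (step S8) runs.
    """
    if not alert_mode:
        return "scan", []
    reasons = risk_reasons(message_from_string(raw_message), conditions)
    return ("hold" if reasons else "deliver"), reasons


# Constructed sample messages.
HEAD = "From: a@example.com\nTo: b@example.net\nSubject: test\n"
PLAIN = HEAD + "\nLunch at noon?\n"
HTML_MAIL = (HEAD + "Content-Type: text/html\n\n"
             "<html><body><script>window.open('http://example.invalid/')"
             "</script></body></html>\n")
ATTACHED = (HEAD + "MIME-Version: 1.0\n"
            'Content-Type: multipart/mixed; boundary="B"\n\n'
            "--B\nContent-Type: text/plain\n\nSee attached.\n"
            "--B\nContent-Type: application/octet-stream\n"
            'Content-Disposition: attachment; filename="report.bin"\n'
            "Content-Transfer-Encoding: base64\n\nAAECAwQF\n--B--\n")
ENCODED = (HEAD + "\nHere is the tool:\n"
           + base64.encodebytes(bytes(range(256)) * 2).decode("ascii"))

if __name__ == "__main__":
    for name, raw in [("plain", PLAIN), ("html", HTML_MAIL),
                      ("attached", ATTACHED), ("encoded", ENCODED)]:
        print(name, triage(raw, alert_mode=True))
    # Relaxed setting: the new virus is known to travel only as an attachment.
    print("html, attachment-only:", triage(HTML_MAIL, True, {"attachment"}))
```

Passing a narrower `conditions` set models the relaxed setting in which only the attachment condition is enforced, which lets more mail through while the alert is active.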
- virus detection processing is performed on the e-mail 6 (step S8 in FIG. 2).
- The characteristics of the attached file and text of the electronic mail 6 are compared with the characteristics (patterns) of each virus defined in the pattern definition file 21 described above to determine whether there is any match.
- If there is a match, the virus countermeasure means 10 determines that a virus has been detected (Yes in step S9 in FIG. 2) and deletes the virus (step S10 in FIG. 2). In this process, the virus countermeasure means 10 deletes the virus portion of the e-mail 6 to remove the virus. For example, if the virus is an e-mail 6 attachment, the attachment is removed.
- the virus countermeasure 10 performs an action on the e-mail 6 in which the virus is detected based on the specifications of the e-mail 6 (step S11 in FIG. 2).
- This step is one of the features of the present messaging virus countermeasure system 1, and based on the settings in the configuration file 22 described above, each action appropriate for each received email 6 and virus is executed.
- This processing, which is not available in the conventional system, makes it possible to take more effective virus countermeasures suitable for each virus and to solve the aforementioned problems.
- FIG. 3 is a flowchart showing one mode (the first mode) of the processing. This example is for the case where the virus detected in the received e-mail 6 is a sender-spoofing virus that spoofs the source e-mail address.
- the virus countermeasure unit 10 determines whether the detected virus is a source spoofed virus (step S21 in FIG. 3).
- This determination is based on the type of virus, which is identified when the virus is detected by comparison with the pattern definition file 21.
- If the detected virus is a sender-spoofing virus (Yes in step S21 in FIG. 3), the processed e-mail 6 is sent to the destination without sending a virus detection notification message notifying that the virus has been detected (step S12).
- If the detected virus is not a sender-spoofing virus (No in step S21 in FIG. 3), the virus detection notification message is transmitted to the infected person (step S22 of FIG. 3). In this case, usually, the notification message is transmitted to the transmission source. Thereafter, the processed e-mail 6 is transmitted to the destination (step S12).
- FIG. 4 is an example of a description in the setting file 22 regarding the action (step S11) based on the specifications of the electronic mail 6 in this embodiment.
- "W32.KKK.H@mm" in the figure is an example of a sender-spoofing virus, and the description on the second line in FIG. 4 means that if "W32.KKK.H@mm" is detected, no virus detection notification message is sent.
- The virus countermeasure means 10 executes the processing of steps S21 and S22 in FIG. 3 described above with reference to the relevant portion of the setting file 22 read into the memory.
- In this way, when the detected virus is a sender-spoofing virus, the virus detection notification message is not transmitted. Therefore, it is possible to prevent a virus detection notification message from being sent to a transmission source that has not actually transmitted the virus, thereby causing trouble for the other party. Also, unnecessary message transmission can be eliminated. On the other hand, if the virus is not a sender-spoofing virus, a virus detection notification message is sent to the infected person, which is effective in removing the virus and preventing further infection.
- FIG. 5 is a flowchart showing a second mode of the treatment (step S11 in FIG. 2) based on the specifications of the electronic mail 6. This example is also for the case where the detected virus is a source spoofed virus.
- The virus countermeasure means 10 determines whether the detected virus is a sender-spoofing virus as in the case of the first mode described above (step S31 in FIG. 5). As a result, if the detected virus is not a sender-spoofing virus (No in step S31 of FIG. 5), a virus detection notification message is transmitted to the infected person as in the first mode (step S32 in FIG. 5). Then, the processed e-mail 6 is transmitted to the transmission destination (step S12).
- If the detected virus is a sender-spoofing virus (Yes in step S31 in FIG. 5), it is determined whether the received e-mail is from a corporate domain (step S33 in FIG. 5). That is, it is determined whether or not it is an e-mail 6 from the corporate network 2. This determination is made by checking whether or not the domain of the source e-mail address of the received e-mail 6 is an in-company domain of a company that is protected by the messaging virus countermeasure system 1.
- If the e-mail is from the corporate domain (Yes in step S33 in FIG. 5), a virus detection notification message is transmitted (step S32 in FIG. 5).
- Such a message may be sent to the sender of the e-mail 6, or may be sent to a plurality of predetermined locations, such as all client terminals (4a, 4b, ...) connected to the corporate network 2.
- the processed e-mail 6 is transmitted to the destination (step S12).
- FIG. 6 is a description example of the setting file 22 regarding the action (step S11) based on the specifications of the electronic mail 6 in the second embodiment.
- "W32.KKK.H@mm" in the figure shows an example of the sender-spoofing virus, as in FIG. 4, and "abc.com" shows the company domain of company name abc. “Ms g. KK ⁇ . ⁇ . Abe” is the file name that stores the virus detection notification message about "W32.KKK.H@mm" sent to the company.
- In the second mode, when the detected virus is a sender-spoofing virus and the e-mail 6 is from within the company, a virus detection notification message is transmitted; if the e-mail 6 is not from within the company, no virus detection notification message is sent. Therefore, it is possible to prevent a virus detection notification message from being sent outside the company to a sender who did not actually transmit the virus, thereby causing trouble for the other party.
- Inside the company, a virus detection notification message is sent to employees who understand the processing in the messaging virus countermeasure system 1, so it can be made known that there is a sender-spoofing virus in the company. Furthermore, by making the transmitted message about the virus specific to the company concerned, it is possible to inform employees at an early stage of the defense measures against the virus and how to remove it, and to secure the security of the company network 2.
- FIG. 7 is a flowchart showing a third mode of the action (step S11 in FIG. 2) based on the data of the electronic mail 6.
- This example is for the case where the detected virus is an unspecified file-attached virus that sends an e-mail with one or more arbitrary files in the computer attached together with the virus.
- the virus countermeasure unit 10 transmits a virus detection notification message that notifies the infected person that the virus has been detected (step S41 in FIG. 7). Thereafter, it is determined whether or not the detected virus is an unspecified file-attached virus (step S42 in FIG. 7). This determination is made based on the type of virus detected in the above-described virus detection process (Step S8 in FIG. 2).
- If the detected virus is an unspecified file-attached virus (Yes in step S42 in FIG. 7), it is determined whether or not the received e-mail is from a corporate domain (step S43 in FIG. 7). This determination is the same as in the above-described second embodiment. As a result, if the received e-mail 6 is from the corporate domain (Yes in step S43 in FIG. 7), the received e-mail 6 is discarded (step S44 in FIG. 7), and the process ends without sending the e-mail 6.
- On the other hand, if the e-mail 6 is not from the corporate domain (No in step S43 in FIG. 7), the e-mail 6 is transmitted to the destination (step S12). If it is determined in step S42 of FIG. 7 that the detected virus is not an unspecified file-attached virus (No in step S42 of FIG. 7), the electronic mail 6 is likewise transmitted to the destination (step S12).
- FIG. 8 is an example of a description of the setting file 22 regarding the action (step S11) based on the data of the electronic mail 6 in the third embodiment.
- “W32.SSS.Worm@mm” in the figure is an example of an unspecified file-attached virus, and “abc.com” indicates the company domain of company name abc.
- The description on the third line in FIG. 8 indicates that if “W32.SSS.Worm@mm” is detected and the domain of the source e-mail address is “abc.com”, the e-mail will be discarded.
- the virus countermeasure means 10 executes the above-described steps S42 to S44 in FIG. 7 with reference to the relevant portion of the setting file 22 read into the memory.
- Thus, when the detected virus is an unspecified file-attached virus, the e-mail 6 is discarded if it is from within the company and sent if it is not. Therefore, even if a client terminal (4a, 4b, ...) in the company is infected with the unspecified file-attached virus and an arbitrary file is attached, unintentionally, to the e-mail 6 sent from that client terminal, the messaging virus countermeasure system 1 destroys the e-mail 6 including the attached file, so that information leakage from inside the company can be prevented.
- FIG. 9 is a flowchart showing a fourth mode of the action (step S11 in FIG. 2) based on the specifications of the electronic mail.
- In this mode, the content of the virus detection notification message sent when a virus is detected is changed depending on the destination.
- The virus countermeasure means 10 determines whether the received e-mail 6 is from a corporate domain (step S51 in FIG. 9). This determination is the same as in the above-described second embodiment. If the received e-mail 6 is from the corporate domain (Yes in step S51 in FIG. 9), a virus detection notification message for corporate infected persons is sent to the infected person (step S52 in FIG. 9). On the other hand, if the received e-mail 6 is not from the corporate domain (No in step S51 in FIG. 9), a virus detection notification message for non-corporate infected persons is sent to the infected person (step S53 in FIG. 9). In either case, the e-mail 6 is then transmitted (step S12).
- FIG. 10 is a description example of the setting file 22 regarding the action (step S11) based on the data of the electronic mail 6 in the fourth embodiment.
- “abc.com” in the figure indicates the company domain of the company name abc.
- “msg.abc” is a file storing virus detection notification messages for in-house infected persons.
- “msg.notabc” is a file storing virus detection notification messages for non-corporate infected persons.
- The description on the second line in FIG. 10 means that if a virus is detected and the domain of the sender's e-mail address is “abc.com”, the message stored in “msg.abc” is sent. Similarly, the description on the third line in FIG. 10 means that the message stored in “msg.notabc” is sent when a virus is detected and the domain of the sender's e-mail address is other than “abc.com”.
- The virus countermeasure means 10 executes the above-described processes of steps S51 to S53 in FIG. 9 with reference to the relevant portion of the setting file 22 read into the memory.
- Thus, when a virus is detected, a message intended for inside the company is transmitted if the e-mail 6 is from within the company, and a message intended for outside the company is transmitted if it is not.
- This makes it possible to provide appropriate information according to the destination of the message as compared with the case where a uniform message is transmitted as in the related art, and it is possible to further improve the security against the messaging virus.
- A plurality of examples of the action (step S11) based on the specifications of the e-mail 6 have been described above.
- The messaging virus countermeasure system 1 may be set to perform processing in only one of these modes, but it is usually set so that a plurality of the processes shown in these modes can be executed, and the appropriate one is chosen and executed based on the specifications of the received e-mail 6.
- Between the process in the first mode and the process in the second mode, a setting determines which is to be adopted.
- The messaging virus countermeasure system 1 can provide more effective countermeasures against a new virus, a sender-spoofing virus, an unspecified file-attached virus, and the like than the conventional system.
- The so-called mail virus associated with the delivery of the e-mail 6 has been described. All messaging viruses that are transmitted with the transfer of electronic information, such as viruses that are transmitted with the transfer of files over the Internet.
- the present invention can be used to take action against a messaging virus that is transmitted along with the movement of electronic information mainly composed of electronic mail.
- it is not necessary to interrupt all mail delivery when a new type of messaging virus appears, and the impact of mail interruption can be minimized.
- When a sender-spoofing virus is received, useless and annoying notification messages can be omitted.
- When an unspecified file-attached virus is received, information leakage can be prevented.
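The third mode (FIG. 7, steps S42 to S44) and the fourth mode (FIG. 9, steps S51 to S53) both hinge on whether the sender address belongs to the corporate domain. The sketch below is an added example, not code from the patent: it combines the two decisions and shows the domain check done on the parsed address rather than by substring match. The in-memory layout standing in for setting file 22, the function names and the sample headers are assumptions; the virus name is the FIG. 8 example with extraction spacing removed.

```python
from email.utils import parseaddr

# Assumed in-memory form of setting file 22. The page does not reproduce the
# syntax of FIG. 8 / FIG. 10, so this layout is hypothetical.
CORPORATE_DOMAIN = "abc.com"
FILE_ATTACHING_VIRUSES = {"W32.SSS.Worm@mm"}          # FIG. 8 example name
MSG_INTERNAL, MSG_EXTERNAL = "msg.abc", "msg.notabc"  # FIG. 10 message files


def sender_domain(from_header):
    """Return the lower-cased domain of the sender address, or None."""
    _display_name, addr = parseaddr(from_header)
    local, at, domain = addr.rpartition("@")
    if not (local and at and domain):
        return None
    return domain.lower().rstrip(".")


def is_corporate(from_header):
    # Exact comparison on the parsed address: a display name that merely
    # contains "abc.com", or a look-alike such as abc.com.example.net,
    # must not count as internal.
    return sender_domain(from_header) == CORPORATE_DOMAIN


def decide(virus_name, from_header):
    """Return (deliver, notification_file) for a message found infected."""
    internal = is_corporate(from_header)
    # Fourth mode (S51-S53): choose the notification text by sender domain.
    notification = MSG_INTERNAL if internal else MSG_EXTERNAL
    # Third mode (S42-S44): discard only mail from the corporate domain that
    # carries a file-attaching virus; all other mail proceeds to step S12.
    deliver = not (internal and virus_name in FILE_ATTACHING_VIRUSES)
    return deliver, notification


# Constructed sample input: (detected virus name, From header).
SAMPLES = [
    ("W32.SSS.Worm@mm", "Alice <alice@ABC.com>"),
    ("W32.SSS.Worm@mm", "bob@partner.example"),
    ("W32.SSS.Worm@mm", '"ceo@abc.com" <x@elsewhere.example>'),
    ("Example.Other.Virus", "carol@abc.com"),
]

if __name__ == "__main__":
    for virus, sender in SAMPLES:
        print(virus, sender, decide(virus, sender))
```

Only the first sample is discarded; the third shows why the display name must be ignored when deciding that a message is internal.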
Priority Applications (8)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP09169572A EP2141604A3 (en) | 2003-04-25 | 2003-04-25 | Messaging virus protection program and the like |
EP09169571A EP2141603A1 (en) | 2003-04-25 | 2003-04-25 | Messaging virus protection program and the like |
PCT/JP2003/005330 WO2004097653A1 (ja) | 2003-04-25 | 2003-04-25 | Messaging virus protection program and the like |
JP2004571283A JPWO2004097653A1 (ja) | 2003-04-25 | 2003-04-25 | Messaging virus protection program and the like |
EP09169569A EP2141602A1 (en) | 2003-04-25 | 2003-04-25 | Messaging virus protection program and the like |
EP03816784A EP1619586A4 (en) | 2003-04-25 | 2003-04-25 | COUNTERMEASURE PROGRAM FOR A MESSAGING VIRUS |
US11/254,362 US20060041941A1 (en) | 2003-04-25 | 2005-10-20 | Messaging virus protection program and the like |
US12/437,322 US20090217380A1 (en) | 2003-04-25 | 2009-05-07 | Messaging virus protection program and the like |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2003/005330 WO2004097653A1 (ja) | 2003-04-25 | 2003-04-25 | Messaging virus protection program and the like |
Related Child Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/254,362 Continuation US20060041941A1 (en) | 2003-04-25 | 2005-10-20 | Messaging virus protection program and the like |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2004097653A1 (ja) | 2004-11-11 |
Family
ID=33398110
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2003/005330 WO2004097653A1 (ja) | 2003-04-25 | 2003-04-25 | Messaging virus protection program and the like |
Country Status (4)
Country | Link |
---|---|
US (2) | US20060041941A1 (ja) |
EP (4) | EP2141602A1 (ja) |
JP (1) | JPWO2004097653A1 (ja) |
WO (1) | WO2004097653A1 (ja) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7571483B1 (en) * | 2005-08-25 | 2009-08-04 | Lockheed Martin Corporation | System and method for reducing the vulnerability of a computer network to virus threats |
CN101836212B (zh) * | 2007-10-25 | 2015-10-14 | Fujitsu Limited | Information providing method, relay method, information holding device, and relay |
US9904783B2 (en) | 2015-02-09 | 2018-02-27 | Lenovo (Beijing) Co., Ltd. | Information processing method and electronic device |
CN104657663B (zh) * | 2015-02-09 | 2018-03-27 | Lenovo (Beijing) Co., Ltd. | Information processing method and electronic device |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH10187434A (ja) * | 1996-12-20 | 1998-07-21 | Nec Corp | Security assurance system |
JPH11110211A (ja) * | 1997-09-30 | 1999-04-23 | Brother Ind Ltd | Computer system, computer virus countermeasure method, and recording medium on which a computer virus countermeasure program is recorded |
JP2002063116A (ja) * | 2000-08-22 | 2002-02-28 | Xaxon R & D Corp | E-mail proxy server |
JP2002232451A (ja) * | 2001-02-02 | 2002-08-16 | Layer Seven Co Ltd | Communication management method, communication monitoring device, and computer system |
JP2003115878A (ja) * | 2001-10-04 | 2003-04-18 | Japan Telecom Co Ltd | Mail server and mail server program |
Family Cites Families (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5960170A (en) * | 1997-03-18 | 1999-09-28 | Trend Micro, Inc. | Event triggered iterative virus detection |
US6785732B1 (en) * | 2000-09-11 | 2004-08-31 | International Business Machines Corporation | Web server apparatus and method for virus checking |
US20020095607A1 (en) * | 2001-01-18 | 2002-07-18 | Catherine Lin-Hendel | Security protection for computers and computer-networks |
JP2002223256A (ja) | 2001-01-29 | 2002-08-09 | Fujitsu Ltd | Computer program for mail virus detection |
US20030018903A1 (en) * | 2001-03-19 | 2003-01-23 | Greca Damon G. Della | Method of containing spread of computer viruses |
WO2002093334A2 (en) * | 2001-04-06 | 2002-11-21 | Symantec Corporation | Temporal access control for computer virus outbreaks |
US20020147780A1 (en) * | 2001-04-09 | 2002-10-10 | Liu James Y. | Method and system for scanning electronic mail to detect and eliminate computer viruses using a group of email-scanning servers and a recipient's email gateway |
US7043757B2 (en) * | 2001-05-22 | 2006-05-09 | Mci, Llc | System and method for malicious code detection |
JP4566460B2 (ja) | 2001-06-07 | 2010-10-20 | Pioneer Corporation | E-mail virus check system |
US7543334B2 (en) * | 2001-08-27 | 2009-06-02 | Mcafee, Inc. | Update status alerting for a malware scanner |
US7127740B2 (en) * | 2001-10-29 | 2006-10-24 | Pitney Bowes Inc. | Monitoring system for a corporate network |
US7458098B2 (en) * | 2002-03-08 | 2008-11-25 | Secure Computing Corporation | Systems and methods for enhancing electronic communication security |
US20050278533A1 (en) * | 2003-01-12 | 2005-12-15 | Yaron Mayer | System and method for secure communications |
2003
- 2003-04-25 EP EP09169569A patent/EP2141602A1/en not_active Withdrawn
- 2003-04-25 EP EP03816784A patent/EP1619586A4/en not_active Withdrawn
- 2003-04-25 WO PCT/JP2003/005330 patent/WO2004097653A1/ja active Application Filing
- 2003-04-25 EP EP09169572A patent/EP2141604A3/en not_active Withdrawn
- 2003-04-25 EP EP09169571A patent/EP2141603A1/en not_active Withdrawn
- 2003-04-25 JP JP2004571283A patent/JPWO2004097653A1/ja active Pending
2005
- 2005-10-20 US US11/254,362 patent/US20060041941A1/en not_active Abandoned
2009
- 2009-05-07 US US12/437,322 patent/US20090217380A1/en not_active Abandoned
Non-Patent Citations (4)
Title |
---|
"Computer virus net no shinto de moi furuu shinshu eno taio ga zettai joken", NIKKEI INFORMATION STRATEGY, vol. 10, no. 8, 24 August 2001 (2001-08-24), pages 202 - 205, XP008163199 * |
"Komyo de senren sareta jisedai fukugo-gata virus no man'en ga yoso sareru", COMPUTOPIA, vol. 36, no. 421, 1 October 2001 (2001-10-01), pages 130 - 132, XP008100529 * |
"Mail filtering soft okiku chigau settei no jiyudo ango mail taio mo hajimaru", NIKKEI COMMUNICATIONS, no. 302, 20 September 1999 (1999-09-20), pages 121 - 127, XP002953145 * |
See also references of EP1619586A4 * |
Also Published As
Publication number | Publication date |
---|---|
EP1619586A1 (en) | 2006-01-25 |
EP2141604A3 (en) | 2010-03-10 |
US20060041941A1 (en) | 2006-02-23 |
US20090217380A1 (en) | 2009-08-27 |
JPWO2004097653A1 (ja) | 2006-07-13 |
EP1619586A4 (en) | 2008-10-15 |
EP2141604A2 (en) | 2010-01-06 |
EP2141602A1 (en) | 2010-01-06 |
EP2141603A1 (en) | 2010-01-06 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A1 Designated state(s): JP US |
|
AL | Designated countries for regional patents |
Kind code of ref document: A1 Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
WWE | Wipo information: entry into national phase |
Ref document number: 2004571283 Country of ref document: JP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 11254362 Country of ref document: US |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2003816784 Country of ref document: EP |
|
WWP | Wipo information: published in national office |
Ref document number: 2003816784 Country of ref document: EP |
|
WWP | Wipo information: published in national office |
Ref document number: 11254362 Country of ref document: US |